Deep Packet Inspection Using Parallel Bloom Filters
Sarang Dharmapurikar, Praveen Krishnamurthy, Todd Sproull, John Lockwood
Presented by Jamie Huenefeld
Outline
• Motivation and Introduction
• Related Works
• Bloom Filter Theory
• System Overview
• Hardware Design Considerations
• Implementation and Results
• Conclusions
Motivation and Introduction
• Desire high-throughput Intrusion Detection Systems
• Fast attack signature matching
Motivation and Introduction
• Bloom Filter
• Data structure that represents a set of strings and can verify set membership
• Fast and efficient storage mechanism
• Query time is independent of database size, provided storage memory scales linearly with it
• No false negatives
Related Works
• Software
• Use of the Aho-Corasick/Boyer-Moore (ACBM) algorithm to improve Snort performance
• Set-wise implementation of ACBM
• Hardware
• Use of reconfigurable hardware
• Resource consumption grows linearly with search string size
• Time-consuming updates
Bloom Filter Theory
• Adding Strings
• String x
• k hash functions
• k hashed values, each in the range 1 to m
• m-bit vector
• Set the k bits in the vector indexed by the hashed values
Bloom Filter Theory
• Add “apple” and “plums”
• m = 12
• k = 3
• apple hashed values: 3, 11, 12
• plums hashed values: 1, 8, 11
Bloom Filter Theory
• Check for “mangos”
• mangos hashed values: 3, 8, 12
• All three bits were already set by “apple” and “plums”, so the string verifies as a false positive
Bloom Filter Theory
• False Positive Rate (n strings, m bits, k hash functions)
• f = (1 − e^(−nk/m))^k
• Minimized False Positive Probability
• k = (m/n) ln 2
• Increasing k (up to this optimum) reduces the false positive probability
• False Positive Probability at the optimal k
• f = (1/2)^k
Bloom Filter Theory
• Counting Bloom Filters
• Incorporates string deletion from the filter
• Replaces each bit of the vector with a counter
• Increment the count when adding, decrement when deleting
• Bit vector after adding “apple” and “plums” (m = 12): 1 0 1 0 0 0 0 1 0 0 1 1
System Overview
• Strings flagged by the Bloom filters are probed (verified) by the Analyzer
System Description
• Throughput
• R = 1/(T_add + T_end) bytes/sec
• False positive probability with a shared Analyzer and g filters sharing m bits
• f = (1/2)^(((m/g)/n) ln 2)
System Description
• Hash tables have constant search time
• String retrieval from memory, however, depends on string length
• 4-byte data bus: retrieving a 32-byte signature takes 8 clock cycles
• R_G = G/(G·T_add + T_end) bytes/sec
• Less memory means more false positives, which means lower throughput
Hardware Design
• Multiport Embedded Memory
• Hash functions map to an m-bit memory array
• Smaller chunks of memory create more capacity
• Restrict the range of each hash lookup to bypass memory retrieval constraints
Implementation and Results
• Xilinx XCV2000E
• Signatures = 32 bytes
• 160 block memories
• 4096-bit array
• 2 reads/clock
• m = 4096
• k = 2
• 1434 signatures per filter
• Using 7 parallel filters: 10038 signatures in total
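To make the slides concrete, here is an added example (my own code, not from the paper or the talk) that implements a counting Bloom filter, reproduces the apple/plums/mangos false positive from the theory slides and then deletes “plums” to clear it, evaluates the false positive formula with the XCV2000E parameters (m = 4096, k = 2, 1434 signatures), and sketches the parallel per-length scan that feeds the Analyzer. Assumptions: salted SHA-256 stands in for the hardware hash functions, the slide example uses a constructed lookup table for its hash positions, and the Analyzer (exact hash-table verification) is not modelled.

```python
import hashlib, math
from typing import Callable, Dict, List, Optional

class CountingBloomFilter:
    """Counting Bloom filter over positions 1..m (slide numbering), k hashes, supports delete."""
    def __init__(self, m: int, k: int, hashes: Optional[Callable[[str], List[int]]] = None):
        self.m, self.k = m, k
        self.counts = [0] * m                          # one counter per bit position
        self._hashes = hashes or self._salted_sha256    # default: k salted SHA-256 hashes (assumption)

    def _salted_sha256(self, s: str) -> List[int]:
        digests = (hashlib.sha256(bytes([i]) + s.encode()).digest() for i in range(self.k))
        return [int.from_bytes(d[:8], "big") % self.m + 1 for d in digests]

    def add(self, s: str) -> None:
        for p in self._hashes(s):
            self.counts[p - 1] += 1

    def remove(self, s: str) -> None:              # only for strings that were previously added
        for p in self._hashes(s):
            self.counts[p - 1] -= 1

    def contains(self, s: str) -> bool:            # may be a false positive, never a false negative
        return all(self.counts[p - 1] > 0 for p in self._hashes(s))

    def bit_vector(self) -> str:
        return "".join("1" if c else "0" for c in self.counts)

def false_positive_rate(m: int, n: int, k: int) -> float:
    return (1 - math.exp(-n * k / m)) ** k             # f = (1 - e^(-nk/m))^k

def optimal_k(m: int, n: int) -> float:
    return (m / n) * math.log(2)                        # k = (m/n) ln 2, at which f = (1/2)^k

# Slide example: hash positions are the ones printed on the slides (constructed lookup table).
SLIDE_HASHES = {"apple": [3, 11, 12], "plums": [1, 8, 11], "mangos": [3, 8, 12]}

def slide_example() -> Dict[str, object]:
    bf = CountingBloomFilter(m=12, k=3, hashes=lambda s: SLIDE_HASHES[s])
    bf.add("apple"); bf.add("plums")
    vec, fp = bf.bit_vector(), bf.contains("mangos")  # "mangos" was never added
    bf.remove("plums")                                  # deleting "plums" clears bit 8
    return {"vector": vec, "mangos_before_delete": fp, "mangos_after_delete": bf.contains("mangos")}

def scan_stream(filters: Dict[int, CountingBloomFilter], data: bytes) -> List[int]:
    # One filter per signature length; every offset is checked against all of them in parallel.
    # Flagged offsets are what the Analyzer would then verify against the exact hash table.
    return sorted({i for L, bf in filters.items() for i in range(len(data) - L + 1)
                   if bf.contains(data[i:i + L].decode("latin-1"))})
```

With the slide parameters, `false_positive_rate(4096, 1434, 2)` is about 0.25 and `optimal_k(4096, 1434)` rounds to 2, matching the k chosen for the XCV2000E design.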
Conclusions
• Constant-time queries
• Fast updates
• Trade-off between memory resources and system performance
• Good for real-time processing systems