
Deep Packet Inspection Using Parallel Bloom Filters

Deep Packet Inspection Using Parallel Bloom Filters. Sarang Dharmapurikar, Praveen Krishnamurthy, Todd Sproull, John Lockwood. Presented by Jamie Huenefeld. Outline: Motivation and Introduction, Related Works, Bloom Filter Theory, System Overview, Hardware Design Considerations


Presentation Transcript


  1. Deep Packet Inspection Using Parallel Bloom Filters Sarang Dharmapurikar, Praveen Krishnamurthy, Todd Sproull, John Lockwood Presented by Jamie Huenefeld

  2. Outline • Motivation and Introduction • Related Works • Bloom Filter Theory • System Overview • Hardware Design Considerations • Implementation and Results • Conclusions

  3. Motivation and Introduction • Desire high throughput Intrusion Detection Systems • Fast Attack Signature Matching

  4. Motivation and Introduction • Bloom Filter • Data structure that represents a set of strings and can verify set membership • Fast and efficient storage mechanism • Query time is independent of database size, if storage memory scales linearly • No false negatives

  5. Related Works • Software • Use of Aho-Corasick Boyer-Moore algorithm for Snort performance • Set-wise implementation of ACBM • Hardware • Use of reconfigurable hardware • Resource consumption grows linearly with search string size • Time consuming updates

  6. Bloom Filter Theory • Adding Strings • String x • k hash functions • k hashed values, 1 to m • m bit vector • Set k bits in vector, according to hashed values

  7. Bloom Filter Theory • Add “apple” and “plums” • m = 12 • k = 3 • apple hashed values: 3, 11, 12 • plums hashed values: 1, 8, 11

  8. Bloom Filter Theory • Check for “mangos” • Mangos hashed values: 3, 8, 12 • String verifies as a false positive

  9. Bloom Filter Theory • False Positive Rate • $f = (1 - e^{-nk/m})^k$ • Minimized False Positive Probability • $k = (m/n) \ln 2$ • Increasing k reduces FPP • False Positive Probability Ratio • $f = (1/2)^k$

  10. Bloom Filter Theory • Counting Bloom Filters • Incorporates string deletion from the filter • Uses a vector of counting vectors at each bit • Increment count when adding, decrement when deleting • [Figure: 12-bit vector 1 0 1 0 0 0 0 1 0 0 1 1]
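The Bloom filter theory slides above, as an added Python example that is not part of the original presentation: it replays the apple/plums/mangos hash values from the slides through a counting filter, then compares the false positive formula with a measured rate. The class and function names, the salted SHA-256 hashing, and the sample parameters (n = 500, m = 4096, k = 6, constructed signature strings) are assumptions made for illustration.

```python
import hashlib
import math

class CountingBloomFilter:
    """m counters and k hash functions; counters (not bits) make deletion safe."""
    def __init__(self, m, k, positions=None):
        self.m, self.k = m, k
        self.counts = [0] * m
        # Assumption: salted SHA-256 stands in for the k hardware hash functions.
        self.positions = positions or self._sha256_positions
    def _sha256_positions(self, s):
        return [int.from_bytes(hashlib.sha256(bytes([i]) + s.encode()).digest()[:8],
                               "big") % self.m for i in range(self.k)]
    def add(self, s):
        for p in self.positions(s):
            self.counts[p] += 1
    def remove(self, s):  # caller must only remove strings that were added
        for p in self.positions(s):
            self.counts[p] -= 1
    def __contains__(self, s):
        return all(self.counts[p] > 0 for p in self.positions(s))

def false_positive_rate(n, m, k):
    """f = (1 - e^(-nk/m))^k for n strings in an m-bit filter."""
    return (1 - math.exp(-n * k / m)) ** k

def optimal_k(n, m):
    return (m / n) * math.log(2)  # k = (m/n) ln 2

# Hash values from the apple/plums/mangos slides (1-based positions, m = 12).
SLIDE_HASHES = {"apple": [3, 11, 12], "plums": [1, 8, 11], "mangos": [3, 8, 12]}

def slide_example():
    bf = CountingBloomFilter(12, 3, lambda s: [p - 1 for p in SLIDE_HASHES[s]])
    bf.add("apple")
    bf.add("plums")
    bits = [int(c > 0) for c in bf.counts]
    before = "mangos" in bf   # false positive: positions 3, 8, 12 are all set
    bf.remove("plums")        # position 11 stays set because apple also counts there
    return bits, before, "mangos" in bf, "apple" in bf

def measured_fpr(n=500, m=4096, k=6, probes=20000):
    """Fill a filter with n constructed signatures, probe with strings never added."""
    bf = CountingBloomFilter(m, k)
    for i in range(n):
        bf.add(f"constructed-signature-{i}")
    hits = sum(f"benign-probe-{i}" in bf for i in range(probes))
    return hits / probes
```

Removing "plums" clears the false positive on "mangos" without dropping "apple", which a plain bit vector could not do because both strings share position 11.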

  11. System Overview Strings are probed by Analyzer

  12. System Overview

  13. System Overview

  14. System Description • Throughput • $R = 1/(T_{add} + T_{end})$ bytes/sec • Throughput with shared Analyzer • $f = (1/2)^{((m/g)/n) \ln 2}$

  15. System Description • Hash tables have constant search time • String retrieval from memory depends on string length, however. • 4 byte data bus with = 8 clock cycles • $R_G = G/(G T_{add} + T_{end})$ bytes/sec • Less memory + increasing false positives = lower throughput

  16. System Description

  17. Hardware Design

  18. Hardware Design • Multiport Embedded Memory • Hash functions map to m bit memory array • Smaller chunks of memory create more capacity • Restrict range of hash lookup to bypass memory retrieval constraints.

  19. Implementation and Results • Xilinx XCV2000E • Signatures = 32 bytes • 160 block memories • 4096 bit array • 2 reads/clock • M=4096 • K = 2 • 1434 signatures • Using 7 parallel filters • 10038 signatures

  20. Implementation and Results

  21. Conclusions • Constant Time Queries • Fast updates • Trade-off between memory resources and system performance • Good for real-time processing systems
