Regular expression matching on graphics hardware for intrusion detection

Giorgos Vasiliadis, Michalis Polychronakis, Spiros Antonatos, Evangelos P. Markatos, Sotiris Ioannidis

Research output: Chapter in Book/Report/Conference proceedingConference contribution

61 Citations (Scopus)

Abstract

The expressive power of regular expressions has been often exploited in network intrusion detection systems, virus scanners, and spam filtering applications. However, the flexible pattern matching functionality of regular expressions in these systems comes with significant overheads in terms of both memory and CPU cycles, since every byte of the inspected input needs to be processed and compared against a large set of regular expressions. In this paper we present the design, implementation and evaluation of a regular expression matching engine running on graphics processing units (GPUs). The significant spare computational power and data parallelism capabilities of modern GPUs permits the efficient matching of multiple inputs at the same time against a large set of regular expressions. Our evaluation shows that regular expression matching on graphics hardware can result to a 48 times speedup over traditional CPU implementations and up to 16 Gbit/s in processing throughput. We demonstrate the feasibility of GPU regular expression matching by implementing it in the popular Snort intrusion detection system, which results to a 60% increase in the packet processing throughput.

Original languageEnglish
Title of host publicationRecent Advances in Intrusion Detection - 12th International Symposium, RAID 2009, Proceedings
Pages265-283
Number of pages19
Volume5758 LNCS
DOIs
Publication statusPublished - 2009
Externally publishedYes
Event12th International Symposium on Recent Advances in Intrusion Detection, RAID 2009 - Saint-Malo, France
Duration: 23 Sep 200925 Sep 2009

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume5758 LNCS
ISSN (Print)03029743
ISSN (Electronic)16113349

Other

Other12th International Symposium on Recent Advances in Intrusion Detection, RAID 2009
CountryFrance
CitySaint-Malo
Period23/9/0925/9/09

Fingerprint

Graphics Hardware
Regular Expressions
Intrusion detection
Intrusion Detection
Hardware
Program processors
Throughput
Computer viruses
Graphics Processing Unit
Pattern matching
Processing
Large Set
Engines
Data storage equipment
Data Parallelism
Network Intrusion Detection
Spam
Expressive Power
Evaluation
Pattern Matching

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Vasiliadis, G., Polychronakis, M., Antonatos, S., Markatos, E. P., & Ioannidis, S. (2009). Regular expression matching on graphics hardware for intrusion detection. In Recent Advances in Intrusion Detection - 12th International Symposium, RAID 2009, Proceedings (Vol. 5758 LNCS, pp. 265-283). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5758 LNCS). https://doi.org/10.1007/978-3-642-04342-0_14

Regular expression matching on graphics hardware for intrusion detection. / Vasiliadis, Giorgos; Polychronakis, Michalis; Antonatos, Spiros; Markatos, Evangelos P.; Ioannidis, Sotiris.

Recent Advances in Intrusion Detection - 12th International Symposium, RAID 2009, Proceedings. Vol. 5758 LNCS 2009. p. 265-283 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5758 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Vasiliadis, G, Polychronakis, M, Antonatos, S, Markatos, EP & Ioannidis, S 2009, Regular expression matching on graphics hardware for intrusion detection. in Recent Advances in Intrusion Detection - 12th International Symposium, RAID 2009, Proceedings. vol. 5758 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5758 LNCS, pp. 265-283, 12th International Symposium on Recent Advances in Intrusion Detection, RAID 2009, Saint-Malo, France, 23/9/09. https://doi.org/10.1007/978-3-642-04342-0_14
Vasiliadis G, Polychronakis M, Antonatos S, Markatos EP, Ioannidis S. Regular expression matching on graphics hardware for intrusion detection. In Recent Advances in Intrusion Detection - 12th International Symposium, RAID 2009, Proceedings. Vol. 5758 LNCS. 2009. p. 265-283. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-642-04342-0_14
Vasiliadis, Giorgos ; Polychronakis, Michalis ; Antonatos, Spiros ; Markatos, Evangelos P. ; Ioannidis, Sotiris. / Regular expression matching on graphics hardware for intrusion detection. Recent Advances in Intrusion Detection - 12th International Symposium, RAID 2009, Proceedings. Vol. 5758 LNCS 2009. pp. 265-283 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{ac0c58b0f4474b45ac96a2b48e4cfe65,
title = "Regular expression matching on graphics hardware for intrusion detection",
abstract = "The expressive power of regular expressions has been often exploited in network intrusion detection systems, virus scanners, and spam filtering applications. However, the flexible pattern matching functionality of regular expressions in these systems comes with significant overheads in terms of both memory and CPU cycles, since every byte of the inspected input needs to be processed and compared against a large set of regular expressions. In this paper we present the design, implementation and evaluation of a regular expression matching engine running on graphics processing units (GPUs). The significant spare computational power and data parallelism capabilities of modern GPUs permits the efficient matching of multiple inputs at the same time against a large set of regular expressions. Our evaluation shows that regular expression matching on graphics hardware can result to a 48 times speedup over traditional CPU implementations and up to 16 Gbit/s in processing throughput. We demonstrate the feasibility of GPU regular expression matching by implementing it in the popular Snort intrusion detection system, which results to a 60{\%} increase in the packet processing throughput.",
author = "Giorgos Vasiliadis and Michalis Polychronakis and Spiros Antonatos and Markatos, {Evangelos P.} and Sotiris Ioannidis",
year = "2009",
doi = "10.1007/978-3-642-04342-0_14",
language = "English",
isbn = "3642043410",
volume = "5758 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "265--283",
booktitle = "Recent Advances in Intrusion Detection - 12th International Symposium, RAID 2009, Proceedings",

}

TY - GEN

T1 - Regular expression matching on graphics hardware for intrusion detection

AU - Vasiliadis, Giorgos

AU - Polychronakis, Michalis

AU - Antonatos, Spiros

AU - Markatos, Evangelos P.

AU - Ioannidis, Sotiris

PY - 2009

Y1 - 2009

N2 - The expressive power of regular expressions has been often exploited in network intrusion detection systems, virus scanners, and spam filtering applications. However, the flexible pattern matching functionality of regular expressions in these systems comes with significant overheads in terms of both memory and CPU cycles, since every byte of the inspected input needs to be processed and compared against a large set of regular expressions. In this paper we present the design, implementation and evaluation of a regular expression matching engine running on graphics processing units (GPUs). The significant spare computational power and data parallelism capabilities of modern GPUs permits the efficient matching of multiple inputs at the same time against a large set of regular expressions. Our evaluation shows that regular expression matching on graphics hardware can result to a 48 times speedup over traditional CPU implementations and up to 16 Gbit/s in processing throughput. We demonstrate the feasibility of GPU regular expression matching by implementing it in the popular Snort intrusion detection system, which results to a 60% increase in the packet processing throughput.

AB - The expressive power of regular expressions has been often exploited in network intrusion detection systems, virus scanners, and spam filtering applications. However, the flexible pattern matching functionality of regular expressions in these systems comes with significant overheads in terms of both memory and CPU cycles, since every byte of the inspected input needs to be processed and compared against a large set of regular expressions. In this paper we present the design, implementation and evaluation of a regular expression matching engine running on graphics processing units (GPUs). The significant spare computational power and data parallelism capabilities of modern GPUs permits the efficient matching of multiple inputs at the same time against a large set of regular expressions. Our evaluation shows that regular expression matching on graphics hardware can result to a 48 times speedup over traditional CPU implementations and up to 16 Gbit/s in processing throughput. We demonstrate the feasibility of GPU regular expression matching by implementing it in the popular Snort intrusion detection system, which results to a 60% increase in the packet processing throughput.

UR - http://www.scopus.com/inward/record.url?scp=76649131237&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=76649131237&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-04342-0_14

DO - 10.1007/978-3-642-04342-0_14

M3 - Conference contribution

AN - SCOPUS:76649131237

SN - 3642043410

SN - 9783642043413

VL - 5758 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 265

EP - 283

BT - Recent Advances in Intrusion Detection - 12th International Symposium, RAID 2009, Proceedings

ER -