一种面向100Gbps网络的L7-filter硬件加速方法

doi:10.3969/j.issn.0372-2112.2016.11.001

电子学报 ›› 2016, Vol. 44 ›› Issue (11): 2561-2568.DOI: 10.3969/j.issn.0372-2112.2016.11.001

• 学术论文 • 下一篇

一种面向100Gbps网络的L7-filter硬件加速方法

付文亮¹, 郭平¹, 周舟²

1. 北京理工大学计算机科学与技术学院, 北京 100081;
2. 中国科学院信息工程研究所信息内容安全技术国家工程实验室, 北京 100093

收稿日期:2015-04-07 修回日期:2015-08-17 出版日期:2016-11-25
- 通讯作者:
- 郭平
- 作者简介:
- 付文亮,男,1984年出生于河北邯郸市.现为北京理工大学计算机学院在读博士生.主要从事高性能网络、网络安全、节能等领域关键技术研究;周舟,男,1983年出生,现为中国科学院信息工程研究所高级工程师.主要从事高性能网络及网络安全相关领域研究.
- 基金资助:
- 国家自然科学基金 (No.61402474）

A Hardware-Accelerated L7-filter Method for 100Gbps Networks

FU Wen-liang¹, GUO Ping¹, ZHOU Zhou²

1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China;
2. National Engineering Laboratory for Information Security Technologies, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China

Received:2015-04-07 Revised:2015-08-17 Online:2016-11-25 Published:2016-11-25
- Supported by:
- National Natural Science Foundation of China (No.61402474)

摘要/Abstract

摘要：

L7-filter是当前广泛应用的流量分类系统，其采用基于正则表达式匹配的深包检测方法，通过检测数据包有效载荷中存在的字符串特征对流量进行分类.然而，由于计算复杂度高、存储消耗大等原因，现有L7-filter软硬件方法的处理性能严重不足，不能适应当前40Gbps以及更高性能骨干网络.在对L7-filter的应用层协议规则集进行分析，总结其中广泛存在的特征的基础上，本文提出了一个硬件加速方法，其通过有针对性的数据模型、算法优化、匹配架构设计以提高流量分类系统的处理能力.为了验证方法的可行性，采用了基于Virtex6的FPGA板卡实现原型系统并对其进行评估.实验结果表明，原型系统的数据吞吐率可以达到约115Gbps.

关键词: 流量分类, 正则表达式匹配, 100Gbps, FPGA

Abstract:

L7-filter is a widely used traffic classification system which relies on regular expression matching based deep packet inspect method and can identify network traffic by inspecting string patterns hidden in the packet payload.However,due to considerable computation and storage expenditures,existing L7-filter software and hardware solutions could not offer sufficient performance in the context of 40 Gbps and higher speed networks.Based on analysis of common features of the L7-filter protocol patterns,this paper proposes a hardware-accelerated method which is for achieving high performance and includes customized data structure,optimization and matching architecture.To validate the proposed method,a hardware prototype on Virtex 6 FPGA card is implemented and tested.Experimental results show that the prototype can scan network traffic at a typical rate of about 115Gbps.

Key words: traffic classification, regular expression matching, 100Gbps, FPGA

中图分类号:

TP393

付文亮, 郭平, 周舟. 一种面向100Gbps网络的L7-filter硬件加速方法[J]. 电子学报, 2016, 44(11): 2561-2568.

FU Wen-liang, GUO Ping, ZHOU Zhou . A Hardware-Accelerated L7-filter Method for 100Gbps Networks[J]. Acta Electronica Sinica, 2016, 44(11): 2561-2568.

参考文献

[1] GA/T1177-2014,信息安全技术第二代防火墙安全技术要求[S].
[2] J.Nielsen.Nielsen's law of internet bandwidth[EB/OL].http://www.nngroup.com/articles/law-of-bandwidth/,2015-3-12.
[3] Application layer packet classifier for Linux[EB/OL].http://l7-filter.sourceforge.net/,2005-02-18.
[4] 付文亮,嵩天,周舟.RocketTC一个基于FPGA的高性能网络流量分类架[J].计算机学报,2014,37(2):414-422. FU Wen-liang,SONG Tian,ZHOU Zhou.RocketTC:A high throughput traffic classification architecture on FPGA[J].Chinese Journal of Computers,2014,37(2):414-422.(in Chinese)
[5] Antonello Rafael,et al.Design and optimizations for efficient regular expression matching in DPI systems[J].Proceedings of Computer Communications,2015,61:103-120.
[6] Wang Kai,Zhe Fu,Xiaohe Hu,and Jun Li.Practical regular expression matching free of scalability and performance barriers[J].Proceedings of Computer Communications 2014:97-119.
[7] Wang Jianhua,et al.A regular expression matching algorithm based on high-efficient finite automaton[J].Proceedings of Journal of Computing Science and Engineering,2014:78-86.
[8] WANG X,et al.StriFA:Stride finite automata for high-speed regular expression matching in network intrusion detection systems[J].IEEE Systems Journal,2013,7(3):374-384.
[9] Liu Tingwen,et al.Towards fast and optimal grouping of regular expressions via DFA size estimation[J].IEEE Journal on Selected Areas in Communications,2014,32(10):1797-1809.
[10] Shukla Surendra Kumar,et al.A survey of approaches used in parallel architectures and multi-core processors[J].For Performance Improvement.Proceedings of Progress in Systems Engineering,2015:537-545.
[11] Vasiliadis Giorgos,et al.GASPP:a GPU-accelerated stateful packet processing framework[A].Proceedings of 2014 USENIX Conference on Annual Technical Conference[C].Philadelphia:USENIX,2014.321-332.
[12] FEITOZA SANTOS A,et al.Multigigabit traffic identification on GPU[A].Proceedings of the First Edition Workshop on High Performance and Programmable Networking[C].New York:ACM,2013.39-44.
[13] Van Lunteren J,et al.Hardware-accelerated regular expression matching at multiple tens of gb/s[A].Proceedings of 31th IEEE INFOCOM[C].New York:ACM,2013.1737-1745.
[14] Smith R,et al.XFA:faster signature matching with extended automata[A].Proceedings of IEEE Symposium on Security and Privacy (S & P)[C].New York:IEEE,2008.187-201.
[15] Becchi M and Cadami S.Memory-efficient regular expression search using state merging[A].Proceedings of IEEE INFOCOM[C].New York:ACM,2007.1064-1072.
[16] Bando M,et al.Scalable lookahead regular expression detection system for deep packet inspection[J].IEEE/ACM Trans on Networking,2012,20(3):699-714.
[17] 余慧,王健.一种专用可重配置的FPGA嵌入式存储器模块的设计和实现[J].电子学报,2012,40(2):215-222. YU Hui,WANG Jian.The design and implement of a special reconfigureable FPGA embedded BRAM[J].Acta Electronica Sinica,2012,40(2):215-222.(in Chinese)
[18] Yamagaki N,Sidhu R,Kamiya S.High-speed regular expression matching engine using multi-character NFA[A].Proceedings of IEEE Field Programmable Logic and Applications[C].New York:ACM,2008.131-136.
[19] HOPCROFT J E.Introduction to Automata Theory,Languages,and Computation[M].3rd ed,Addison-Wesley Longman Publishing Co,Inc,2006.
[20] Regular expression patterns for L7-filter[EB/OL].http://l7-filter.sourceforge.net/protocols,2015-03-12.
[21] NetFPGA[OL].http://netfpga.org.2015-07-20.
[22] Wang L,et al.Gregex:GPU based high speed regular expression matching engine[A].Proceedings of IEEE Innovative Mobile and Internet Services in Ubiquitous Computing[C].New York:IEEE,2011.366-370.

一种面向100Gbps网络的L7-filter硬件加速方法

A Hardware-Accelerated L7-filter Method for 100Gbps Networks

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	袁海英, 曾智勇, 成君鹏. 面向灵活并行度的稀疏卷积神经网络加速器[J]. 电子学报, 2022, 50(8): 1811-1818.
[2]	陈晓杰, 李斌, 周清雷. RTL级可扩展高性能数据压缩方法实现[J]. 电子学报, 2022, 50(7): 1548-1557.
[3]	许皓文, 陆浩, 王振占. 高光谱微波辐射计系统中2GHz带宽数字谱仪设计[J]. 电子学报, 2022, 50(6): 1472-1479.
[4]	曲立国, 陈国豪, 胡俊, 陈鹏. 单次扫描连通域分析算法研究综述[J]. 电子学报, 2022, 50(6): 1521-1536.
[5]	王鹏, 邹彬, 刘金枝, 周丹阳. 基于Xilinx型FPGA系统单粒子效应评估方法研究[J]. 电子学报, 2022, 50(11): 2716-2721.
[6]	李斌, 齐延荣, 周清雷. 基于Winograd算法的目标检测加速器设计与优化[J]. 电子学报, 2022, 50(10): 2387-2397.
[7]	蔡莹, 朱翔, 王舰, 李昊远, 韩建伟. 基于激光注入的FPGA加密防护设计验证研究[J]. 电子学报, 2022, 50(10): 2381-2386.
[8]	张建民, 黎铁军, 马柯帆, 肖立权. 一种加速FPGA布线的不可满足子式求解算法[J]. 电子学报, 2021, 49(6): 1210-1216.
[9]	刘杰, 葛一凡, 田明, 马力强. 基于ZYNQ的可重构卷积神经网络加速器[J]. 电子学报, 2021, 49(4): 729-735.
[10]	孙明乾, 乔庐峰, 陈庆华. 一种无匹配时间损耗的DFA压缩算法的研究与实现[J]. 电子学报, 2020, 48(6): 1132-1139.
[11]	蹇强, 张培勇, 王雪洁. 一种可配置的CNN协加速器的FPGA实现方法[J]. 电子学报, 2019, 47(7): 1525-1531.
[12]	刘公绪, 史凌峰, 辛东金. 基于FPGA的零误差大数阶乘算法的设计与实现[J]. 电子学报, 2019, 47(5): 1180-1184.
[13]	余乐, 李任伟, 王瑶, 李洋洋, 吴超, 贾瑞. 综述:面向SoC-FPGA的开源处理器[J]. 电子学报, 2018, 46(4): 992-1004.
[14]	薛一鸣, 陈鹞, 何宁宁, 胡彩娥, 王建平. 基于DFT滤波器组的低时延FPGA语音处理实现研究[J]. 电子学报, 2018, 46(3): 695-701.
[15]	孙悦, 王传伟, 康龙飞, 叶超, 张信. 基于CORDIC的精确快速幅相解算方法[J]. 电子学报, 2018, 46(12): 2978-2984.