infant nfa pattern matching
play

iNFAnt: NFA Pattern Matching on GPGPU Devices Niccolo - PDF document

Public Review for iNFAnt: NFA Pattern Matching on GPGPU Devices Niccolo Cascarano, Pierluigi Rolando, Fulvio Risso, and Riccardo Sisto This paper proposes iNFAnt, a


  1. • • Public Review for • • iNFAnt: NFA Pattern Matching • • on GPGPU Devices • • • Niccolo’ Cascarano, Pierluigi Rolando, Fulvio Risso, • • and Riccardo Sisto • • • • This paper proposes iNFAnt, a parallel engine for regular expression pattern matching based on general- • purpose computation on graphical processing units (GPGPU). Pattern matching is an important research • • area and GPGPU-based pattern matching is a timely and novel research direction. While there are previ- • ous approaches that use GPGPU to speed up deterministic finite automata (DFA) based pattern matching, • this paper represents the first attempt to speed up pattern matching based on non-deterministic finite • • automata (NFA). The authors make good justifications on the use of GPGPU for speeding up NFA instead • of DFA – large amounts of concurrent threads in GPU to offset the complexityof NFA as compared to • DFA, and high memory bandwidth to transfer ablock of memory contents for NFA rather than supporting • • random access caused by DFA. The Compute Unified Device Architecture (CUDA) implemented by GPU • devices also provides a nice programming model for easy deployment. The design of iNFAnt incorporates • • a few useful techniques specifically tailored for GPU environment (such as multistriding and self-loop • handling). Experimental evaluation confirms the good performance of iNFAnt. The paper also sheds some • light on the performance bottleneck of iNFAnt. These results are interesting and will likely inspire more • • follow-up research on GPGPU-based pattern matching. • Public review written by • • Yin Zhang • The University of Texas at Austin, USA • • • • • • • • • • • • • • • • • • • • • • • • • • • • • a c m s i g c o m m • • • • ACM SIGCOMM Computer Communication Review 20 Volume 40, Number 5, October 2010

  2. iNFAnt: NFA Pattern Matching on GPGPU Devices Niccolo’ Cascarano, Pierluigi Rolando, Fulvio Risso, Riccardo Sisto Politecnico di Torino Turin, Italy { niccolo.cascarano, pierluigi.rolando, fulvio.risso, riccardo.sisto } @polito.it ABSTRACT certain peculiar patterns that are rather common in prac- tice (the so-called state space explosion ) [2]. In general, This paper presents iNFAnt, a parallel engine for regular software-based NFA implementations suffer from a higher expression pattern matching. In contrast with traditional per-byte traversal cost when compared with DFAs: intu- approaches, iNFAnt adopts non-deterministic automata, al- itively, this is because multiple NFA states can be active at lowing the compilation of very large and complex rule sets any given step, while only a single one must be considered that are otherwise hard to treat. when processing DFAs. iNFAnt is explicitly designed and developed to run on So far software research has been focused mainly on DFAs, graphical processing units that provide large amounts of as they provide a relatively easy way to achieve high through- concurrent threads; this parallelism is exploited to handle puts; many efforts have been aimed at solving the inherent the non-determinism of the model and to process multiple downsides of this model and avoid the aforementioned mem- packets at once, thus achieving high performance levels. ory explosion. At the same time, NFAs have often been relegated to the design of hardware devices (e.g. FPGAs) Categories and Subject Descriptors that can easily mimic their behavior, or for use where high throughput is not the primary concern (e.g. many general- C.2.3 [ Computer-Communication Networks ]: Network purpose pattern-matching libraries). Operations This paper presents iNFAnt, a NFA-based regular expres- sion engine running on graphical processing units (GPUs). General Terms iNFAnt represents a significant departure from traditional software-based pattern matching engines both for its un- Experimentation, Algorithms derlying automaton model, the NFA, and its target hard- ware platform, the GPU. NFA adoption allows iNFAnt to Keywords efficiently store very large regular expression sets in a lim- ited amount of memory while the parallelism offered by the NFA, pattern matching, CUDA, GPGPU, regular expression underlying hardware helps countering the higher per-byte traversal cost of NFAs with respect to DFAs and the higher 1. INTRODUCTION instruction execution time of GPUs with respect to CPUs. Pattern matching, i.e. the task of matching a string of iNFAnt also represents, as far as we know, one of the first ap- symbols against a set of given patterns, plays an important proaches to pattern matching designed from the ground up role in multiple fields that range from bioinformatics (e.g. for the heavily parallel execution environment offered by the for analyzing DNA sequences) to high-speed packet process- modern programmable GPUs, as opposed to being an adap- ing, where it is a critical component for packet filtering, traf- tation of a technique originally designed for general-purpose fic classification and, in general, deep packet inspection. processors. Pattern matching is commonly performed by expressing patterns as sets of regular expressions and converting them 2. RELATED WORKS into finite state automata (FSAs), mathematical models that represent (potentially infinite) sets of strings. The behav- It is common knowledge that pattern matching is the most ior of FSAs is simple to emulate on computing devices in time-expensive operation to be performed in intrusion de- order to perform the actual matching procedure and finite tection systems and similar applications: accelerating its automata can be easily composed together with the full set execution has been the object of several academic works. of boolean operators. Some of them have already considered the idea of using the Two kinds of FSAs are known from the literature, de- parallelism offered by GPUs. terministic (DFA) and non-deterministic (NFA). While au- It is possible either to try to execute the whole packet tomata theory proves them equivalent in terms of expressive- processing application on a graphical device or to accelerate ness, their practical properties are different: NFA traversal only the pattern matching portion. The first case saw the development of Gnort [7], a full port of the Snort IDS 1 to a requires, by definition, non-deterministic choices that are hard to emulate on actual, deterministic processors; on the GPU environment. other hand DFAs, while fast to execute, can be less space- 1 Available at http://www.snort.org/ . efficient, requiring very large amounts of memory to store ACM SIGCOMM Computer Communication Review 21 Volume 40, Number 5, October 2010

Recommend


More recommend