網路威脅偵測系統(Network Intrusion Detection Systems)已經被廣泛地使用來偵測網路上的病毒，並且保護我們的電腦。其中最主要的核心，就是字串比對(Pattern Matching)的引擎，而正規表示法(Regular Expression)就是最常被採用的表示方法，因為他簡潔而有力的演繹能力，同時，使用上非常具有彈性。不過，雖然使用上非常方便，相對地，它運算量大又複雜，實做上也有許多問題。因此，正規表示法的字串比對是整個網路威脅偵測系統效能的瓶頸。這篇論文中，我們提出一個創新的階層式有限狀態機(Hierarchical Finite State Machine)，他是一個特別適合應用在圖形處理器(GPU)的一個平行演算法，並且能夠解決並加速一般無法處理的複雜正規表示法，同時，依然能過有效處理一般的固定字串(Exact String)。

Abstract
In terms of flexibility and scalability, regular expression has been widely adopted in Network Intrusion Detection Systems (NIDS) to represent network attack patterns. To accommodate the increasing number of attack patterns, several recent researches adopt Graphic Processor Units (GPUs) to accelerate the matching process. However, all of them cannot deal with complex regular expressions which have become an important representation in virus database. In this paper, we propose a novel parallel algorithm to accelerate regular expression matching performed on GPUs. We also propose an innovative state machine for complex regular expression matching, the state machine of which is more suitable for performing in the parallel algorithm. The experimental results show that the novel approach not only achieves a significant speedup on performing complex regular expression matching but also are faster on the simple regular expression matching than other GPU approaches.

Reference
[1] M. Roesch. Snort- lightweight Intrusion Detection for networks. In Proceedings of LISA99, the 15th Systems Administration Conference, 1999.
[2] Bro official website, “http://www.bro-ids.org/”
[3] Linux L7-filter official website, “http://l7-filter.sourceforge.net/”
[4] R. Sidhu and V. K. Prasanna, “Fast regular expression matching using FPGAs,” in Proc. 9th Ann. IEEE Symp. Field-Program. Custom Comput. Mach. (FCCM), 2001, pp. 227-238.
[5] B.L. Hutchings, R. Franklin, and D. Carver, “Assisting Network Intrusion Detection with Reconfigurable Hardware,” in Proc.10th Ann. IEEE Symp. Field-Program. Custom Comput. Mach. (FCCM), 2002, pp. 111-120.
[6] C. R. Clark and D. E. Schimmel, “Scalable Pattern Matching for High Speed Networks,” in Proc. 12th Ann. IEEE Symp. Field-Program. Custom Comput. Mach. (FCCM), 2004, pp. 249-257
[7] J. Moscola, J. Lockwood, R. P. Loui, and M. Pachos, “Implementation of a Content-Scanning Module for an Internet Firewall,” in Proc. 11th Ann. IEEE Symp. Field-Program. Custom Comput. Mach. (FCCM), 2003, pp. 31–38.
[8] M. Aldwairi*, T. Conte, and P. Franzon, “Configurable String Matching Hardware for Speeding up Intrusion Detection,” in ACM SIGARCH Computer Architecture News, 2005, pp. 99–107
[9] S. Dharmapurikar and J. Lockwood, “Fast and Scalable Pattern Matching for Content Filtering,” in Proc. of Symp. Architectures Netw. Commun. Syst. (ANCS), 2005, pp. 183-192
[10] Y. H. Cho and W. H. Mangione-Smith, “A Pattern Matching Co-processor for Network Security,” in Proc. 42nd Des. Autom. Conf. (DAC), 2005, pp. 234-239
[11] L. Tan and T. Sherwood, “A high throughput string matching architecture for intrusion detection and prevention,” in proc. 32nd Ann. Int. Symp. on Comp. Architecture, (ISCA), 2005, pp. 112-122
[12] H. J. Jung, Z. K. Baker, and V. K. Prasanna, “Performance of FPGA Implementation of Bit-split Architecture for Intrusion Detection Systems,” in 20th Int. Parallel and Distributed Processing Symp. (IPDPS), 2006.
[13] F. Yu, Z. Chen, Y.Diao, T.V. Lakshman, and R.H. Katz, “Fast and Memory-Efficient Regular Expression Matching for Deep packet Inspection,” in Proc. ACM/IEEE Symp. Architectures Netw. Commun. Syst. (ANCS), 2006, pp. 93-102
[14] A. V. Aho and M. J. Corasick. Efficient String Matching: An Aid to Bibliographic Search. In Communications of the ACM, 18(6):333–340, 1975.
[15] Flex official website, “http://flex.sourceforge.net/”
[16] PCRE official website, “http://www.pcre.org/”
[17] M. Aldwairi, T. Conte, and P. Franzon, “Configurable String Matching Hardware for Speeding up Intrusion Detection,” in Proc. ACM SIGARCH Computer Architecture News, 33(1):99–107, 2005.
[18] F. Yu, R. H. Katz, and T. V. Lakshman, “Gigabit Rate Packet Pattern-Matching Using TCAM,” in Proc. the 12th IEEE International Conference on Network Protocols (ICNP’04), 2004.
[19] N. Tuck, T. Sherwood, B. Calder, and G. Varghese. “Deterministic Memory-Efficient String Matching Algorithms for Intrusion Detection,” in Proc. 23nd Conference of IEEE Communication Society (INFOCOMM), Mar, 2004.
[20] S. Kumar, S.Dharmapurikar, F.Yu, P. Crowley, and J. Turner, “Algorithms to Accelerate Multiple Regular Expressions Matching for Deep Packet Inspection,” in ACM SIGCOMM Computer Communication Review, ACM Press, vol.36, Issue. 4, Oct. 2006, pp. 339-350.
[21] N. F. Huang, H. W. Hung, S. H. Lai, Y. M. Chu, and W. Y. Tsai, “A gpu-based multiple-pattern matching algorithm for network intrusion detection systems,” in Proc. 22nd International Conference on Advanced Information Networking and Applications (AINA), 2008, pp. 62–67.
[22] M. C. Schatz and C. Trapnell, “Fast Exact String Matching on the GPU,” Technical report.
[23] G. Vasiliadis , M. Polychronakis, S. Antonatos , E. P. Markatos and S. Ioannidis, “Regular Expression Matching on Graphics Hardware for Intrusion Detection,” In Proc. 12th International Symposium on Recent Advances in Intrusion Detection, 2009.
[24] R. Smith, N. Goyal, J. Ormont, K. Sankaralingam, C. Estan, “Evaluating GPUs for network packet signature matching,” in Proc. of the International Symposium on Performance Analysis of Systems and Software, ISPASS (2009).