U.S. patent application number 13/758203 was filed with the patent office on 2013-06-06 for method and device for distributing patterns to scanning engines for scanning patterns in a packet stream.
This patent application is currently assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. The applicant listed for this patent is International Business Machines Corporation. Invention is credited to Kubilay ATASU, Christoph HAGLEITNER, Jan Van Lunteren, Jonathan Bruno ROHRER.
Application Number | 20130144830 13/758203 |
Family ID | 43301466 |
Filed Date | 2013-06-06 |
United States Patent Application | 20130144830 |
Kind Code | A1 |
ATASU; Kubilay ; et al. | June 6, 2013 |
METHOD AND DEVICE FOR DISTRIBUTING PATTERNS TO SCANNING ENGINES FOR
SCANNING PATTERNS IN A PACKET STREAM
Abstract
A method and a device for distributing patterns to scanning
engines for scanning packets in a packet stream are provided. The
method includes providing a plurality of scanning engines and
patterns, calculating a respective distance metric for every pair
of patterns, and providing a plurality of distribution functions.
Further, the method includes calculating a respective sum of the
calculated distance metrics for distributing the patterns for each
of the distribution functions, and utilizing the sums for selecting
a distribution function of the D distribution functions for
distributing the patterns to the M scanning engines. A device for
implementing the method is also provided.
Inventors: | ATASU; Kubilay; (Zurich, CH) ; HAGLEITNER; Christoph; (Zurich, CH) ; ROHRER; Jonathan Bruno; (Zurich, CH) ; Lunteren; Jan Van; (Zurich, CH) |
Applicant: |
Name | City | State | Country | Type |
International Business Machines Corporation | Armonk | NY | US | |
Assignee: | INTERNATIONAL BUSINESS MACHINES CORPORATION, Armonk, NY |
Family ID: | 43301466 |
Appl. No.: | 13/758203 |
Filed: | February 4, 2013 |
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number |
12793725 | Jun 4, 2010 | 8386411 |
13758203 | | |
Current U.S. Class: | 706/48 |
Current CPC Class: | H04L 63/0227 20130101; H04L 69/22 20130101; H04L 63/1441 20130101; G06N 5/02 20130101 |
Class at Publication: | 706/48 |
International Class: | G06N 5/02 20060101 G06N005/02 |
Foreign Application Data
Date | Code | Application Number |
Jun 5, 2009 | EP | 09162120.1 |
Claims
1. A computer implemented method for distributing patterns to
scanning engines for scanning packets in a packet stream, the
method comprising: providing a plurality of scanning engines;
providing a plurality of patterns, each pattern having a respective
definite memory consumption when compiled onto a scanning engine;
calculating, using a computer device, a respective distance metric
for every pair of patterns, wherein the respective distance metric
represents a difference in memory consumption of two patterns of
the pair when compiled between mutual compilation onto a single
scanning engine and separate compilation onto two scanning engines;
providing a plurality of distribution functions, the respective
distribution function mapping the patterns to the scanning engines;
calculating, for each of the distribution functions, a respective
sum of a calculated distance metrics for distributing the patterns,
the respective sum estimating the memory consumption for compiling
the patterns to the scanning engines by accumulating the distance
metrics of every pair of patterns being mapped to the same scanning
engine for the respective distribution function; and utilizing the
sums for selecting a distribution function of the distribution
functions for distributing the patterns to the scanning engines;
wherein a pattern is identified as an incompatible pattern in
response to the pattern resulting in a respective memory
consumption higher than a defined memory consumption threshold when
compiled onto one scanning engine together with others of the
patterns.
2. The method of claim 1, further comprising the step of extracting
the distribution functions of the distribution functions that
fulfil constraints to provide a number of extracted distribution
functions.
3. The method of claim 2, further comprising the step of selecting
the distribution function of the extracted distribution functions
having a minimal calculated sum for distributing the patterns to
the scanning engines.
4. The method of claim 1, further comprising the step of
identifying incompatible patterns within the plurality of provided
patterns.
5. The method of claim 4, wherein a pattern is identified as an
incompatible pattern if it has a respective memory consumption
higher than a defined memory consumption threshold when compiled
onto one scanning engine.
6. The method of claim 4, wherein identifying a pattern as an
incompatible pattern comprises: calculating a sum value for the
respective pattern by accumulating all distance metrics of the
respective patterns to all other patterns; calculating an average
mean value of the calculated sum values; calculating a standard
deviation value of the calculated sum values; and identifying a
respective pattern as an incompatible pattern in response to the
calculated respective sum value being greater than a sum of the
calculated average mean value and the calculated standard deviation
value.
7. The method of claim 4, further comprising: a pre-processing of a
pattern for providing a pre-processed pattern is triggered by
identifying the pattern as an incompatible pattern.
8. The method of claim 7, wherein the pre-processing of the pattern
includes rewriting the respective pattern as a semantically
equivalent pattern.
9. The method of claim 8, wherein the pre-processing of the
respective pattern includes rewriting the respective pattern as a
plurality of patterns, which together are semantically equivalent
to the respective pattern.
10. The method of claim 4, wherein a list of incompatible patterns
is generated from the identified incompatible patterns wherein the
provided patterns are automatically re-configured in dependence on
the generated list of incompatible patterns.
11. The method of claim 4, wherein: a list of incompatible patterns
is generated from the identified incompatible patterns; the
generated list of incompatible patterns and configuration means are
provided to a user; and the user can re-configure the provided
patterns by means of the configuration means and in dependence on
the generated list of incompatible patterns.
12. The method of claim 1, wherein a number of constraints are
defined, the respective constraint constraining the mapping of the
patterns to the scanning engines.
13. The method of claim 12, wherein the constraints comprise: at
least one first mapping condition, wherein the respective first
mapping condition requires that a defined subset of the patterns is
to be compiled onto one common scanning engine; at least one second
mapping condition, wherein the respective second mapping condition
requires that a defined subset of the patterns is to be compiled
onto different scanning engines; and at least one third mapping
condition, wherein the respective third mapping condition requires
that at least two defined patterns of the patterns are to be
compiled onto different groups of scanning engines.
14. The method of claim 12, wherein the constraints comprise: at
least one first mapping condition, wherein the respective first
mapping condition requires that a defined subset of the patterns is
to be compiled onto one common scanning engine; at least one second
mapping condition, wherein the respective second mapping condition
requires that a defined subset of the patterns is to be compiled
onto different scanning engines; and at least one third mapping
condition, wherein the respective third mapping condition requires
that at least two defined patterns of the patterns are to be
compiled onto one common group of scanning engines.
15. The method of claim 12, wherein the constraints comprise: at
least one first mapping condition, wherein the respective first
mapping condition requires that a defined subset of the patterns is
to be compiled onto one common scanning engine; at least one second
mapping condition, wherein the respective second mapping condition
requires that a defined subset of the patterns is to be compiled
onto different scanning engines; at least one third mapping
condition, wherein the respective third mapping condition requires
that at least two defined patterns of the patterns are to be
compiled onto one common group of scanning engines; and at least
one fourth mapping condition, the respective fourth mapping
condition requiring that at least two defined patterns of the
patterns are to be compiled onto different groups of scanning
engines.
16. The method of claim 13, wherein the patterns are provided in
dependence on the constraints.
17. A device for distributing patterns to scanning engines for
scanning packets in a packet stream, the device comprising: a
plurality of scanning engines; a processor and memory with
programming instructions configured to perform providing a
plurality of patterns, each pattern having a respective definite
memory consumption when compiled onto a scanning engine;
calculating, using a computer device, a respective distance metric
for every pair of patterns, wherein the respective distance metric
represents a difference in memory consumption of two patterns of
the pair when compiled between mutual compilation onto a single
scanning engine and separate compilation onto two scanning engines;
providing a plurality of distribution functions, the respective
distribution function mapping the patterns to the scanning engines;
calculating, for each of the distribution functions, a respective
sum of a calculated distance metrics for distributing the patterns,
the respective sum estimating the memory consumption for compiling
the patterns to the scanning engines by accumulating the distance
metrics of every pair of patterns being mapped to the same scanning
engine for the respective distribution function; and utilizing the
sums for selecting a distribution function of the distribution
functions for distributing the patterns to the scanning engines;
wherein a pattern is identified as an incompatible pattern in
response to the pattern resulting in a respective memory
consumption higher than a defined memory consumption threshold when
compiled onto one scanning engine together with others of the
patterns.
18. The device of claim 17, further comprising the step of
extracting the distribution functions of the distribution functions
that fulfil constraints to provide a number of extracted
distribution functions.
19. The device of claim 18, further comprising the step of
selecting the distribution function of the extracted distribution
functions having a minimal calculated sum for distributing the
patterns to the scanning engines.
20. A non-transitory computer readable storage medium for
distributing patterns to scanning engines for scanning packets in a
packet stream, the computer readable storage medium comprising
instructions configured to perform a method comprising: providing a
plurality of scanning engines; providing a plurality of patterns,
each pattern having a respective definite memory consumption when
compiled onto a scanning engine; calculating, using a computer
device, a respective distance metric for every pair of patterns,
wherein the respective distance metric represents a difference in
memory consumption of two patterns of the pair when compiled
between mutual compilation onto a single scanning engine and
separate compilation onto two scanning engines; providing a
plurality of distribution functions, the respective distribution
function mapping the patterns to the scanning engines; calculating,
for each of the distribution functions, a respective sum of a
calculated distance metrics for distributing the patterns, the
respective sum estimating the memory consumption for compiling the
patterns to the scanning engines by accumulating the distance
metrics of every pair of patterns being mapped to the same scanning
engine for the respective distribution function; and utilizing the
sums for selecting a distribution function of the distribution
functions for distributing the patterns to the scanning engines;
wherein a pattern is identified as an incompatible pattern in
response to the pattern resulting in a respective memory
consumption higher than a defined memory consumption threshold when
compiled onto one scanning engine together with others of the
patterns.
Description
CROSS REFERENCE TO RELATED APPLICATION
[0001] This is a continuation of application Ser. No. 12/793,725
filed on Jun. 4, 2010, which claims priority under 35 U.S.C.
§119 from European Patent Application No. 09162120.1 filed
Jun. 5, 2009, the entire contents of which are incorporated herein
by reference.
BACKGROUND OF THE INVENTION
[0002] 1. Field of the Invention
[0003] The present invention relates to the field of packet
scanning and more particularly, to a method and a device for
distributing patterns to scanning engines for scanning packets in a
packet stream.
[0004] 2. Description of the Related Art
[0005] Packet scanning, also known as packet content scanning, is
an important part of network security and application monitoring.
Packets in a stream are mapped against a set of patterns to detect
security threats or to gain information about the stream or packet
stream. Due to their flexibility, regular expressions are a common
way to define such patterns. Finite automata are typically used to
implement regular expression scanning or parsing.
[0006] In contrast to NFA (Non-Deterministic Finite Automata), DFA
(Deterministic Finite Automata) only require one state transition
per input value. This yields higher scanning or parsing rates and a
smaller parse state which has to be maintained per flow. Therefore,
DFA are preferred for Network Intrusion Detection Systems (NIDS)
although they usually require more memory than NFA.
[0007] Regarding NIDSs, the frequency of network attacks increases
every year, and the methods of attack are becoming more
sophisticated, and NIDS keep up with these trends. An example of an
NIDS is known from "SNORT network intrusion detection systems",
http://www.snort.org, referenced as [1]. Such NIDS apply very
powerful and flexible content-filtering rules defined using regular
expressions. This has triggered a substantial amount of research
and product development in the area of hardware-based accelerators
for pattern matching, as this seems to be the only viable approach
for scanning network data against the increasingly complex regular
expressions at wire-speed processing rates of tens of gigabits per
second.
[0008] Moreover, in typical network environments, the number of
open sessions at any given time can be on the order of millions,
and the streams are scanned in an interleaved fashion. Therefore,
the internal state of the scanning engine needs to be stored and
reloaded whenever the input stream is switched.
[0009] To reach higher throughput for the complex sets of
expressions, a compact representation of the data structures
describing the automata is required, so that it can be kept in fast
on-chip memories.
[0010] If the data structures become too large, so that an off-chip
memory needs to be used, the higher latency of such memories limits
the rate at which the input stream can be processed. In this
regard, S. Kumar, B. Chandrasekaran, J. Turner, and G. Varghese,
"Curing regular expressions matching algorithms from insomnia,
amnesia, and acalculia", in ANCS '07, pp. 155-164, ACM, 2007,
referenced as [2], show that the size of the data structures can
grow exponentially if certain regular expressions are combined into
one scanning engine.
[0011] Accordingly, an embodiment of the present invention provides
a memory-efficient distribution of patterns to scanning
engines.
SUMMARY OF THE INVENTION
[0012] According to an embodiment of the invention, a method for
distributing patterns to scanning engines for scanning packets in a
packet stream is provided. The method includes:
[0013] providing a plurality of scanning engines;
[0014] providing a plurality of patterns, each pattern having a
respective definite memory consumption when compiled onto a
scanning engine;
[0015] calculating a respective distance metric for every pair of
patterns, wherein the respective distance metric represents the
difference in memory consumption of the two patterns of the pair
when compiled between mutual compilation onto a single scanning
engine and separate compilation onto two scanning engines;
[0016] providing a plurality of distribution functions, the
respective distribution function mapping the patterns to the
scanning engines;
[0017] calculating, for each of the distribution functions, a
respective sum of the calculated distance metrics for distributing
the patterns, the respective sum estimating the memory consumption
for compiling the patterns to the scanning engines by accumulating
the distance metrics of every pair of patterns being mapped to the
same scanning engine for the respective distribution function;
and
[0018] utilizing the sums for selecting a distribution function of
the distribution functions for distributing the patterns to the
scanning engines.
[0019] According to another embodiment of the invention, a device
for distributing patterns to scanning engines for scanning packets
in a packet stream is provided. The device includes:
[0020] a plurality of scanning engines;
[0021] means for providing a plurality of patterns, where each
pattern has a respective definite memory consumption when compiled
onto a scanning engine;
[0022] means for calculating a respective distance metric for every
pair of patterns, wherein the respective distance metric represents
the difference in memory consumption of the two patterns of the
pair when compiled between mutual compilation onto a single
scanning engine and separate compilation onto two scanning
engines;
[0023] means for providing a plurality of distribution functions,
wherein the respective distribution function maps the patterns to
the scanning engines;
[0024] means for calculating a respective sum of the calculated
distance metrics for distributing the patterns for each of the
distribution functions, wherein the respective sum estimates the
memory consumption for compiling the patterns to the scanning
engines by accumulating the distance metrics of every pair of
patterns being mapped to the same scanning engine for the
respective distribution function; and
[0025] means for utilizing the sums for selecting a distribution
function of the distribution functions for distributing the
patterns to the scanning engines, in particular for selecting the
distribution function of the distribution functions having the
minimal calculated sum for distributing the patterns to the
scanning engines.
BRIEF DESCRIPTION OF THE FIGURES
[0026] FIG. 1 shows a first embodiment of a sequence of method
steps for distributing patterns to scanning engines for scanning
packets in a packet stream.
[0027] FIG. 2 shows a plot of the pair-wise distance for a set of
regular expressions.
[0028] FIG. 3 shows a metric of a set of 75 regular expressions
randomly distributed on four DFAs.
[0029] FIG. 4 shows an exemplary illustration of the pattern
distribution problem for two DFAs as a Maximum Cut problem.
[0030] FIG. 5 shows a second embodiment of a sequence of method
steps for distributing patterns to scanning engines for scanning
packets in a packet stream.
[0031] FIG. 6 shows an embodiment of a device for distributing
patterns to scanning engines for scanning packets in a packet
stream.
[0032] FIG. 7 shows an embodiment of a pattern-scanning engine for
scanning packets in a packet stream.
[0033] Like or functionally-like elements in the figures have been
allotted the same reference signs if not otherwise indicated.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
[0034] Exemplary embodiments of the present invention will now be
described with reference to the enclosed figures.
[0035] FIG. 1 shows a sequence of essential method steps for
distributing patterns to scanning engines for scanning packets in a
packet stream. In the sense of the present invention, the term
"scanning engine" includes "pattern-scanning engine" or "parsing
engine". In particular, a scanning engine is embodied by a DFA.
[0036] An embodiment of the method according to the invention as
shown in FIG. 1 has the following method steps S1-S6:
Method Step S1:
[0037] A plurality of scanning engines is provided. As already
indicated above, a scanning engine may be embodied by a DFA.
Method Step S2:
[0038] A plurality of patterns is provided, each pattern having a
respective definite memory consumption when compiled onto a
DFA.
Method Step S3:
[0039] A respective distance metric is calculated for every pair of
patterns, the respective distance metric representing the
difference in memory consumption of the two patterns of the pair
when compiled between mutual compilation onto a single DFA and
separate compilation onto two DFAs. Thus, the respective distance
metric represents the change in required memory or in required
storage consumption if patterns i and j are compiled onto a single
DFA compared to two individual or separate DFAs for each
pattern.
Method Step S4:
[0040] A plurality D of distribution functions is provided. The
respective distribution function is adapted to map the N patterns
to the M scanning engines.
Method Step S5:
[0041] For each of the D distribution functions, a respective sum
of the calculated distance metrics is calculated, the respective
sum estimating the memory consumption for compiling the N patterns
to the M scanning engines by pair-wise accumulating the distance
metrics of every pair of patterns being mapped to the same scanning
engine according to the respective distribution function. Thus, the
respective sum includes only the distance metrics of those pairs of
patterns that share a common scanning engine according to the
mapping of the respective distribution function.
Method Step S6:
[0042] The distribution function is selected from the D
distribution functions. Preferably the distribution function that
has the minimal calculated sum for distributing the N patterns to
the M scanning engines is selected.
[0043] The above mentioned method as elucidated with reference to
FIG. 1 may be described as an optimization metric of the pattern
distribution problem, i.e. distributing the N patterns to the M
scanning engines, e.g. DFAs.
[0044] Thus, the pattern distribution problem may be represented as
an energy minimization problem based on the optimization metric.
Therefore, a weighted graph presentation is derived and it is shown
that the energy minimization problem is equivalent to the Maximum
Cut Problem as known from R. M. Garey and D. S. Johnson, Computers
and Intractability; A Guide to the Theory of NP-Completeness. New
York: W. H. Freeman and Co., 1979, referenced as [3].
[0045] As a result, the computationally expensive distribution
problem is mapped to the energy minimization problem, which enables
the application of standard optimization strategies to find an
optimal or close-to-optimal solution.
[0046] In this regard, the goal is to distribute a set S of N
patterns into M DFAs, wherein each DFA receives one subset
$S_k, k \in \{1 \ldots M\}$
of the N patterns, and the total memory requirement for the M DFAs
is minimized. The subsets $S_k$ must be non-overlapping and cover
all N patterns in S.
[0047] In the following, the energy function $E_{dist}$ is defined.
Further, there is an attempt to find the mapping of N patterns to
the M DFAs that minimizes this energy function $E_{dist}$. The
energy function $E_{dist}$ should be correlated to the memory
consumption, that is, it should have high values for bad
distributions, and low values for good distributions, and be much
less expensive to compute than the actual memory consumption.
Therefore, a coefficient
$a_i, i \in \{1 \ldots N\}$
is defined as a measure of the memory requirement if pattern i is
compiled onto a DFA by itself. Further, the coefficient
$b_{i,j}, i,j \in \{1 \ldots N\}$
is defined as a measure of the memory requirement of the pair of
patterns i and j when compiled together into or onto the same DFA.
There are N $a_i$ values to be computed. In addition, considering
that
$b_{i,j} = b_{j,i}$ and $b_{i,i} = a_i$, there exist $\frac{(N-1)^2}{2}$ $b_{i,j}$.
Based on these coefficients, a mutual distance $m_{i,j}$ of two
patterns i and j is defined as
$$m_{i,j} = b_{i,j} - a_i - a_j$$
which may be interpreted as the increase in memory consumption when
compiling the patterns i and j into the same DFA. Such a mutual
compilation may also cause a reduction in memory consumption, such
as if the two patterns share a common prefix or a common suffix,
which yields a negative $m_{i,j}$ value. When adding a third
pattern l to the combined DFA of i and j, an increase in memory
consumption is approximated as
$$m_{i,l} + m_{j,l}$$
Herewith, the following energy function $E_{dist}$ may be defined
to find the distribution that minimizes the overall memory
consumption:
$$\min E_{dist} = \sum_{k=1}^{M} \sum_{\substack{i=2 \\ i \in S_k}}^{N} \sum_{\substack{j=1 \\ j \in S_k}}^{i-1} m_{i,j} \qquad (1)$$
[0048] For a set of 329 regular expressions, FIG. 2 shows a plot of
the pair-wise distance for the set. The plot of FIG. 2 shows that
there are certain patterns which are particularly incompatible when
compiled together on a DFA resulting in spikes in the plot of FIG.
2. The above mentioned distance metric allows the amount of
interaction between a pair of patterns to be quantified.
[0049] In this regard, FIG. 3 shows a metric of a set of 75 regular
expressions randomly distributed on four DFAs. Thus, FIG. 3
emphasizes the relationship between the defined energy function and
the actual number of transition rules after a powerset compilation
for a large set of random distributions using the set of 75 regular
expressions. A linear least-squares approximation of all data
points indicated by a dashed line in FIG. 3 shows that an increase
in the energy function often results in a linear increase of the
number of transition rules.
[0050] Further, as already mentioned above, the energy minimization
problem of the above equation (1) is a Maximum Cut problem. This
may be proven by the following: A complete graph G(V, E) may be
provided, wherein the nodes V represent patterns and the edges E
are undirected and weighted based on the mutual distance between
the patterns as described above, i.e. the weight of the edge
between pattern i and pattern j is $m_{i,j}$.
[0051] In this regard, FIG. 4 shows an exemplary illustration of a
pattern distribution problem for two DFAs as a Maximum Cut problem.
The above defined energy function $E_{dist}$ tries to find the
distribution that minimizes the sum of the weights of the edges
internal to each DFA, e.g. the solid edges in FIG. 4. On the other
hand, the Maximum Cut problem as known from [3] tries to find a
distribution that maximizes the sum of the weights of the edges
that are cut across the DFAs, e.g. the dashed edges in FIG. 4. The
optimization metric for the Maximum Cut problem can be defined as
follows:
$$\max E_{cut} = \sum_{k=1}^{M} \sum_{\substack{i=2 \\ i \in S_k}}^{N} \sum_{\substack{j=1 \\ j \notin S_k}}^{i-1} m_{i,j} \qquad (2)$$
[0052] Further, the following $E_{tot}$ is defined as a sum of the
weights of all edges:
$$E_{tot} = \sum_{i=2}^{N} \sum_{j=1}^{i-1} m_{i,j} \qquad (3)$$
[0053] Note that for a given graph G(V, E), $E_{tot}$ is constant
and that
$$E_{dist} + E_{cut} = E_{tot}.$$
[0054] Therefore, the distribution that minimizes $E_{dist}$
maximizes $E_{cut}$. The optimal solution for above equation (1)
provides the optimal solution for equation (2) and vice versa.
[0055] Recapitulating, the problem of equation (1) is equivalent to
the Maximum Cut problem as shown in equation (2). The Maximum Cut
problem may be reduced to an energy minimization problem of
equation (1) and vice versa. As a result, the problem of equation
(1) is NP-hard, and a polynomial-time solution is not likely to
exist.
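The energy computation of equations (1) to (3) and the selection in method steps S3 to S6, worked through as an added example (not code from the patent). The values in `A` and `B` are constructed sample measurements, the function names are illustrative, and exhaustive enumeration stands in for the D distribution functions, which is only practical for small N. It also applies same-engine and different-engine constraints and the test of claim 6, assuming a population standard deviation.

```python
from itertools import combinations, product
from statistics import mean, pstdev

# Constructed sample measurements (not from the patent), e.g. DFA state counts.
# A[i]: memory of pattern i compiled alone (a_i).
# B[(i, j)]: memory of patterns i and j compiled onto one DFA (b_ij).
A = [10, 12, 8, 20, 15]
B = {(0, 1): 20, (0, 2): 19, (0, 3): 70, (0, 4): 28, (1, 2): 20,
     (1, 3): 67, (1, 4): 29, (2, 3): 78, (2, 4): 24, (3, 4): 65}


def mutual_distances(a, b):
    """m[i,j] = b[i,j] - a[i] - a[j] for every pair i < j (method step S3)."""
    return {(i, j): b[(i, j)] - a[i] - a[j]
            for i, j in combinations(range(len(a)), 2)}


def e_dist(assign, m):
    """Equation (1): sum of m[i,j] over pairs mapped to the same engine."""
    return sum(w for (i, j), w in m.items() if assign[i] == assign[j])


def e_cut(assign, m):
    """Equation (2): sum of m[i,j] over pairs split across engines."""
    return sum(w for (i, j), w in m.items() if assign[i] != assign[j])


def satisfies(assign, same=(), different=()):
    """Constraint check: pairs forced onto the same or onto different engines."""
    return (all(assign[i] == assign[j] for i, j in same) and
            all(assign[i] != assign[j] for i, j in different))


def select_distribution(m, n, engines, same=(), different=()):
    """Steps S4-S6 by brute force: enumerate every mapping of n patterns to
    `engines` engines, keep the mappings that meet the constraints, and
    return the one with minimal E_dist (None if no mapping is feasible)."""
    candidates = (c for c in product(range(engines), repeat=n)
                  if satisfies(c, same, different))
    best = min(candidates, key=lambda c: e_dist(c, m), default=None)
    return best, (None if best is None else e_dist(best, m))


def incompatible_patterns(m, n):
    """Claim 6: flag pattern i when the sum of its distances to all other
    patterns exceeds the mean plus the standard deviation of those sums.
    Assumption: population standard deviation (the claim does not say)."""
    sums = [sum(w for pair, w in m.items() if i in pair) for i in range(n)]
    threshold = mean(sums) + pstdev(sums)
    return [i for i, s in enumerate(sums) if s > threshold]


if __name__ == "__main__":
    m = mutual_distances(A, B)
    best, energy = select_distribution(m, len(A), engines=2)
    print("best distribution:", best, "E_dist =", energy)
    print("E_dist + E_cut =", energy + e_cut(best, m),
          "E_tot =", sum(m.values()))
    print("incompatible patterns:", incompatible_patterns(m, len(A)))
    # Forcing the expensive pattern 3 to share an engine with pattern 4
    # raises the minimal energy, which is what the constraint costs.
    print("with constraint:", select_distribution(m, len(A), 2, same=[(3, 4)]))
```

In the sample data, pattern 3 interacts badly with every other pattern, so the unconstrained optimum isolates it on its own engine and the claim 6 test flags it.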
[0056] While targeting a pipelined rather than a parallel
architecture, Z. K. Baker and V. K. Prasanna, "A methodology for
synthesis of efficient intrusion detection systems of FPGAs", in
Proc. FCCM '04, pp. 135-144, IEEE, 2004, referenced as [4],
represents the pattern distribution problem as a minimum cut
problem.
[0057] The differences between the problem as defined according to
embodiments of the present invention and the one described in [4]
are three-fold. First, according to embodiments of the present
invention, a Maximum Cut problem is solved, whereas reference [4]
solves a Minimum Cut problem. Second, according to embodiments of
the present invention, searching for balanced partitions is not
performed, whereas [4] uses the Kernighan-Lin algorithm, which
finds balanced partitions.
[0058] Third, the graph according to embodiments of the invention
may have negative edge weights, whereas [4] assumes positive edge
weights. Here, it is noted that the general Minimum Cut problem on
graphs with positive edge weights is polynomially solvable, whereas
the Maximum Cut problem is NP-hard on graphs with positive edge
weights and on graphs with both positive and negative edge weights,
see reference [5].
[0059] In the following, three optimization techniques are shown
that can be applied to find an optimal or close-to-optimal solution
for the above minimization problem. The first optimization
technique is based on integer linear programming (ILP). Here, a
binary decision variable
$x_{ik} \in \{0,1\}$ for $i \in \{1 \ldots N\}, k \in \{1 \ldots M\}$
is introduced, which represents whether pattern i is assigned to
subset $S_k$ ($x_{ik}=1$) or not ($x_{ik}=0$).
[0060] Therefore, the objective function is formally defined as
follows:
$$\min E_{dist} = \sum_{k=1}^{M} \sum_{i=2}^{N} \sum_{j=1}^{i-1} (x_{ik} x_{jk})\, m_{ij} \qquad (4)$$
[0061] Further, the objective function is linearized using an
additional decision variable
$y_{ijk} \in \{0,1\}$ for $i,j \in \{1 \ldots N\}, k \in \{1 \ldots M\}$:
$$\min E_{dist} = \sum_{k=1}^{M} \sum_{i=2}^{N} \sum_{j=1}^{i-1} y_{ijk}\, m_{ij} \qquad (5)$$
[0062] Furthermore,
$y_{ijk} = (x_{ik} x_{jk})$
is computed by including the following constraints in the form
$$y_{ijk} \le x_{ik} \qquad (6)$$
$$y_{ijk} \le x_{jk} \qquad (7)$$
$$y_{ijk} \ge x_{ik} + x_{jk} - 1 \qquad (8)$$
[0063] In addition, it is ensured that each pattern is mapped to
exactly one subset $S_k$ by imposing the following:
$$\sum_{k=1}^{M} x_{ik} = 1, \quad i \in \{1 \ldots N\} \qquad (9)$$
[0064] As a result, the integer linear program (ILP) formulation
requires $O(N^2 M)$ binary decision variables and $O(N^2 M)$
linear constraints in total.
[0065] A second optimization technique is based on a poles heuristic.
Here, when distributing for M DFAs, the heuristic first selects the
set P of patterns, the poles. The first two poles are the patterns
i and j with the largest value $m_{i,j}$. It keeps adding patterns
i so that
$$\arg\max_{i} \sum_{j \in P} m_{i,j} \qquad (10)$$
until P contains M patterns. M sets $S_k$ are initialized so that
each contains one of the poles. The remaining patterns are
distributed one after another by adding patterns i to $S_k$ so
that
$$\arg\max_{k} \sum_{j \in S_k} m_{i,j} \qquad (11)$$
[0066] A multi-pass variation of this scheme can yield slightly
improved results: after the initial distribution, a loop over
all patterns i finds k according to above equation (11) for each
pattern. If pattern i is currently in set $S_l$ ($l \neq k$), it
is removed from $S_l$ and added to $S_k$. This loop is repeated
until there are no changes during an entire loop. The poles
heuristic is very fast and considers the pair-wise distances
$m_{i,j}$.
[0067] A further optimization technique is simulated annealing and
is shown for example in S. Kirkpatrick, C. D. Gelatt, and M. P.
Vecchi, "Optimization by simulated annealing", Science, vol. 200,
pp. 671-680, 1983, referenced as [6].
[0068] Further, FIG. 5 shows a second embodiment of essential
method steps for distributing patterns to scanning engines for
scanning patterns in a packet stream. The second embodiment of the
method according to FIG. 5 has the following method steps T1 to
T8:
Method Step T1:
[0069] A number C of constraints is defined. The respective
constraint is adapted to constrain the mapping of the N patterns to
the M scanning engines.
[0070] The constraints may include at least one first mapping
condition, the respective first mapping condition requiring that a
defined subset of N patterns is to be compiled onto one common
scanning engine.
[0071] Further, the constraints may include at least one second
mapping condition, the respective second mapping condition
requiring that a defined subset of the N patterns is to be compiled
onto different scanning engines.
[0072] Furthermore, the constraints may include at least one third
mapping condition, the respective third mapping condition requiring
that at least two defined patterns shall have a respective defined
distance when compiled onto one common scanning engine.
[0073] In addition, the constraints may include at least one fourth
mapping condition, the respective fourth mapping condition
requiring that at least two defined patterns shall have a
respective defined distance when compiled onto different scanning
engines.
[0074] The constraints may be defined or set by a user.
[0075] For example, the user can define groups of the form:
[0076] group 0=engines 0, 1, 2, 3
[0077] group 1=engines 4, 5, 6, 7
[0078] The user can further define constraints of the form:
[0079] pattern i and j have to be mapped to the same engine
[0080] pattern i and j have to be mapped to different engines
[0081] pattern i and j have to be mapped to the same group of engines
[0082] pattern i and j have to be mapped to different groups of engines
Method Step T2:
[0083] A plurality M of scanning engines is provided.
Method Step T3:
[0084] A plurality N of patterns is provided, each pattern having a
respective definite memory consumption when compiled onto a
scanning engine. Preferably, the N patterns are provided in
dependence on the C constraints as defined in accordance with
method step T1.
Method Step T4:
[0085] A respective distance metric is calculated for every pair of
patterns, the respective distance metric representing the
difference in memory consumption of the two patterns of the pair
when compiled between mutual compilation onto a single scanning
engine and separate compilation onto two scanning engines.
Method Step T5:
[0086] Incompatible patterns within the plurality N of provided
patterns are identified.
[0087] Preferably, a pattern is identified as an incompatible
pattern if it has a respective memory consumption higher than a
defined memory consumption threshold when compiled onto one
scanning engine solely.
[0088] Here, in particular, a powerset algorithm may be used, which
is used to generate the DFA representation of the respective
pattern. The powerset algorithm generates an NFA in an intermediate
step. Then, a ratio q=a(i)/anfa(i) is calculated, where anfa(i) is
the memory consumption of the NFA representation of the pattern i
and a(i) is the memory consumption of the DFA representation of the
pattern i. If q is above a certain user defined threshold, the
pattern i is added to the list of incompatible patterns. A typical
threshold may be ten.
[0089] Furthermore, a pattern may be identified as an incompatible
pattern if it results in respective memory consumption higher than
a defined memory consumption threshold when compiled onto one
scanning engine together with others of the N patterns.
[0090] This identifying may include the following substeps:
[0091] calculating a sum value for the respective pattern by
accumulating all distance metrics of the respective patterns to all
other N-1 patterns;
[0092] calculating an average mean value of the calculated sum
values;
[0093] calculating a standard deviation value of the calculated sum
values;
[0094] identifying a respective pattern as an incompatible pattern,
if the calculated respective sum value is greater than a sum of the
calculated average mean value and the calculated standard deviation
value.
[0095] Based on the identifying of incompatible patterns, a list of
incompatible patterns may be generated. Furthermore, the provided N
patterns may be automatically re-configured in dependence on the
generated list of incompatible patterns.
[0096] The generated list of incompatible patterns may be provided
to a user together with configuration means, wherein the user can
re-configure the provided N patterns by means of the configuration
means and in dependence on the generated list of incompatible
patterns.
Method Step T7:
[0097] For each of the D distribution functions, a respective sum
of the calculated distance metrics is calculated. The respective
sum estimates the memory consumption for compiling the N patterns
to the M scanning engines by pair-wise accumulating the distance
metrics of every pair of patterns being mapped to the same scanning
engine in accordance with the respective distribution function.
Thus, the respective sum includes only the distance metrics of
those pairs of patterns that share a common scanning engine
according to the respective distribution function.
Method Step T8:
[0098] First, the distribution functions of the D distribution
functions are extracted that fulfil the C constraints to provide a
number E of extracted distribution functions.
[0099] Second, the distribution function is selected from the E
extracted distribution functions having the minimal calculated sum
for distributing N patterns to the M scanning engines.
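Steps T5, T7 and T8 can be sketched as follows. This is an added example, not code from the application; the matrix m, the engine grouping, the constraints, the exhaustive candidate set and the choice of the population standard deviation are assumptions of the example.

```python
from itertools import product
from statistics import mean, pstdev

# Constructed sample data (not from the application): symmetric distance
# metrics m[i][j] for N = 5 patterns. Pattern 4 combines badly with all others.
m = [
    [0,  2,  1,  3,  40],
    [2,  0,  2,  1,  35],
    [1,  2,  0,  2,  50],
    [3,  1,  2,  0,  45],
    [40, 35, 50, 45, 0],
]
M = 4                                   # scanning engines 0..3
GROUP = {0: 0, 1: 0, 2: 1, 3: 1}        # assumed grouping: engine -> group

# Constructed user constraints in the four forms listed under step T1.
CONSTRAINTS = [
    ("same_engine", 0, 1),
    ("diff_engine", 2, 3),
    ("same_group", 2, 3),
    ("diff_group", 0, 4),
]

def incompatible_patterns(m):
    """Step T5: flag pattern i if its summed distance to the other N-1
    patterns exceeds the mean plus the standard deviation of all sums."""
    sums = [sum(row[j] for j in range(len(m)) if j != i)
            for i, row in enumerate(m)]
    # Assumption: population standard deviation; the text does not say which.
    threshold = mean(sums) + pstdev(sums)
    return [i for i, s in enumerate(sums) if s > threshold]

def e_dist(f, m):
    """Step T7: sum m[i][j] over the pairs that f maps to the same engine."""
    return sum(m[i][j]
               for i in range(1, len(f))
               for j in range(i)
               if f[i] == f[j])

def satisfies(f, constraints, group):
    """Step T8, first part: test one distribution function against C."""
    checks = {
        "same_engine": lambda a, b: f[a] == f[b],
        "diff_engine": lambda a, b: f[a] != f[b],
        "same_group": lambda a, b: group[f[a]] == group[f[b]],
        "diff_group": lambda a, b: group[f[a]] != group[f[b]],
    }
    return all(checks[kind](a, b) for kind, a, b in constraints)

def select_distribution(m, engines, constraints, group):
    """Steps T7 and T8 over an exhaustive candidate set, D = M**N.
    Enumerating every mapping is an assumption that only works for tiny N."""
    candidates = product(range(engines), repeat=len(m))
    extracted = [f for f in candidates if satisfies(f, constraints, group)]
    if not extracted:
        raise ValueError("no distribution function fulfils the constraints")
    best = min(extracted, key=lambda f: e_dist(f, m))
    return best, e_dist(best, m), len(extracted)

if __name__ == "__main__":
    print("incompatible patterns:", incompatible_patterns(m))
    print("(f, sum, E):", select_distribution(m, M, CONSTRAINTS, GROUP))
```

On this data the constraints raise the minimal sum from 1 to 5, because patterns 0, 1 and 2 end up sharing an engine.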
[0100] FIG. 6 shows an embodiment of a device 10 for distributing
patterns i, j to scanning engines 21-24 for scanning packets in a
packet stream.
[0101] The device 10 includes a plurality M of scanning engines
21-24, first means 30, second means 40, third means 50, fourth
means 60, fifth means 70 and a compiler 80.
[0102] The first means 30 are adapted to provide a plurality N of
patterns i, j, each pattern i, j having a respective definite
memory consumption when compiled onto a scanning engine 21-24.
Without loss of generality, FIG. 6 shows only the two variables i,
j to indicate the N patterns. In a real system, the number N of
patterns may be several hundreds to several thousands.
[0103] Further, the second means 40 are adapted to calculate a
respective distance metric $m_{i,j}$ for every pair of patterns i,
j, the respective distance metric $m_{i,j}$ representing the
difference in memory consumption of the two patterns i, j of the
pair when compiled between mutual compilation onto a single
scanning engine 21, for example, and separate compilation onto two
scanning engines 21, 22, for example.
[0104] Furthermore, the third means 50 are adapted to provide a
plurality D of distribution functions $f_1$-$f_D$, the
respective distribution function $f_1$-$f_D$ mapping the N
patterns i, j to the M scanning engines 21-24.
[0105] In addition, the fourth means 60 are adapted to calculate a
respective sum of the calculated distance metrics $m_{i,j}$ for
distributing the N patterns i, j for each of the D distribution
functions $f_1$-$f_D$. The respective sum estimates the memory
consumption for compiling the N patterns i, j to the M scanning
engines 21-24 by accumulating the distance metrics $m_{i,j}$ for
every pair of patterns i, j being mapped to the same scanning
engine 21, 22, 23 or 24 for the respective distribution function
$f_1$-$f_D$. These sums may be represented by the above energy
function $E_{dist}$ of equation (1).
[0106] The fifth means 70 are adapted to select the distribution
function f of the D distribution functions $f_1$-$f_D$ having
the minimal calculated sum for distributing the N patterns i, j to
the M scanning engines 21-24.
[0107] Further, FIG. 7 shows an embodiment of a pattern-scanning
engine 100 for scanning packets in a packet stream.
[0108] The pattern-scanning engine 100 has a plurality M of
scanning engines 21-24 embodied as DFAs. Without loss of
generality, M=4 for FIG. 7. The four DFAs 21-24 may be implemented
using the BaRT-based Finite State Machine technology (B-FSM)
presented in [7].
[0109] The respective B-FSM 21-24 has a classifier 101, a state
register 102, a rule selector 103 and a transition rule memory 104.
The respective B-FSM, such as B-FSM 21, is adapted to receive an
input stream IS and to provide a stream of match result MR. In this
regard, the first B-FSM 21 outputs the match-result stream MR 21,
for example.
[0110] Each DFA 21-24 is adapted to be responsible for detecting a
disjoint subset of the N patterns in the provided input stream IS.
Although a number of DFAs larger than four may provide more freedom
for the distribution algorithm to optimize the storage
efficiency, it will also increase the overall pattern-scanning
engine state, as the latter is the combination of all DFA states.
The size of the pattern-scanning engine state is important when
multiple input streams IS are processed in an interleaved fashion,
because it has to be stored and retrieved when switching between
streams. For this reason, the focus is preferably on
implementations with relatively few DFAs, particularly between four
and eight, four in the example of FIG. 7.
[0111] The respective B-FSM 21-24 embodies the respective DFA for a
programmable DFA implementation in hardware, in which the
"operation" of the DFA may be programmed using a special data
structure stored in a memory, such as SRAM or DRAM. The B-FSM data
structure may be constructed from so-called transition rules, which
may be organized in multiple linked hash tables.
[0112] A transition rule provides a flexible definition of a state
transition by supporting various input conditions, such as
wildcards, case sensitivity, and negated conditions. It also
efficiently supports character classes by allowing a transition
rule to test either the current input value or the corresponding
class information generated by the classifier component, which
classifies each input value into typically 16 or 32 so-called
programmable base classes. The B-FSM applies a special hash
function to select the applicable transition rule for any given
state and input combination by evaluating all conditions of all
rules in parallel. The hash function enables high processing rates.
Synthesis results in 45-nm CMOS technology show that beyond 2 GHz a
transition per cycle is possible. This allows scan rates of around
16 to 20 Gbps per input stream. Moreover, the hash function has
storage requirements that grow approximately linearly with the
number of state transitions, and thus achieves one of the most
storage-efficient data structures in the industry, as reported in
[7].
[0113] The B-FSM data structure may be generated in two steps.
First, the so-called pattern compiler performs the grouping of the
patterns, followed by the compilation of each pattern group into a
separate state-diagram description based on the transition rules
mentioned above. This compilation is partially based on the
power-set algorithm [8]. In the second step, the B-FSM compiler
will map these state-diagram descriptions onto the hash tables that
make up the B-FSM data structure.
[0114] The utilizing step can include selecting the distribution
function of the D distribution functions having the minimal
calculated sum for distributing the N patterns to the M scanning
engines; and/or pre-selecting a group of distribution functions of
the D distribution functions, preferably a group having the lowest
calculated sums. Such a group may establish a possible candidate
list for a final selection of a distribution function.
[0115] The utilizing step can further include selecting one of the
distribution functions of the group of pre-selected distribution
functions for distributing the N patterns to the M scanning
engines. The latter selection may be based on one or more further
selection criteria, e.g. the real memory consumption after
compilation or the respective cache performance. This establishes a
final or second selection step from the pre-selected distribution
functions.
[0116] Furthermore, the N patterns may be compiled onto the M
scanning engines in a way that a total memory requirement for the M
scanning engines may be minimized.
[0117] This minimization of the total memory requirement has
advantageous effects, because the storage or memory efficiency of
the compiled patterns is an important factor in the overall
performance and depends on the distribution of the patterns across
a limited number (here M) of parallel pattern-matching engines or
scanning engines.
[0118] Because the distribution of N patterns to M scanning engines
may be not computationally feasible for a large N, embodiments of
the present invention provide heuristic solution techniques.
[0119] In one embodiment of the method of the present invention,
the method includes a step of identifying incompatible patterns
within the plurality N of provided patterns.
[0120] In a further embodiment, a pattern is identified as an
incompatible pattern if it has respective memory consumption higher
than a defined memory consumption threshold when compiled onto one
scanning engine solely.
[0121] In a further embodiment, a pattern is identified as an
incompatible pattern if it results in respective memory consumption
higher than a defined memory consumption threshold when compiled
onto one scanning engine together with others of the N
patterns.
[0122] In a further embodiment, the step of identifying a pattern
as an incompatible pattern includes:
[0123] calculating a sum value for the respective pattern by
accumulating all distance metrics of the respective patterns to all
other N-1 patterns;
[0124] calculating an average mean value of the calculated sum
values;
[0125] calculating a standard deviation value of the calculated sum
values; and
[0126] identifying a respective pattern as an incompatible pattern,
if the calculated respective sum value is greater than a sum of the
calculated average mean value and the calculated standard deviation
value.
[0127] In a further embodiment, a pre-processing of a pattern for
providing a pre-processed pattern is triggered by identifying the
pattern as an incompatible pattern.
[0128] In a further embodiment, the pre-processing of the pattern
includes rewriting the pattern as a semantically equivalent
pattern.
[0129] In a further embodiment, the pre-processing of the pattern
includes rewriting the respective pattern as a plurality of
patterns, which together are semantically equivalent to the
respective pattern.
[0130] In a further embodiment, a list of incompatible patterns is
generated from the identified incompatible patterns wherein the
provided N patterns are automatically re-configured in dependence
on the generated list of incompatible patterns.
[0131] In a further embodiment, a list of incompatible patterns is
generated from the identified incompatible patterns, wherein the
generated list of incompatible patterns and configuration means are
provided to a user, wherein the user can re-configure the provided
N patterns by means of the configuration means and in dependence on
the generated list of incompatible patterns.
[0132] In a further embodiment, a number C of constraints may be
defined, the respective constraint constraining the mapping of the
N patterns to the M scanning engines.
[0133] In a further embodiment, the C constraints may include the
following constraints:
[0134] at least one first mapping condition, the respective first
mapping condition requiring that a defined subset of the N patterns
is to be compiled onto one common scanning engine;
[0135] at least one second mapping condition, the respective second
mapping condition requiring that a defined subset of the N patterns
is to be compiled onto different scanning engines;
[0136] at least one third mapping condition, the respective third
mapping condition requiring that at least two defined patterns of
the N patterns are to be compiled onto one common group of scanning
engines; and/or at least one fourth mapping condition, the
respective fourth mapping condition requiring that at least two
defined patterns of the N patterns are to be compiled onto
different groups of scanning engines.
[0137] In a further embodiment, the method step a) includes
providing the N patterns in dependence on the C constraints.
[0138] In a further embodiment, the method includes:
[0139] extracting the distribution functions of the D distribution
functions that fulfil the C constraints to provide a number E of
extracted distribution functions; and
[0140] selecting the distribution function of the E extracted
distribution functions having the minimal calculated sum for
distributing the N patterns to the M scanning engines.
[0141] In a further embodiment, the method includes:
[0142] distributing N patterns to M scanning engines according to
the above described method for distributing patterns to scanning
engines for scanning packets in a packet stream;
[0143] compiling the distributed N patterns onto the M scanning
engines;
[0144] providing a packet stream; and
[0145] scanning the packets of the provided packet stream by means
of the M scanning engines.
[0146] In a further embodiment, a packet-scanning engine for
scanning packets in a packet stream includes:
[0147] M scanning engines;
[0148] an above described device for distributing patterns to
scanning engines; and
[0149] a compiler for compiling the distributed N patterns onto the
M scanning engines wherein the M scanning engines are adapted to
scan the packets of the provided packet stream according to the
distribution of the N patterns, respectively.
[0150] All above mentioned embodiments of the method of the present
invention may be embodied by respective means to be a respective
embodiment of the device for distributing patterns to scanning
engines for scanning packets in a packet stream of above mentioned
second aspect of the invention.
[0151] What has been described herein is merely illustrative of the
application of the principles of the present invention. Other
arrangements and systems may be implemented by those skilled in the
art without departing from the scope and spirit of this
invention.
[0152] Although the above description has been made of the
preferred embodiments, those skilled in the art should appreciate
that the above system, device and method may be implemented by
using a computer executable instruction and/or by being included in
a processor control code. For example, such code is provided on a
magnetic diskette, carrier medium of CD or DVD-ROM, a programmable
memory such as read-only memory (firmware) or data carrier such as
an optical or electronic signal carrier.
[0153] The device, the server and units thereof according to the
present embodiments may be implemented by a Super-Large Scale
Integration or a gate array, a semiconductor such as logic chip and
transistor, or hardware circuitry of a programmable hardware device
such as field-programmable gate array or a programmable logic
device and may also be implemented by combination of the above
hardware circuitry and software.
[0154] Although the device and method of the present invention have
been described in detail with reference to the preferred
embodiments, the present invention is not limited hereto. Those
skilled in the art can make various alterations, replacements and
modifications to the present invention without departing from the
spirit and scope of the present invention under the teaching of the
present description. It should be understood that all such
alterations, replacements and modifications still fall within the
scope of protection of the present invention.
[0155] The respective means may be implemented in hardware or in
software. If the means are implemented in hardware, it may be
embodied as a device, such as, a computer, or as a processor, or as
a part of a system such as a computer-system. If the means are
implemented in software, it may be embodied as a computer program
product, as a function, as a routine, as a program code or as an
executable object.
REFERENCE SIGN LIST
[0156] $E_{dist}$ energy function
[0157] f selected distribution function
[0158] $f_1$-$f_D$ distribution function
[0159] i, j pattern
[0160] $m_{i,j}$ distance metric between the patterns i and j
[0161] 10 device for distributing patterns
[0162] 21-24 scanning engines
[0163] 30 first means
[0164] 40 second means
[0165] 50 third means
[0166] 60 fourth means
[0167] 70 fifth means
[0168] 80 compiler
[0169] 100 pattern-scanning engine
[0170] 101 classifier
[0171] 102 state register
[0172] 103 rule selector
[0173] 104 transition rule memory
References