Wireless Personal Communications

, Volume 78, Issue 4, pp 1833–1847 | Cite as

mDFA: A Memory Efficient DFA-Based Pattern Matching Engine on FPGA

  • Tran Trung HieuEmail author
  • Tran Ngoc Thinh


Security applications such as network intrusion detection system (NIDS) and virus scanning engine utilize pattern matching as an essential mechanism for detecting harmful activities or malicious codes. The increase of pattern set in size and complexity as well as the high demand of scanning data volume make pattern matching task on general purpose processor more challenging. One solution for this issue is employing reconfigurable device, field programmable gate array (FPGA), to offload this time-consuming task. In this paper, we introduce a memory efficient FPGA-based pattern matching architecture. We utilized Deterministic Finite Automata (DFA) as main pattern matching algorithm and propose modifications (mDFA) to reduce redundant logic. The proposed design, with better memory utilization, is capable of dynamic update and compatible to stateful NIDSs and virus scanners. The analysis of memory efficiency and the hardware implementation of proposed architecture are also presented in this paper. We experiment our approach on contemporary NIDS pattern sets and virus signature database and build a prototype using NetFPGA 1G platform to test on real network environment. The results show that our design could save up to 90 % hardware resources as compared to traditional DFA approach and gain a throughput of 1.9 Gbps. The prototype could achieve 2.7–4.5\(\times \) speed up to software-based matching engine.


Antivirus DFA FPGA NIDS Pattern matching 



This research is funded by The Department of Science and Technology in Ho Chi Minh City under grand number 170/2013/H-D-SKHCN.


  1. 1.
    Aho, A. V., & Corasick, M. J. (1975). Efficient string matching: An aid to bibliographic search. Communications of the ACM, 18(6), 333–340.MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Baker, Z. K., & Prasanna V. K. (2005). High-throughput linked-pattern matching for intrusion detection systems. In Symposium on architecture for networking and communications systems, 2005. ANCS 2005 (pp. 193–202).Google Scholar
  3. 3.
    Boyer, R. S., & Moore, J. S. (1977). A fast string searching algorithm. Communications of the ACM, 20(10), 762–772.CrossRefzbMATHGoogle Scholar
  4. 4.
    Clam Antivirus. (2013). Open source antivirus engine.Google Scholar
  5. 5.
    Chen, H., Chen, Y., & Summerville, D. H. (2011). A survey on the application of fpgas for network infrastructure security. IEEE Communications Surveys & Tutorials, 13(4), 541–561.CrossRefGoogle Scholar
  6. 6.
    Cho, Y. H., Navab, S., & Mangione-smith, W. H. (2002). Specialized hardware for deep network packet filtering. In 12th Conference on field programmable logic and applications (pp. 452–461). Springer, Berlin.Google Scholar
  7. 7.
    Dharmapurikar, S., Krishnamurthy, P., Sproull, T., & Lockwood, J. (2003). Deep packet inspection using parallel bloom filters. In 11th Symposium on high performance interconnects, 2003. Proceedings (pp. 44–51).Google Scholar
  8. 8.
    Hieu, T. T., Thinh, T. N., & Tomiyama, S. (2013). Enrem: An efficient nfa-based regular expression matching engine on reconfigurable hardware for nids. Journal of Systems Architecture, 59(4), 202–212.CrossRefGoogle Scholar
  9. 9.
    Hutchings, B. L., Franklin, R., & Carver, D. (2002). Assisting network intrusion detection with reconfigurable hardware. In Proceedings of 10th annual IEEE symposium field-programmable custom computing machines (pp. 111–120).Google Scholar
  10. 10.
    ISCX. (2012). Unb iscx intrusion detection evaluation dataset.Google Scholar
  11. 11.
    Netfpga. (2012). Netfpga platform technical specifications.Google Scholar
  12. 12.
    Sidhu, R., & Prasanna, V. K. (2001). Fast regular expression matching using fpgas. In Proceedings 9th annual IEEE symposium field-programmable custom computing machines (pp. 227–238).Google Scholar
  13. 13.
    Snort. (2012). Intrusion detection/prevention system.Google Scholar
  14. 14.
    Sourdis, I. & Pnevmatikatos, D. (2004). Pre-decoded cams for efficient and high-speed nids pattern matching. In 12th Annual IEEE symposium on field-programmable custom computing machines, 2004. FCCM 2004 (pp. 258–267).Google Scholar
  15. 15.
    Thinh, T. N., Kittitornkun, S., & Tomiyama, S. (2009). Pamela: Pattern matching engine with limited-time update for nids/nips. IEICE Transactions on Information and Systems, E92–D(5), 1049–1061.CrossRefGoogle Scholar
  16. 16.
    Thinh, T. N., Tomiyama, S., Kittitornkun, S., & Vu, T. H. (2012). Tcp reassembly for signature-based network intrusion detection systems. In 9th International conference on electrical engineering/electronics, computer, telecommunications and information technology (ECTI-CON), 2012 (pp. 1–4).Google Scholar
  17. 17.
    Wu, S., & Manber, U. (1994). A fast algorithm for multi-pattern searching. Technical report.Google Scholar

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. 1.Faculty of Computer Science and EngineeringHo Chi Minh City’s University of TechnologyHo Chi Minh CityVietnam

Personalised recommendations