• DocumentCode
    464831
  • Title

    Hardware Architecture of a Parallel Pattern Matching Engine

  • Author

    Yadav, Meeta ; Venkatachaliah, Ashwini ; Franzon, Paul D.

  • Author_Institution
    Dept. of Electr. & Comput. Eng., North Carolina State Univ., Raleigh, NC
  • fYear
    2007
  • fDate
    27-30 May 2007
  • Firstpage
    1369
  • Lastpage
    1372
  • Abstract
    Several network security and QoS applications require detecting multiple string matches in the packet payload by comparing it against a predefined pattern set. This process of pattern matching at line speeds is a memory- and computation-intensive task. Hence, it requires dedicated hardware algorithms. This paper describes the hardware architecture of a parallel, pipelined pattern matching engine that uses a trie-based pattern matching algorithmic approach. The algorithm optimizes the pattern matching process through two key innovations: parallel pattern matching using an incoming content filter, and multiple character matching using trie pruning. The hardware implementation is capable of performing at line speeds and handling traffic rates up to OC-192. The underlying architecture allows for multiple patterns to be detected and for the system to gracefully recover from a failed partial match. The throughput of the system does not degrade with the increase in the number of patterns or the length of the patterns to be matched. The solution described outperforms most current implementations in terms of speed and memory requirement and outperforms TCAM-based solutions in terms of power consumption, area, and cost while remaining competitive in terms of throughput and update times. The complete Snort rule set (2005 release) and VoIP RFC were used to validate our performance and achieve a throughput of 12 Gbps with 6 KBytes of content filter memory and 0.3 MBytes of total memory for Snort and 0.5 KBytes of filter memory and 12 KBytes of total memory for SIP.
  • Keywords
    coprocessors; data communication; digital circuits; logic circuits; parallel processing; quality of service; string matching; telecommunication security; 0.3 MBytes; 0.5 Mbyte; 12 Gbit/s; 12 kBytes; 6 kBytes; OC-192; QoS applications; Snort rule set; VoIP RFC; hardware algorithms; multiple character matching; multiple string matches; network security; parallel pattern matching engine; parallel pipelined pattern matching engine; trie based pattern matching; trie pruning; Computer architecture; Degradation; Energy consumption; Engines; Hardware; Matched filters; Pattern matching; Payloads; Technological innovation; Throughput;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Circuits and Systems, 2007. ISCAS 2007. IEEE International Symposium on
  • Conference_Location
    New Orleans, LA
  • Print_ISBN
    1-4244-0920-9
  • Electronic_ISBN
    1-4244-0921-7
  • Type

    conf

  • DOI
    10.1109/ISCAS.2007.378482
  • Filename
    4252902