CN110324204B - High-speed regular expression matching engine and method implemented in FPGA (field programmable Gate array) - Google Patents

Abstract

The invention discloses a high-speed regular expression matching engine and a high-speed regular expression matching method implemented in an FPGA (field programmable gate array). The matching engine comprises a DFA (distributed feed back) table item distribution module, a data packet preprocessing module, an FIFO (first in first out) module, a parallel matching module, a memory module and a controller, wherein the DFA table item distribution module is positioned on a software layer, and the data packet preprocessing module, the FIFO module, the parallel matching module, the memory module and the controller are positioned on a hardware layer. The method comprises the following steps: the matching process of the whole data packet is divided into a parallel matching part and a serial matching part, so that a serial-parallel combined matching mode is formed: parallel matching is adopted for most field positions in the data packet, and serial matching is adopted for a small part of field positions. Meanwhile, for the storage of the DFA table entry, a three-level storage structure of a register, an on-chip RAM and an off-chip DDR3 is adopted. The invention improves the matching speed of the data packet and reduces the resource consumption in the FPGA chip.

Description

High-speed regular expression matching engine and method implemented in FPGA (field programmable Gate array)

Technical Field

The invention relates to the technical field of electronic circuits, in particular to a high-speed regular expression matching engine and a method realized in an FPGA (field programmable gate array).

Background

High performance Deep Packet Inspection (DPI) systems require the use of a regular expression matching engine to perform packet inspection operations. Before deep packet inspection is performed by using a regular expression, the regular expression needs to be converted into a Deterministic Finite Automata (DFA) to generate a DFA state transition table, and then the DFA state transition table is written into a storage space inside a matching engine, and the regular expression matching engine completes the inspection process of the whole data packet by using DFA state information stored inside the regular expression matching engine.

The traditional regular expression-based data packet detection is a serial iterative matching process, and in the process, only under the condition that the current state and the current character are determined, the next hop state can be calculated, so that one hop is completed. The method has the advantages that the design of the whole matching engine has certain simplicity, the matching process of the whole data packet can be completed only by simply controlling the reading operation of the DFA table entry, but simultaneously, the method can only process one character in one time unit, and the improvement of the matching speed is limited to a certain extent. At present, researchers have proposed a multi-step DFA, and the specific implementation idea is to convert the serial matching process of a data packet into a parallel matching process, iterate the original DFA N times to generate N-step DFAs, and process N characters in parallel within one time unit. The storage consumption of the N-step DFA is N times of the original DFA, when the algorithm is realized by utilizing hardware platforms such as the FPGA and the like, the storage resource consumption brought by the algorithm can instantaneously exhaust the on-chip resource of the FPGA, and if an off-chip large-capacity memory such as a DDR is used for storing the table entry of the N-step DFA, the longer access delay of the off-chip memory limits the throughput of the whole system to a certain extent.

Disclosure of Invention

The invention aims to provide a high-speed regular expression matching engine and a method which are realized in an FPGA (field programmable gate array) and have the advantages of high data packet matching speed, low resource consumption in an FPGA chip, reliability, high efficiency and easiness in expansion.

The technical solution for realizing the invention is as follows: a high-speed regular expression matching engine realized in FPGA comprises a DFA (distributed data array) table item distribution module, a data packet preprocessing module, an FIFO (first in first out) module, a parallel matching module, a memory module and a controller, wherein the DFA table item distribution module is positioned on a software layer, and the data packet preprocessing module, the FIFO module, the parallel matching module, the memory module and the controller are positioned on a hardware layer;

the DFA table item distribution module stores different table items into different memories according to the access frequency of each table item, wherein the different table items comprise an on-chip register, an on-chip RAM and an off-chip DDR 3;

the data packet preprocessing module divides the data packets input into the system into a group of N-8 bits, wherein N is the number of the subsequent characters which can be simultaneously matched in parallel and is stored into the FIFO module;

the FIFO module is used for caching the divided data packets for the controller to read;

the parallel matching module receives a parallel matching request from the controller, and simultaneously performs parallel matching on the N characters according to state table entry information stored in the register file, the circuit is realized based on combinational logic, and the generated parallel matching result is sent to the controller for further analysis;

the memory module is used for storing DFA table items;

and the controller is used for controlling the operation of the whole matching engine.

Furthermore, the DFA table entry distribution module is located in a software layer, and DFA state table entries are sequentially written into a memory under the control of the CPU.

Furthermore, the on-chip RAM included in the FIFO module and the memory module is designed and implemented using an IP core provided in the FPGA.

A high-speed regular expression matching method realized in FPGA comprises the following steps:

step 1, reading data to be detected from FIFO, and determining the operation to be taken on the data according to the current state recorded by an internal register;

step 2, if the current state meets the requirement of parallel matching, sending the N x 8bits data to a combinational logic circuit corresponding to a parallel matching module, performing serial matching on partial characters failed in matching, finally updating an internal register, and reading the next group of data;

step 3, if the current state does not meet the parallel matching requirement, serial matching is sequentially carried out from the first character corresponding to the lowest byte of the data, whether the parallel matching requirement is met or not is judged after each serial matching, and if the parallel matching requirement is met, the rest data is sent to a parallel matching module for parallel matching; otherwise, continuing to carry out serial matching.

Further, the remaining data in step 3 is sent to a parallel matching module for parallel matching, which specifically includes:

step 3.1, extracting the information of a key state KS from the register file, wherein the key state KS has two characteristics: one is the default transition of KS, i.e., the highest in percentage is itself; another is that the default transitions of a large number of states near KS are also KS;

step 3.2, respectively sending the n parallel input characters to n parallel execution decoders for character analysis, and inquiring a KS register file according to character analysis results, namely storing all transferred corresponding addresses of KS so as to obtain n data inquiry results, wherein the n data inquiry results respectively correspond to the n characters to be matched and represent a next hop state obtained by inputting the specific character when the system is in a key state;

step 3.3, sending the n results generated in the step 3.2 to a comparator, carrying out equal comparison with the state number of KS, and splicing the n comparison results into n bits of data;

and 3.4, performing secondary matching on the n-bit matching result in the step 3.3 to generate a 64-bit parallel matching result, and sending the result to the controller for further analysis.

Compared with the prior art, the invention has the following remarkable advantages: (1) the storage positions of the DFA table items are reasonably divided according to the access frequency, so that the consumption of on-chip storage is effectively reduced; (2) in the data packet detection process, parallel matching is adopted for certain field positions, so that the throughput of the whole system is improved; (3) the designed regular expression matching engine has universality and can be used as a lightweight module to be embedded in a high-performance router or other network equipment, so that the equipment can have a basic safety protection function based on application layer filtering; (4) the DFA table items are not subjected to secondary conversion, and the parallel matching module does not generate extra storage space consumption; the whole matching engine is realized by consuming less hardware logic resources and can be instantiated for many times in the FPGA, so that the performance and the throughput can be increased by times.

Drawings

FIG. 1 is a block diagram of a circuit structure of a high-speed regular expression matching engine implemented in an FPGA according to the present invention.

FIG. 2 is a flow chart of the parallel matching module executing the parallel matching operation according to the present invention.

Detailed Description

The invention will be further explained with reference to the drawings.

With reference to fig. 1, the high-speed regular expression matching engine implemented in FPGA of the present invention includes a DFA table distribution module, a data packet preprocessing module, an FIFO module, a parallel matching module, a memory module, and a controller, wherein the DFA table distribution module is located on a software layer, and the data packet preprocessing module, the FIFO module, the parallel matching module, the memory module, and the controller are located on a hardware layer;

the DFA table item distribution module stores different table items into different memories according to the access frequency of each table item, wherein the different table items comprise an on-chip register, an on-chip RAM and an off-chip DDR 3;

the data packet preprocessing module divides the data packets input into the system into a group of N-8 bits, wherein N is the number of the subsequent characters which can be simultaneously matched in parallel and is stored into the FIFO module;

the FIFO module is used for caching the divided data packets for the controller to read;

the parallel matching module receives a parallel matching request from the controller, and simultaneously performs parallel matching on the N characters according to state table entry information stored in the register file, the circuit is realized based on combinational logic, and the generated parallel matching result is sent to the controller for further analysis;

the memory module is used for storing DFA table items;

and the controller is used for controlling the operation of the whole matching engine.

A high-speed regular expression matching method realized in FPGA comprises the following steps:

step 1, reading data to be detected from FIFO, and determining the operation to be taken on the data according to the current state recorded by an internal register;

step 2, if the current state meets the requirement of parallel matching, sending the N x 8bits data to a combinational logic circuit corresponding to a parallel matching module, performing serial matching on some partial characters failed in matching, finally updating an internal register, and reading the next group of data;

step 3, if the current state does not meet the parallel matching requirement, serial matching is sequentially carried out from the first character corresponding to the lowest byte of the data, whether the parallel matching requirement is met or not is judged after each serial matching, and if the parallel matching requirement is met, the rest data is sent to a parallel matching module for parallel matching; otherwise, continuing to carry out serial matching.

Further, the remaining data in step 3 is sent to a parallel matching module for parallel matching, which specifically includes:

the parallel matching module is implemented based on combinational logic, as shown in fig. 2, specifically as follows:

step 3.1, extracting the information of a key state KS from the register file, wherein the key state KS has two characteristics: one is the default transition of KS, i.e., the highest in percentage is itself; another is that the default transitions of a large number of states near KS are also KS;

step 3.2, respectively sending the n parallel input characters to n parallel execution decoders for character analysis, and inquiring a KS register file according to character analysis results, namely storing all transferred corresponding addresses of KS so as to obtain n data inquiry results, wherein the n data inquiry results respectively correspond to the n characters to be matched and represent a next hop state obtained by inputting the specific character when the system is in a key state;

step 3.3, sending the n results generated in step 3.2 to a comparator, and performing equal comparison with the state number of KS, wherein most transitions in KS return to the comparator, so that the execution result of each equal comparator has a high probability of 1, which means that the data query result is equal to the state number of KS; then, splicing the n comparison results into n bits of data;

step 3.4, performing secondary matching on the n-bit matching result in the step 3.3, aiming at determining whether the system can jump back to the key state again or not by reading a certain character and jumping to other states when the system is in the key state; the secondary matching enables a part of bits 0 to be corrected into bits 1, which means that when a system reads in a character corresponding to the bit, the state jumps to a certain state directly connected with KS, and then the next character is read in, namely after the next character corresponds to a high-order character adjacent to the character, the state jumps back to KS; the secondary matching effectively reduces the workload of subsequent serial matching; after the second matching, a 64-bit parallel matching result is generated and sent to the controller for further analysis.

In conclusion, the storage positions of the DFA table entries are reasonably divided according to the access frequency, so that the consumption of on-chip storage is effectively reduced; in the data packet detection process, parallel matching is adopted for certain field positions, so that the throughput of the whole system is improved; the designed regular expression matching engine has universality and can be used as a lightweight module to be embedded in a high-performance router or other network equipment, so that the equipment can have a basic safety protection function based on application layer filtering; the DFA table items are not subjected to secondary conversion, and the parallel matching module does not generate extra storage space consumption; the whole matching engine is realized by consuming less hardware logic resources and can be instantiated for many times in the FPGA, so that the performance and the throughput can be increased by times.

Claims (5)

1. A high-speed regular expression matching engine realized in FPGA is characterized by comprising a DFA (distributed design automation) table item distribution module, a data packet preprocessing module, an FIFO (first in first out) module, a parallel matching module, a memory module and a controller, wherein the DFA table item distribution module is positioned on a software layer, and the data packet preprocessing module, the FIFO module, the parallel matching module, the memory module and the controller are positioned on a hardware layer;

the DFA table item distribution module stores different table items into different memories according to the access frequency of each table item, wherein the different table items comprise an on-chip register, an on-chip RAM and an off-chip DDR 3;

the data packet preprocessing module divides the data packets input into the system into a group of N-8 bits, wherein N is the number of the subsequent characters which can be simultaneously matched in parallel and is stored into the FIFO module;

the FIFO module is used for caching the divided data packets for the controller to read;

the parallel matching module receives a parallel matching request from the controller, and simultaneously performs parallel matching on the N characters according to state table entry information stored in the register file, the circuit is realized based on combinational logic, and the generated parallel matching result is sent to the controller for further analysis;

the memory module is used for storing DFA table items;

the controller is used for controlling the operation of the whole matching engine, and specifically comprises the following steps:

reading out the data to be detected from the FIFO module, and determining the operation to be taken on the data according to the current state recorded by the internal register;

if the current state meets the requirement of parallel matching, the N x 8bits data is sent to a combinational logic circuit corresponding to a parallel matching module, serial matching is carried out on partial characters failed in matching, and finally an internal register is updated and the next group of data is read;

if the current state does not meet the parallel matching requirement, serial matching is sequentially carried out from the first character corresponding to the lowest byte of the data, whether the parallel matching requirement is met or not is judged after each serial matching, and if the parallel matching requirement is met, the rest data is sent to a parallel matching module for parallel matching; otherwise, continuing to carry out serial matching.

2. The high-speed regular expression matching engine implemented in FPGA of claim 1, wherein said DFA table entry distribution module is located in software layer, and DFA state table entries are written into memory in sequence under control of CPU.

3. The high-speed regular expression matching engine implemented in an FPGA of claim 1, wherein on-chip RAMs included in said FIFO module and said memory module are designed and implemented using an IP core built into the FPGA.

4. A high-speed regular expression matching method realized in an FPGA is characterized in that the high-speed regular expression matching engine realized in the FPGA based on any claim 1 to 3 comprises the following steps:

step 1, reading data to be detected from FIFO, and determining the operation to be taken on the data according to the current state recorded by an internal register;

step 2, if the current state meets the requirement of parallel matching, sending the N x 8bits data to a combinational logic circuit corresponding to a parallel matching module, performing serial matching on partial characters failed in matching, finally updating an internal register, and reading the next group of data;

step 3, if the current state does not meet the parallel matching requirement, serial matching is sequentially carried out from the first character corresponding to the lowest byte of the data, whether the parallel matching requirement is met or not is judged after each serial matching, and if the parallel matching requirement is met, the rest data is sent to a parallel matching module for parallel matching; otherwise, continuing to carry out serial matching.

5. The method for matching high-speed regular expressions implemented in an FPGA according to claim 4, wherein the remaining data in step 3 is sent to a parallel matching module for parallel matching, specifically as follows:

step 3.1, extracting the information of a key state KS from the register file, wherein the key state KS has two characteristics: one is the default transition of KS, i.e., the highest in percentage is itself; another is that the default transitions of a large number of states near KS are also KS;

step 3.2, respectively sending the n parallel input characters to n parallel execution decoders for character analysis, and inquiring a KS register file according to character analysis results, namely storing all transferred corresponding addresses of KS so as to obtain n data inquiry results, wherein the n data inquiry results respectively correspond to the n characters to be matched and represent a next hop state obtained by inputting the specific character when the system is in a key state;

step 3.3, sending the n results generated in the step 3.2 to a comparator, carrying out equal comparison with the state number of KS, and splicing the n comparison results into n bits of data;

and 3.4, performing secondary matching on the n-bit matching result in the step 3.3 to generate a 64-bit parallel matching result, and sending the result to the controller for further analysis.

Images