CONIX Publication

Toward a 100 Gbps Deep Packet Inspection Engine on FPGA SmartNIC

Authors: Zhipeng Zhao, Nirav Atre, Vyas Sekar, James Hoe

Abstract:

Deep Packet Inspection (DPI) improves network performance and security by examining packet payloads to inform network management decisions. However, due to the intensive compute associated with deep inspection, it has become more and more expensive for CPU-based solutions to keep up with the ever-increasing network line-rate. FPGAs are a promising candidate for improving DPI performance without sacrificing the benefits of flexibility. In this work, we present a multi-string pattern matching engine for DPI that runs on an FPGA SmartNIC at 100 Gbps line-rate. Many prior FPGA-based works use a traditional, finite automaton-based approach. Unfortunately, these result in high memory usage and are thus less-than-ideal for deployment on FPGAs. Inspired by the recent successes of the CPU-centric Hyperscan string matching algorithm, we devise a more memory-efficient hashtable-based approach and add an additional Shift-OR filter to reduce the false positive rate. Furthermore, unlike a CPU-centric implementation, FPGAs enable us to fully leverage the potential of parallelism in the hashtable-based approach. By enabling parallel hashtable lookups, wide bit-vector operations, and deep pipelining, our design can achieve 100 Gbps on a rule-set with about 6K string patterns, representing roughly 6-72X speedup over a CPU running the same algorithm. The evaluation results also show modest resource usage and near-linear speedup as we increase the bit-vector width, making the design amenable to scale to higher line-rates.

Release Date: 09/01/2019