Eceb: Enhanced constraint repetition block for regular expression matching on FPGA

Recent Network Intrusion Detection Systems (NIDSs) utilize Perl Compatible Regular Expression to describe malicious patterns existing in the content payload of packets more and more effciently. Several techniques are introduced to optimize the performance or complete the system for full support all of PCRE features in hardware platform, but some issues have just been solved partially. Constraint Repetition is among important characteristics of PCRE but its effective hardware-based implementation solutions are still limited. This paper describes an Enhanced Constraint rEpetition Block (ECEB) for regular expression matching engine in FPGA. To support more PCRE features, we improve our implementation to handle flag 'm' modifier. We also implement the block memory (BRAM) based character matching which saves a lot of LUTs and effectively improves overall system's throughput com-pared to related techniques. A software tool-chain for autogenerating PCRE matching system is also introduced. We do experiments on lowcost XC2VP50 Xilinx Virtex II Pro chip with the rule set of SNORT, an open source NIDS, to evaluate our implementation. The results verify that our architecture can achieve throughput up to 1Gbps and save up to 90% hardware resources compared with the conventional architecture.