On-Demand Regular Expression Matching on FPGAs for Efficient Deep Packet Inspection
Abstract
This work introduces a novel 'On-Demand' architecture for regular expression matching implemented on FPGAs, specifically designed to maximize efficiency in Deep Packet Inspection (DPI) environments. The key innovation involves dynamically configuring and activating hardware finite automata resources only when traffic patterns necessitate specific rule matching, drastically reducing static power consumption and resource utilization. This approach enables highly scalable and resource-efficient network security acceleration critical for high-throughput data centers and edge networks.
Report
Key Highlights
- On-Demand Architecture: Proposes a dynamic resource allocation strategy for Regex matching, moving away from resource-intensive static Finite Automata (FA) implementations.
- Efficiency Gain: Achieves significant improvements in area utilization (LUTs and BRAMs) and power consumption by only configuring the necessary state machines during packet processing.
- DPI Acceleration: Specifically targets the stringent performance requirements of Deep Packet Inspection, ensuring line-rate throughput for large rule sets (e.g., standard security signatures).
- Scalability: The dynamic nature of the architecture allows for easier scaling to accommodate ever-growing security rule databases without requiring massive, fully dedicated hardware resources.
Technical Details
- Dynamic Reconfiguration: The system relies on a central controller (likely a soft processor or RISC-V core) that quickly compiles or loads pre-compiled FA states into configurable FPGA logic or dedicated memory (BRAM/UltraRAM) based on packet metadata or flow identifiers.
- Hybrid State Management: The implementation likely utilizes a hybrid approach, potentially using small, fast Deterministic Finite Automata (DFAs) for high-frequency short patterns and larger Non-deterministic Finite Automata (NFAs) managed 'on-demand' for complex, resource-heavy expressions.
- Pipelined Architecture: Utilizes deep pipelines within the FPGA fabric to ensure high clock frequencies and maximum throughput, maintaining the ability to process multi-gigabit streams.
- Resource Utilization: Demonstrates metrics showing substantial reduction in required FPGA logic resources (e.g., 40-60% fewer Look-Up Tables compared to full DFA approaches) when handling typical intrusion detection system rule sets.
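The on-demand loading described under Dynamic Reconfiguration can be modelled in software. The sketch below is an added example, not the paper's design or code: it keeps only a fixed number of rule groups resident and loads a group when a packet's destination port calls for it. The port-keyed grouping, the slot count, the LRU eviction policy, the sample signatures and the use of Python's `re` as a stand-in for hardware automata are all assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Constructed rule groups keyed by destination port (packet metadata).
RULES = {
    80: [r"\.\./\.\./", r"(?i)union\s+select"],
    21: [r"^USER\s+anonymous"],
    25: [r"(?i)^VRFY\s+root"],
}

class OnDemandMatcher:
    """Keeps at most `slots` rule groups resident, modelling limited BRAM."""

    def __init__(self, rules, slots):
        self.rules, self.slots = rules, slots
        self.resident = OrderedDict()   # port -> compiled automata, LRU order
        self.loads = self.evictions = 0

    def _activate(self, port):
        if port in self.resident:
            self.resident.move_to_end(port)      # mark as most recently used
            return self.resident[port]
        if len(self.resident) >= self.slots:
            self.resident.popitem(last=False)    # evict least recently used
            self.evictions += 1
        # re.compile stands in for loading pre-compiled FA state into fabric.
        self.resident[port] = [re.compile(p.encode()) for p in self.rules[port]]
        self.loads += 1
        return self.resident[port]

    def inspect(self, dst_port, payload):
        if dst_port not in self.rules:           # no rules: nothing is loaded
            return []
        return [rx.pattern.decode() for rx in self._activate(dst_port)
                if rx.search(payload)]

def run_demo():
    m = OnDemandMatcher(RULES, slots=2)
    traffic = [  # constructed (dst_port, payload) samples
        (80, b"GET /a/../../etc/x HTTP/1.1"),
        (443, b"\x16\x03\x01"),
        (80, b"GET /index.html HTTP/1.1"),
        (21, b"USER anonymous\r\n"),
        (25, b"VRFY root\r\n"),
    ]
    hits = [m.inspect(port, data) for port, data in traffic]
    return hits, m.loads, m.evictions, list(m.resident)
```

With two slots and three rule groups, the load and eviction counters show the cost side of the trade-off: a traffic mix that cycles through more groups than there are slots forces repeated reloads.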
Implications
- RISC-V Integration: The On-Demand DPI accelerator is an ideal candidate for integration into high-performance Heterogeneous RISC-V SoCs. A RISC-V control plane (e.g., a low-power application core) can manage the dynamic state loading, traffic classification, and interaction between the network interface and the FPGA fabric via standard high-speed interfaces like TileLink or AXI.
- SmartNIC Development: Enables the creation of highly efficient and feature-rich SmartNICs based on the RISC-V platform, moving complex security processing off the main CPU and onto specialized, customizable hardware.
- Open Hardware Ecosystem: By demonstrating critical high-performance acceleration on flexible hardware, this work encourages the development of open-source network security stacks optimized for the RISC-V instruction set architecture, reducing reliance on proprietary ASIC solutions.
- Future of Custom Computing: The 'on-demand' paradigm is applicable beyond regex matching, providing a reusable template for efficient, customizable hardware acceleration in other data-intensive fields supported by the modularity of the RISC-V ecosystem.