Hardware-accelerated regular expression matching at multiple tens of Gb/s

Hardware acceleration of regular expression matching is key to meeting the throughput requirements of state-of-the-art network intrusion detection systems (NIDSs) dictated by fast growing link speeds. This paper presents extensions to a programmable state machine, called B-FSM, which was initially optimized for string matching. These extensions enable direct support in hardware for essential regular expression features, such as character classes and case insensitivity. Moreover, they also allow the exploitation of regular expression properties that show up at the data structure level as common transitions shared between multiple states, resulting in storage reductions of up to 95% for five NIDS pattern sets analyzed. Additional instruction support based on a flexible integration within the B-FSM data structure increases the processing capabilities and enables the scaling to larger pattern collections. The new IBM Power Edge of Network^TM processor employs the B-FSM technology to provide scanning capabilities at typical rates of 20-40 Gb/s.