Skip to content

Use Cases / Regex Accelerator

Regex
Accelerator.

A hardware regular-expression matching engine for line-rate packet inspection. Delivered with verification collateral and source lineage.

FPGA implementation · AWS F2 See verification evidence →

NFA capacity

256K states

cond· runtime-programmable tables, no resynthesis

Rule capacity

8,192 rules

cond· with 512 character-class tables

Operation

250 MHz

cond· AWS F2 · Virtex UltraScale+ VU47P

Throughput

9.5 Gbps

cond· measured, RTL simulation · 7.4 Gbps dense

Overview

Line-rate pattern matching, in hardware.

The Regex Accelerator executes regular expressions as a hardware NFA whose transition tables are programmed at runtime - rule sets are compiled to tables and loaded without touching the bitstream. It targets deep packet inspection, intrusion detection, and content-filtering workloads where software matching cannot keep pace with the link.

It ships as parameterizable SystemVerilog with a complete verification package, the same release discipline applied to every VoskenAI artifact.

Features

  • Runtime-programmable

    patterns load into transition tables at runtime - no resynthesis

  • Large capacity

    up to 256K NFA states, 8,192 rules, 512 character classes

  • AWS F2 native

    AXI4-512 ingress, AXI4-Lite control, 250 MHz single clock domain

  • Backpressure

    ready/valid streaming, no drops

  • Match reporting

    rule-id tagged match events via match ring, interrupt threshold

  • Verification discipline

    SVA formal properties (SymbiYosys), Verilator lint, coverage

Use Cases

Where line-rate matching earns its silicon.

Intrusion detection & prevention

thousands of signature rules · feeds update daily

Signature sets compile to transition tables and load at runtime over the control interface - rule updates ship on the feed’s schedule, not the bitstream’s.

Deep packet inspection

SmartNIC / cloud boundary · 512-bit ingress

Payload scanning at the host boundary on the AXI4-512 data path, with backpressure-safe streaming so inspection never silently drops traffic.

Content filtering & DLP

policy regexes over live streams

Matches arrive as rule-id-tagged events in a host-memory ring - policy engines act on structured events instead of re-scanning payloads in software.

Log & telemetry scanning

batch streams · threshold alerting

High-volume log streams scan at line rate; the match-threshold interrupt flags hot patterns without the host polling for them.

Verification Status

Brought up end-to-end, in simulation.

Two independent test environments run against the AWS shell integration. A cocotb bring-up ladder takes the device from register connectivity to end-to-end match-ring drain, and a UVM environment - scoreboards, covergroups, 14 SVA bind modules - passes in full with an ARM AXI protocol checker bound to the bus as a hard gate.

66 / 66

UVM regression

ARM Axi4PC bound as hard gate

61 / 61

cocotb bring-up

registers to ring drain, end-to-end

0 / 0

lint errors · waivers

Verilator, all 39 modules

31 / 31

coherence validators

pipeline stages in agreement

// 74 of 75 requirements traced to passing tests, the one gap documented. measured throughput: 9.5 Gbps sparse, 7.4 Gbps dense - cocotb/Verilator RTL simulation at the 250 MHz model. silicon numbers follow post-route.

Architecture

Five subsystems, 39 blocks, one clock.

A single 250 MHz clock domain, no CDC. Every block was generated, specified, and verified individually in one Vosken Fabric run - and is traceable back to it.

Control

8 blocks

AXI4-Lite CSRs, table-load window, IRQ & error aggregation, perf counters

Ingress

5 blocks

AXI4-512 slave, sync FIFO, mode steering into the engine

Tables

7 blocks

banked URAM transition memory, character-class & rule-meta BRAM

Execution

6 blocks

byte lanes, active-state vector, accept collection

Match

7 blocks

match ring writer, threshold interrupt, event packing, counters

Interfaces

AWS F2 Shell native, no surprises.

interfaceprotocolrole
OCL AXI4-Lite control & status registers, runtime table loading
PCIS AXI4 slave · 512-bit ingress data path, host to engine
PCIM AXI4 master match ring written to host memory
usr_irq user interrupt match threshold notification
axi_clk / rst_n 250 MHz single clock domain, no CDC

What you receive

The full release package, verified and signed.

RTL, verification collateral, coverage and formal results, benchmark reports with conditions, source lineage, and a signed, reproducible package.

License this IP Inspect the evidence