All-optical header processing in a 42.6Gb/s optoelectronic firewall by Webb, Rod P. et al.
Title All-optical header processing in a 42.6Gb/s optoelectronic firewall
Author(s) Webb, Rod P.; Dailey, James M.; Manning, Robert J.; Maxwell, Graeme
D.; Poustie, Alistair J.; Lardenois, Sébastien; Harmon, Robert; Harrison,
James; Kopidakis, Georgios; Athanasopoulos, Elias; Krithinakis,
Antonis; Doukhan, Francis; Omar, Mohamed; Vaillant, Dominique; Di
Nallo, Frédéric; Koyabe, Martin; Di Cairano-Gilfedder, Carla
Publication date 2011
Original citation Webb, R.P., Dailey, J.M., Manning, R.J., Maxwell, G.D., Poustie, A.J.,
Lardenois, S., Harmon, R., Harrison, J., Kopidakis, G., Athanasopoulos,
E., Krithinakis, A. , Doukhan F. , Omar, M., Vaillant, D., Di Nallo, F.,
Koyabe, M., Di Cairano-Gilfedde C. (2011) 'All-Optical Header
Processing in a 42.6Gb/s Optoelectronic Firewall'. Ieee Journal of
Selected Topics In Quantum Electronics, (99), pp.1-8 doi:
10.1109/JSTQE.2011.2135337
Type of publication Article (peer-reviewed)
Link to publisher's
version
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5770169&isn
umber=4481213
http://dx.doi.org/10.1109/JSTQE.2011.2135337
Access to the full text of the published version may require a
subscription.
Rights © 2011 IEEE. Personal use of this material is permitted. Permission
from IEEE must be obtained for all other uses, in any current or
future media, including reprinting/republishing this material for
advertising or promotional purposes, creating new collective works,
for resale or redistribution to servers or lists, or reuse of any
copyrighted component of this work in other works.
Item downloaded
from
http://hdl.handle.net/10468/404
Downloaded on 2017-02-12T04:42:39Z
  
 
 
 
 
 
 
 
© 2011 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in 
any current or future media, including reprinting/republishing this material for advertising or promotional purposes, 
creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component 
of this work in other works. 
 
R.P. Webb, J.M. Dailey, R.J. Manning, G.D. Maxwell, A.J. Poustie, S. Lardenois, R. Harmon, J.Harrison, G. Kopidakis, E. 
Athanasopoulos, A. Krithinakis, F. Doukhan, M. Omar, D. Vaillant, F. Di Nallo, M. Koyabe, and C. Di Cairano-Gilfedde, 
“All-Optical Header Processing in a 42.6Gb/s Optoelectronic Firewall”, Journal of Selected Topics in Quantum Electronics, 
Invited, Accepted for publication, 2011. 
 
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5770169 
 
  
  
 
Abstract—A novel architecture to enable future network 
security systems to provide effective protection in the context of 
continued traffic growth and the need to minimise energy 
consumption is proposed. It makes use of an all-optical pre-
filtering stage operating at the line rate under software control to 
distribute incoming packets to specialised electronic processors. 
An experimental system that integrates software controls and 
electronic interfaces with an all-optical pattern recognition 
system has demonstrated the key functions required by the new 
architecture. As an example, the ability to sort packets arriving 
in a 42.6Gb/s data stream according to their service type was 
shown experimentally. 
 
Index Terms— internet security, pattern matching, optical 
logic devices, integrated optics.  
I. INTRODUCTION 
ANY commercial networks, Internet exchanges and even 
portals are starting to utilise high-speed links at the wide 
area network (WAN) edge in order to accommodate the 
exponential increase (around 60% per year [1]) in traffic as 
broadband access speeds and penetration rates grow.  
Maintaining effective protection of the high speed WAN edge 
is placing correspondingly growing demands on the firewall as 
links with speeds of 40Gb/s and greater are adopted. The 
provision of effective traffic monitoring and filtering 
capability must be achieved at these very high rates without 
compromising performance. Rather, the growing 
 
Manuscript received November 12, 2010. This work was supported by the 
European Union project WISDOM and by the Science Foundation Ireland 
grant 06/IN/I969. 
R. P. Webb, J. M. Dailey and R. J. Manning are with the Tyndall National 
Institute, University College Cork, Lee Maltings, Cork, Ireland (email 
rod.webb@tyndall.ie).  
G. D. Maxwell, A. J. Poustie, S. Lardenois, R. Harmon and J. Harrison are 
with the Centre for Integrated Photonics (CIP) Ltd, B55 Adastral Park, 
Martlesham Heath, Ipswich IP5 3RE, UK. 
G. Kopidakis, E. Athanasopoulos and A. Krithinakis are with the Institute 
of Computer Science (ICS), Foundation for Research and Technology - Hellas 
(FORTH), P.O. Box 1385, GR-711 10, Heraklion, Crete, Greece and 
University of Crete. 
F. Doukhan, M. Omar, D. Vaillant and F. Di Nallo, were formerly with 
Avanex OIF SAS, 16 avenue du Quebec, 91140 Villebon sur Yvette, France. 
M. Koyabe and C. Di Cairano-Gilfedder are with British Telecom (BT), 
B62/B54 Adastral Park, Martlesham Heath, Ipswich IP5 3RE, UK. 
. 
sophistication of insidious and malicious network attacks will 
require a greater degree of design flexibility from future 
firewalls and other security monitoring systems than is 
currently available. They should, for example, be capable of 
supporting Layer 7 (application layer) deep packet inspection, 
a critical feature for eliminating some classes of unwanted 
traffic.  It is essential, therefore, to begin to consider the next 
generation of protection systems that will have to cope with 
data rates approaching 1 Tb/s while still allowing network 
operators to choose the appropriate policy controls and 
filtering rules and maintaining both efficiency and 
performance. 
It is clear therefore that the demands placed on network 
security systems, which already present a formidable 
processing challenge, will continue to increase. Although the 
capacity of electronic processors is also growing, it is at the 
cost of increased power consumption and the current growth-
rate of energy usage in telecommunications networks is 
unsustainable [2]. Future systems will have to adopt a 
radically new approach. 
Past claims that systems based on fast all-optical gates 
would satisfy future requirements for high-speed general 
purpose processors overlooked the large footprint and high 
power requirements of such gates and have long been 
abandoned. However, semiconductor optical amplifier (SOA)-
based gates operating at 40Gb/s have power requirements 
comparable with electronic gates working at the same speed 
and have the potential for much higher switching rates [3, 4]. 
Therefore, for those processes that require the combination of 
a small number of gates and very high operating speed, optical 
implementation can offer advantages over electronics. Part of 
the benefit arises from removing the need for optical-
electronic conversion before operating on incoming optical 
data, and for the reverse conversion if internal optical 
interconnects are used. 
The complementary regimes where optical and electronic 
processing offer the greatest benefit, namely fast, low-
complexity operations for optics and slower, almost arbitrarily 
complex operations for electronics, invite consideration of the 
optimum way to combine the advantages of both. In the 
context of a future security application, this can be achieved 
by employing an initial all-optical pre-processing stage to 
All-Optical Header Processing in a 42.6Gb/s 
Optoelectronic Firewall 
Roderick P. Webb, James M. Dailey, Member, IEEE, Robert J. Manning, Member, IEEE, 
Graeme D. Maxwell, Alistair J. Poustie, Member, IEEE, Sebastien Lardenois, Member, IEEE, 
Robert Harmon, James Harrison, Georgios Kopidakis, Elias Athanasopoulos, Antonis Krithinakis, 
Francis Doukhan, Mohamed Omar, Dominique Vaillant, Frédéric Di Nallo, Martin Koyabe 
and Carla Di Cairano-Gilfedder 
M 
  
carry out a simple filtering or sorting operation at the line rate, 
followed by parallel electronic processors to perform more 
complex operations at a lower rate.   
The development of an optoelectronic firewall with such a 
structure that is capable of providing efficient protection for 
the networks of the future has been the subject of the 
European Union project WISDOM [5]. The application of all-
optical processing to the management of optical packets 
continues to be an active field [6-8], but this project is 
believed to be the first to tackle security issues in packet-based 
networks. The remainder of this paper introduces the 
architecture proposed for firewalls and related security 
monitoring systems, describes the demonstration system 
constructed to test the key functions required by the novel 
architecture and presents experimental confirmation of their 
operation. 
 
Fig. 1.  Architecture of proposed optoelectronic firewall. Arriving packets are 
categorised and directed to the appropriate electronic processors by an optical 
pre-filter stage (e.g. set of pattern matching circuits) under software control.  
II. ARCHITECTURE OF PROPOSED OPTOELECTRONIC FIREWALL 
In order to exploit effectively both the ability of optical 
logic systems to operate at the line rate directly on data in the 
optical domain and the greater functionality of electronic 
processing, an architecture that combines both is proposed. It 
comprises an initial optical packet classification stage 
followed by specialised electronic processors that perform 
detailed inspections on each class of packets (Fig. 1).  
The packet classifier takes advantage of the speed of optical 
gates to operate on all incoming packets, but performs only 
simple inspections that require a small number of gates. These 
inspections might take the form of pattern matching to 
selected fields in the header. Fig. 1 shows multiple, single-
channel pattern matching circuits of the type demonstrated in 
the experiment described later, but multi-channel pattern 
matchers or other packet classification techniques could also 
be used to advantage. The packet classifier should be 
reconfigurable under software control to provide the flexibility 
to enable the firewall to respond to varying threats and types 
of traffic.  
This architecture is equally applicable to network intrusion 
detection systems (IDS), which form another important part of 
the armoury for defence against malicious attacks. They 
inspect network traffic by performing sophisticated signature-
based or anomaly-based detection. In a typical IDS, security 
threats are identified by matching network packets against a 
predefined rule-set. Real network traffic analysis shows that, 
although the majority of rules involve packet payload 
inspection, the vast majority of security alerts originate from 
inspection of the packet header alone. In this work we show 
that it is possible to pre-filter packets by all-optical processing 
of the headers.  
Optical inspection of specific header fields, such as the IP 
protocol or the port, can be used to sort traffic according to 
service type (e.g. web, email, etc) for further scrutiny by 
dedicated electronic processors. The subsequent electronic 
processors each operate on a sub-set of the arriving packets, 
thus reducing demands on their processing speed. They can 
also be more specialised, since each operates only on one 
service type, and inspections inappropriate to that type can be 
omitted. Previous pre-filtering approaches, using conventional 
electronic hardware and software, such as header classification 
[9], grouping packets according to packet header fields (e.g. 
destination port) [10] and active traffic splitting [11] have 
demonstrated greatly improved processing throughput and 
performance of IDS. It is envisaged that proposed architecture 
will extend these benefits to security systems protecting 
networks with higher line rates.  
 
Fig. 2.  Experimental system for sorting packets into two categories, e.g. 
emails and other services.  The security application programming interface 
(SAPI), electronic interface, pattern match circuit and switch control circuit 
were experimentally demonstrated. 
III. EXPERIMENTAL SYSTEM 
The experimental system consisted of a single, high-speed 
all-optical pattern recogniser, together with electronic 
interfaces for generating the target pattern and controlling the 
optical gates, software controls and a driver for the packet 
sorting switch (Fig. 2). The system was therefore equipped to 
sort incoming packets into two classes, e.g. emails and other 
traffic, and thus demonstrate all the key novel features of the 
firewall architecture. The optical system employed SOA-based 
gates which were switched by optical pulses. The input data 
used in the experiment was therefore modulated with return-
to-zero on-off keying (RZ-OOK). Phase-modulated data could 
be accommodated by the addition of an initial phase-to-
amplitude convertor. 
The pattern recogniser employed a recursive operational 
technique to progress towards the pattern match result. The 
section of the incoming data to be searched, for this 
application part of a packet header, was repeated N times, 
where N was the length of the target pattern. In a practical 
system, the repetition would be accomplished by switching the 
Switch
Pattern match
circuit
SAPI
Delay
Electronic interface
42.6Gb/s
input data
Selected service
Other services
Switch
Pattern match
circuits
Software control
Electronic
inspection
Delay
Electronic interfaces
Incoming
data
packets
  
chosen search field into a recirculating loop, but in this 
experiment the loop was emulated by a pattern generator. 
During each cycle, or processing frame, the search field was 
compared with one bit of the target pattern by an exclusive-
NOR gate (XNOR, i.e. inverse exclusive-OR). The result was 
AND-gated with the output from the previous frame, which 
was returned through a feedback loop incorporating a 
regenerator (Fig. 3). Thus, the match between the data and the 
target was built up one bit at a time until, in the final frame, 
the output contained an optical pulse wherever the complete 
target occurred in the data. (A more detailed description and 
explanation of the pattern recognition system has been 
published previously [12].) 
 
 
Fig. 3. Logic circuit of the pattern recognition system with example 
waveforms. n is the number of bits in a frame (the search field) and T is the bit 
period. 
 
This pattern recognition scheme offered a number of 
advantages for the firewall application. It required only a 
small number of gates (three, with additional gates for the 
storage loop) and the number was independent of the length of 
the target pattern. The target was generated at a substantially 
lower speed than the line rate, 1 bit per repetition of the search 
field, and did not have to be synchronised at the bit level with 
the incoming data. It could therefore be readily produced by 
an electronic interface driving a low-cost modulator. It could 
also be simply reprogrammed by loading new data into the 
interface. The output of the system not only indicated the 
presence but also the temporal position of the target in the 
search field, allowing occurrences in non-significant locations 
to be ignored by gating the output with a synchronisation 
pulse [12]. Finally, the time taken for the search process, 
though increased by the use of recursion, would normally be 
less than the duration of a packet and thus would not restrict 
throughput. For example, matching a 16-bit port number to a 
16-bit target would require a minimum of 256 bit periods to 
complete. The shortest TCP/IP packet, an acknowledgement, 
is 320 bits long and many IP packets have a length of 4000 
bits (500 bytes). 
A versatile simulation environment, Wsim, for logic-level 
emulation of optical gates was developed for bit-by-bit testing 
of the pattern recognition algorithm [13,14]. Reconfiguration 
of the optical circuit was supported and a range of 
visualisation tools was provided for examination of the results. 
Extensive simulations were carried out using data traces 
collected from real traffic and representative port or protocol 
numbers as targets. Wsim was accessed through a security 
application programming interface (SAPI) that also 
communicated with the experimental hardware. It too was 
developed specifically for this project and its user interface 
provided a convenient means for comparing simulation with 
experiment. 
The optical gates in the experimental system were Mach-
Zehnder interferometers (MZI) with nonlinear SOAs in each 
arm [15]. In all three gates, the line-rate control signals were 
divided into push and pull inputs [15], which co-propagated 
with the probe inputs for maximum switching speed (Fig. 4). 
Control and probe signals therefore had to be at different 
wavelengths to facilitate their separation after the gate. For 
this reason, a regenerator was included in the feedback path 
from the output of the AND gate to its control input. The 
XNOR gate differed from previously reported high-speed 
XOR gates [16-18] in that it was comparing input data at the 
line rate with the target input at a much lower speed. Push-pull 
operation was therefore neither necessary nor even possible 
for the target input and there was no penalty for connecting it 
in the counter-propagating direction. Similarly, the AND gate 
required a long initialisation pulse to allow data in the first 
frame to enter the feedback loop. In this case too, it was 
convenient to connect the low-speed input in the counter-
propagating direction and avoid the need to add an extra 
coupler to the input side of the gate. 
All three MZI-SOA gates were hybrid integrated devices 
incorporating silica-on-silicon optical waveguides for the 
passive sections and InP-based SOAs [8]. The passive 
waveguides included an integrated time delay for the push-
pull operation of the gate and a variable power splitter to 
control the optical control signal power reaching each SOA. 
The SOAs were designed and optimised for nonlinear 
operation [19] and had high optical gain, long path interaction 
lengths (>2mm) and very short (<10ps) 1/e gain recovery 
times. 
In addition to the integrated gates, the feedback loop 
contained a number of discrete components which increased 
its length and led to a frame length of 144ns (6144 bit periods) 
for the experimental system. A fully integrated system would 
not be limited by, for example, fibre pigtail lengths and the 
 
XNOR 
AND 
(n+1)T 
Recirculating 
loop 
Storage loop 
Regen 
nT 
Probe  
(clock pulses) 
Initialising pulse 
data / data 
  
  
Repeated n-bit data segment 
Target pattern (1101) 
Recirculated signal (1 bit relative delay) 
Output 
Frame:  1 2 3 4 
Pulse in final frame shows position of target 
Output 
  
frame length could be the minimum necessary to 
accommodate the search field which would reduce the 
processing time. 
Target patterns were selected from a list of common port 
numbers held in the SAPI or entered manually and 
downloaded to a purpose-built electronic board that generated 
the target waveform. The 8, 16 or 32-bit target word was 
loaded into a circular register from which it was clocked out at 
a rate to match the optical loop length. The board also 
produced initialisation and reset pulses synchronised with the 
target pattern. In order to obtain optical waveforms, these 
three signals drove modulators connected to the outputs of 
CW lasers. Rise and fall times were 134 and 150ps 
respectively. Because the transition times were longer than the 
bit-period of the incoming data (23ps), a guard interval was 
left between repetitions of the search field during which 
invalid outputs were ignored. A separate electronic interface 
was developed to control the operating conditions of the SOA-
based gates (i.e. the bias currents, phase adjusters and 
temperature stabilisation). 
 
Fig. 5. Waveforms from output 2 (Fig. 4) passed through a bandpass filter 
with a red offset from 1. Pulses from the final three frames are shown to the 
same scale. The gain of the regenerator was enhanced by 5dB during the final 
frame when the probe was reset. 
 
The detection of the target pattern was indicated by a short-
duration optical pulse in the final frame, but pulses in previous 
frames represent intermediate results which had to be ignored. 
The selector switch (Fig. 2) had to be set to the appropriate 
state and held while the packet passed to the chosen output 
port. Hence it was necessary to isolate the final frame and 
convert the pulse, if present, to an electrical pulse having the 
same duration as the packet in order to control the switch. This 
was achieved by enhancing the optical gain in the final frame 
and defining a time window with an electronic gate. 
  
Fig. 6. Selector switch control circuit. Output pulses from the optical pattern 
recognition system pass through a red-shifted bandpass filter before detection 
to enhance contrast. The 3GHz photoreceiver is connected to the clock input 
(C1) of the first D-type flip-flop.  If a pulse arrives while input D1 is high, the 
output O1 goes high. The state of O1 is transferred to the output of the second 
D-type, O2, when the rising edge of the enable pulse reaches C2 after the 
delay. Thus an acceptance window is defined by the interval between the 
arrival of the enable pulse at D1 and its arrival at C2. An input pulse received 
during this window causes the circuit output to go high and remain so until the 
next enable pulse. (Any pulse received while D1 is low serves to reset the first 
D-type.) 
 
Gain enhancement was a secondary effect of the reset pulse 
applied to the regenerator. During the final frame, the CW 
probe input to the regenerator was interrupted to prevent any 
pulses from being returned to the AND gate and interfering 
with the processing of the next packet. Removal of the probe 
resulted in partial gain recovery in the SOAs and an increase 
in the amplitude of the control pulses observed at the 
regenerator monitor point (output 2 in Fig. 4). The self phase 
modulation on the control pulses was also increased and the 
use of a red-shifted bandpass filter further improved the 
Optical pulses
D1
C1
O1
C2
D2
O2
Enable pulse
C1
D1
O1 (D2)
C2
O2
Bandpass
Filter
Photoreceiver
Duration 
of search
t
Delay
Delay
Pulse in 
acceptance 
window
No pulse
Switch activated
Not activated
Initialising pulse, 
3
Probe with reset, 3
Linear SOA
1
1
Repeated data at 
42.6Gb/s
2=1550nm
Output I
SOAs
Target pattern
3=1545nm
1
Clock
42.6 GHz
1=1555nm
XNOR Gate
Var. Delay line
Var. Attenuator
AND Gate
SOAs
Regen Gate
SOAs
10%
3
Linear SOA
3
Output 2
Single Frame
1
Linear SOA
Polarisation 
Controller
Var. Power SplitterVar. Phase Shifter
Fig. 4. Experimental implementation of the optical pattern recognition system. 
 
  
contrast of pulses in the output frame (Fig. 5). The output 
pulses were detected and broadened by a 3GHz receiver and 
an electronic circuit comprising two D-type flip-flops 
responded to pulses only within a defined time-window and 
held the result for the duration of the packet (Fig. 6). The 
selector switch control circuit was successfully demonstrated 
with pulses from the pattern recogniser output, but not used 
for the experiment described below. (Following a 
reconfiguration of the optical system, output 2 was no longer 
available.) 
A schematic diagram of the overall experimental system is 
shown in Fig. 7. Data representing the repeated search fields 
of a stream of input packets was programmed into a 42.6Gb/s 
pattern generator. Because the storage loop for repeating the 
search field was not physically implemented in the 
experiment, its output was emulated by including repetitions 
of each packet header in the programmed data. The pattern 
generator output modulated a stream of 2ps pulses at 1550nm 
from a fibre ring laser multiplexed up to 42.6GHz. A mode-
locked semiconductor laser provided a 42.6GHz clock train of 
2.4ps pulses at 1555nm which served as the probe for the 
XNOR gate. The target generator described above was 
synchronised with the repetitions of the input data and 
produced the target pattern and other low-speed inputs 
required by the pattern recognition system (Fig. 4). The output 
(output 1 in Fig. 4) was observed with an oscilloscope 
triggered through a programmable delay to facilitate selection 
of the desired packet and frame from the output trace. 
IV. EXPERIMENT AND RESULTS 
The exercise chosen to demonstrate optical pre-filtering in a 
firewall was to select packets according to the type of service, 
which can be achieved by searching for the appropriate value 
of the 16-bit port number. The data stream was derived from a 
real-world trace of traffic in an educational institute network 
connecting about 1000 hosts. The distributions of the port and 
protocol numbers were recorded for later analysis and their 
values were copied from the trace to 32-byte headers 
constructed for the experiment (Fig. 8a). (The remaining bytes 
were given arbitrary values.) 
  
Fig. 8. Data stream assembly: a) First 16 bytes of the 32-byte artificial headers 
used in the experiment with port numbers 25 and 80. b) Each header was 
replicated 24 times to fill the frame and each frame was repeated 16 times to 
emulate the storage loop. Similar blocks of data were generated for each 
packet. 
 
The header duration of 6ns was much shorter than the 
experimentally realised feedback loop length, so each header 
was repeated 24 times to create a frame of 144ns. To search 
Byte 0 31
x 24 copies
x 16 repetitions
Data from one 
packet
Header
Frame
Emulation 
of storage 
loop
Multi-packet 
data
stream
 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0
0.5
1
1.5
Pkt 0
 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0
0.5
1
1.5
Pkt 1
Byte
Port No. = 25
Alignment 
features Arbitrary data
Port No. = 80
a)
b)
Pattern 
generator
42.6Gb/s
Fibre
ring laser 
10.65GHz
10.65-
42.6G
Mux
Target 
generator
Mode-locked 
laser
42.6GHz
XOR
gate
Sync
Frame clock
Data
AND
gate
regenerator
Modulators
Target
Initialisation pulse
Reset pulse
SOA-MZI 
controller
SOA-MZI 
controller
Oscilloscope
Output
Scope trigger
Target
Optical 
data 
stream
PC
Program target 
(e.g. port No)
Data extracted 
from internet 
trace
Init
Probe 
with reset
Clock 
input
CW 
lasers
Programmable
delay
Optical connection
Electrical connection
PC
Mod
Fig. 7. Complete experimental packet sorting system. 
 
  
for a 16-bit target, each frame must be repeated 16 times, so 
16 copies of the frame were made in order to emulate the 
action of the storage loop. Further blocks of data were 
assembled in the same way to represent the required number 
of packets and the resulting bit stream was uploaded to the 
pattern generator (Fig. 8b). 
First, data was generated from a single packet that 
contained the port number for email (SMTP), 00000000 
00011001, the binary equivalent of 25, and the SAPI was used 
to set the target to the same value. The output of the pattern 
recognition system was observed and extracts from each frame 
are shown in Fig. 9. Each mark indicated where a match to the 
target bits so far presented to the system was found in the data. 
Thus the first frame showed all the zeros in the data (the most 
significant target bit was presented first) and was therefore the 
inverse of the input data (some isolated zeros were not 
resolved by the oscilloscope on this scale). The second frame 
showed all occurrences of a pair of zeros. Frame 12 showed 
occurrences of a one preceded by 11 zeros and so on. The final 
frame clearly showed the presence of the complete target. 
Note that a match to the first 15 bits was found 0.5ns before 
the port number, but this partial match was unambiguously 
rejected in the final frame. 
 
Fig. 9. Pattern recognition system output showing successive output frames 
during the identification of the email port number, 00000000 00011001 
(binary equivalent of 25). 
 
Then a second packet was added to the data stream 
containing the port number 00000000 01010000 (binary 
equivalent of 80, indicating http service). With the target 
unchanged, the outputs for the first packet remained the same. 
The output frames for the second packet are shown in Fig. 10 
Here, the final frame contained only zeros, correctly showing 
that there was no match between the target and the data. A 
further data stream was generated from 16 packets, including 
nine email packets with the port number 25. The remaining 
packets had port numbers 21, 80 or 2256. Examination of the 
final output frame for each packet showed that the system had 
correctly identified the nine emails. Several other target values 
were also programmed and correct recognition was observed 
in each case. The accuracy of the pattern recognition system 
when searching for arbitrarily chosen targets ranging in length 
from 8 to 256 bits had been confirmed previously [12]. 
V. CONCLUSIONS 
A new architecture has been proposed to enable future 
firewalls and network monitors to provide protection for 
systems with data input line rates of 40Gb/s or more. It 
employs an optical pre-filtering stage operating at the line rate 
to sort incoming packets in order to allow the subsequent 
electronic processing stages to be made more specialised, and 
thus simpler and more power efficient. In an experimental 
demonstration operating at 42.6Gb/s, packets derived from an 
internet trace were sorted into two categories according to 
their service type by an all-optical pattern recognition system 
under software control. Both the proposed architecture and the 
experimental demonstration show how the optical, electronic 
and software processing domains can be combined to exploit 
the speed of operation or degree of complexity available with 
each. 
 
 
Fig. 10. Successive output frames from the second packet. Here the zeros in 
the final frame show that the port number in the data stream, 00000000 
01010000 (binary equivalent of 80), did not match the target, 00000000 
00011001 (binary equivalent of 25). 
REFERENCES 
[1] R. W. Tkach, “Network Traffic and System Capacity: Scaling for the 
Future,”  presented at European Conference on Optical 
Communications, Turin, Italy, Sep. 19-23, 2010, paper We.7.D.1. 
[2] Y. Zhang , P. Chowdhury, M. Tornatore, and B. Mukherjee, “Energy 
Efficiency in Telecom Optical Networks,” IEEE Communications 
Surveys & Tutorials, to be published (available online). 
[3] Y. Liu, E. Tangdiongga, Z. Li, S. Zhang, H. de Waardt, G. D. Khoe and 
H. J. S. Dorren, “160 Gbit/s Wavelength Conversion Using Ultra-fast 
Dynamics in an SOA”, presented at European Conference on Optical 
Communications, Glasgow, Scotland, Sep. 25-29, 2005, paper We1.5.4. 
[4] R. J. Manning, R. Giller, X. Yang, R. P. Webb and D. Cotter, “Faster 
Switching with Semiconductor Optical Amplifiers,” presented at 
 
0 1 2 3 4 5
x 10
-9t, ns
 
 
Frame 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
 
 
 
0 1 2 3 4 5
x 10
-9t, ns
 
 
Frame 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
 
 
  
Photonics in Switching, San Francisco CA, USA, 19-22 Aug. 2007 pp. 
145 – 146. 
[5] WISDOM website: http://www.ist-wisdom.org 
[6] M. Usami and D. Blumenthal, “Optical Signal Processing: The 
Roadmap towards High-Speed Optical Packet/Burst Switching,” 
presented at European Conference on Optical Communications, Vienna, 
Austria, Sep. 20-24, 2009, paper Tu 5.6.1. 
[7] F. Ramos, E. Kehayas, J. M. Martinez, R. Clavero, J. Marti, L. 
Stampoulidis, D. Tsiokos, H. Avramopoulos, J. Zhang, P. V. Holm-
Nielsen, N. Chi, P. Jeppesen, N. Yan, I. Tafur Monroy, A. M. J. Koonen, 
M. T. Hill, Y. Liu, H. J. S. Dorren, R. Van Caenegem, D. Colle, M. 
Pickavet, and B. Riposati, “IST-LASAGNE: Towards All-Optical Label 
Swapping Employing Optical Logic Gates and Optical Flip-Flops,” 
Journal of Lightwave Technology, vol. 23, pp. 2993-3011, Oct., 2005. 
[8] L. Stampoulidis, D. Apostolopoulos, D. Petrantonakis, P. Zakynthinos, 
P. Bakopoulos, O. Zouraraki, E. Kehayas, A. Poustie, G. Maxwell and 
H. Avramopoulos, “Enabling Tb/s photonic routing: Development of 
advanced hybrid integrated photonic devices to realize high-speed, all-
optical packet switching ,” IEEE Journal of Selected Topics in Quantum 
Electronics, vol. 14, p.849 (2008). 
[9] V. Dimopoulos, G. Papadopoulos, and D. Pnevmatikatos, “On the 
importance of Header Classification in HW/SW Network Intrusion 
Detection Systems,” PCI 2005, LNCS 3746, pp. 661-671, 2005. 
[10] A. Papadogiannakis, D. Antoniades, M. Polychronakis, and E. P. 
Markatos, “Improving the Performance of Passive Network Monitoring 
Applications using Locality Buffering,” in Proceedings of 15th Annual 
Meeting of the IEEE International Symposium on Modeling, Analysis, 
and Simulation of Computer and Telecommunication Systems 
(MASCOTS) , pp. 151-157, 2007. 
[11] K. Xinidis, I. Charitakis, S. Antonatos, K. G. Anagnostakis, and E. P. 
Markatos, “An Active Splitter Architecture for Intrusion Detection and 
Prevention,” IEEE Transactions on Dependable and Secure Computing, 
vol.3, pp. 31-44, 2006. 
[12] R. P. Webb, X. Yang, R. J. Manning, G. D. Maxwell, A. J. Poustie, S. 
Lardenois and D. Cotter, “All-Optical Binary Pattern Recognition at 42 
Gb/s,” Journal of Lightwave Technology, vol. 27, pp. 2240-5, Jul. 1, 
2009. 
[13] A. Krithinakis, L. Stroetmann, E. Athanasopoulos, G. Kopidakis, E. P. 
Markatos. “WSIM: A software platform to simulate all-optical security 
operations,” in Proceedings of the 2nd European Conference on 
Computer Network Defense (EC2ND), pp. 41-27,  2008. 
[14] E. Athanasopoulos, A. Krithinakis, G. Kopidakis, G. Maxwell, A. 
Poustie, R. Manning, R. Webb, M. Koyabe, C. Di Cairano-Gilfedder, 
“WISDOM: Security-Aware Fibres,” in Proceedings of the 2nd ACM 
European Workshop on System Security (EUROSEC), pp. 22-27, 2009. 
[15] Y. Ueno, S. Nakamura, and K. Tajima, “Nonlinear phase shifts induced 
by semiconductor optical amplifiers with control pulses at repetition 
frequencies in the 40–160-GHz range for use in ultrahigh-speed all-
optical signal processing,” J. Opt. Soc. Am. B, vol. 19, pp. 2573-89 Nov. 
2002. 
[16] H. Chen, G.  Zhu, Q. Wang, J. Jaques, J. Leuthold, A. B. Piccirilli, N. K. 
Dutta, “All-optical logic XOR using differential scheme and Mach-
Zehnder interferometer,” Electronics Letters , vol. 38, pp. 1271-3, Oct. 
2002 . 
[17] R. P. Webb, R. J. Manning, G. D. Maxwell, A. J. Poustie, “40 Gbit/s all-
optical XOR gate based on hybrid-integrated Mach-Zehnder 
interferometer,” Electronics Letters, vol. 39, pp. 79-81, Jan. 2003. 
[18] J. M. Dailey, S. K. Ibrahim, R. J. Manning, R. P. Webb, S. Lardenois, G. 
D. Maxwell and A. J. Poustie, “42.6 Gbit/s fully integrated all-optical 
XOR gate”, Electronics Letters, vol. 45,  pp. 1047-9,  Sep. 2009. 
[19] A. Poustie, “Highly integrated InP-based subsystems for all-optical 
processing”, tutorial OWW1, OFC 2010, San Diego, U.S.A. (2010). 
 
Roderick P. Webb received the B.Sc. and Ph.D. 
degrees in electrical engineering from the Imperial 
College, London, England, in 1973 and 1993 
respectively. He also gained a B.A. from the Open 
University, Britain, in 1986 for studies in subjects 
ranging from the humanities to cosmology. 
He joined BT Laboratories in 1973 and worked 
on many aspects of optical transmission systems, 
on neural networks and on semiconductor optical 
amplifiers (SOAs) and while there he 
demonstrated the first all-optical regenerator based 
on an SOA. For some of this time he was also an 
Associate Lecturer with the Open University teaching artificial intelligence 
and electronics. In 2000, he moved to the Corning Research Centre, England, 
to work primarily on the 40Gb/s all-optical regenerator project, where he 
invented a 40Gb/s XOR gate.  He was one of the founding members of 
Photonic Systems Group set up in 2003 by Prof. Cotter at the Tyndall 
National Institute and Department of Physics, University College Cork, 
Ireland, where he continues to work as a Senior Researcher. His current 
research goals include improving the performance of SOA-based logic gates 
and putting them to use in telecommunications applications. He has published 
over 100 journal papers, conference papers and patents. 
 
James M. Dailey (M’06) was born in Reading, 
PA, USA in May 1979.  He earned his B.S., M.S., 
and Ph.D. degrees in electrical engineering from 
Lehigh University, Bethlehem, PA, USA in 2001, 
2006, and 2008, respectively.   
 Following his B.S. he worked for 2 years at 
Essex Corp in Columbia, MD as an Engineer 
characterizing novel DWDM technologies, after 
which he returned to Lehigh for graduate school.  
He is currently employed as a Post-Doctoral 
Researcher at the Tyndall National Institute in Cork, Ireland.  Research 
interests include optical communications and the use of semiconductor optical 
amplifiers in signal processing applications. 
 
Robert J. Manning (M’01) graduated with a BSc in physics (first class 
honours) in 1975 from Imperial College, London, and obtained a PhD in laser 
physics in 1982, also from Imperial College. 
He joined RSRE, Malvern in 1982, where he studied picosecond carrier 
dynamics of bulk and quantum well semiconductors using mode-locked 
lasers, He developed techniques to measure cross-well transport of electrons 
in quantum well devices, both without and with an applied electric field. In 
1989 he joined British Telecom Laboratories at Martlesham Heath, Ipswich, 
where he worked on optical non-linearities in a variety of materials for all-
optical signal processing applications. He was part of the group that 
discovered high–speed switching effects in semiconductor optical amplifiers 
(SOAs). Upon joining Corning in 2000, after their acquisition of the optics 
group of which he was a part, he continued the development of all-optical 
switching devices based upon SOAs. This led to the realisation of a hybridly 
integrated 40 Gbit/s all-optical regenerator. The same device was used to 
demonstrate a 40 Gbit/s all-optical XOR gate. He is now a Principal 
Investigator in the Photonic Systems group at Tyndall National Institute, 
Ireland, where he is continuing to pursue his interests in high speed dynamics 
in SOAs for optical logic applications. Dr Manning has published over 150 
journal and conference papers. 
Dr Manning is a member of the Optical Society of America, the Institute of 
Physics and is a Chartered Physicist. 
 
Graeme D. Maxwell has a PhD from Glasgow 
University, Scotland, in flame hydrolysis 
deposition 
 He leads the activity responsible for hybrid 
integration of active and passive components at 
the Centre for Integrated Photonics (CIP), 
including hybrid device design, planar silica 
fabrication and assembly of hybrid devices. He 
is a renowned authority on hybrid integration 
and PLC technology and was part of the 
management team that built up the business 
case to establish CIP. Prior to CIP, Graeme 
worked for BT Research Labs at Martlesham Heath, Ipswich from 1989. In 
1997 he was made Head of Technology Research Group, BT Laboratories. In 
this role he had responsibility for the research in planar silica, silica fibre, 
semiconductor opto-electronics, micro-machining. During this time he was 
responsible for down-streaming the planar silica technology from BT to the 
start-up company Kymata (now owned by Gemfire), and received BT’s 
Directorate Achiever Award in recognition. In 2000 when Corning took over 
the BT facility, he became the Department Manager for Hybrid Integration 
Research and became responsible for hybrid integration, passive planar 
devices, silicon micro-machining, packaging and electron beam lithography. 
During his time in Corning, he had global responsibility for hybrid 
integration, and was part of the team responsible for setting Corning’s strategy 
for planar devices and technology. 
 Dr. Maxwell has filed more than 15 patents and authored over 48 papers 
and is a member of the technical committee for ECTC. 
  
 Alistair J. Poustie (M’06) received the 
B.Sc. and Ph.D. degrees in physics & 
theoretical physics from the University of St. 
Andrews, Scotland in 1986 and 1990 
respectively. 
He joined BT Laboratories in 1990 and was 
engaged in research into quantum states of 
light, nonlinear optics and all-optical signal 
processing. In 2000 he joined Corning and 
continued research on optical processing 
using semiconductor optical amplifiers. In 2003 he was part of the founding 
team of the Centre for Integrated Photonics, Ipswich, U.K., where he is 
Optical Systems Manager. His current research interests include hybrid 
integrated photonic modules and their applications. He has published over 130 
journal papers, conference papers and patents. 
Dr. Poustie is a member of the Optical Society of America, a chartered 
Physicist and a Fellow of the Institute of Physics. 
 
Biographies not available for the other authors 
 
 
 
 
 
 
 
 
 
 
 
