Issue No.02 - Feb. (2013 vol.62)
pp: 310-321
Cong Liu, Sun Yat-sen University, Guangzhou
Jie Wu, Temple University, Philadelphia
ABSTRACT
Deep packet inspection, in which packet payloads are matched against a large set of patterns, is an important algorithm in many networking applications. Nondeterministic Finite Automaton (NFA) and Deterministic Finite Automaton (DFA) are the basis of existing algorithms. However, both NFA and DFA are not ideal for real-world rule sets: NFA has the minimum storage, but the maximum memory bandwidth; while DFA has the minimum memory bandwidth, but the maximum storage. Specifically, NFA and DFA cannot handle the presence of character sets, wildcards, and repetitions of character sets or wildcards in real-world rule sets. In this paper, we propose and evaluate a dual Finite Automaton (dual FA) to address these shortcomings. The dual FA consists of a linear finite automaton (LFA) and an extended deterministic finite automaton (EDFA). The LFA is simple to implement, and it provides an alternative approach to handle the repetition of character sets and wildcards (which could otherwise cause the state explosion problem in a DFA) without increasing memory bandwidth. We evaluate the automaton in real-world rule sets using different synthetic payload streams. The results show that dual FA can reduce the number of states up to five orders of magnitude while their memory bandwidth is close to minimum.
INDEX TERMS
Doped fiber amplifiers, Automata, Erbium-doped fiber amplifier, Payloads, Inspection, Bandwidth, Explosions, dual finite automaton (dual FA), Deep packet inspection, linear finite automaton (LFA)
CITATION
Cong Liu, Jie Wu, "Fast Deep Packet Inspection with a Dual Finite Automata", IEEE Transactions on Computers, vol.62, no. 2, pp. 310-321, Feb. 2013, doi:10.1109/TC.2011.231