Junchen Jiang,Xiaofei Wang,Keqiang He,Bin Liu

DOI: https://doi.org/10.1109/icc.2010.5501748

2010-01-01

Abstract:Multi-pattern matching is a key technique for implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against predefined attack signatures written in regular expressions (regexes). To this end, Deterministic Finite Automaton (DFA) is widely used for multi-regex matching, but existing DFAbased researches have claimed high throughput at an expenses of extremely high memory cost. In this paper, we propose a parallel architecture of DFA called Parallel DFA (PDFA), using multiple flow aggregations to increase the throughput with nearly no extra memory cost. The basic idea is to selectively store the DFA in multiple memory modules which can be accessed in parallel and to explore the potential parallelism. The memory cost of our system in both the average cases and the worst cases is analyzed, optimized and evaluated by numerical results. The evaluation shows that we obtain an average speedup of about 0.5k to 0.7k where k is the number of parallel memory modules under our synthetic trace and compressed real trace in a statistical average case, compared with the traditional DFA-based matching approaches.

Kai Wang,Zhe Fu,Xiaohe Hu,Jun Li

DOI: https://doi.org/10.1016/j.comcom.2014.08.005

IF: 5.047

2014-01-01

Computer Communications

Abstract:Regular expressions (regexes) provide rich expressiveness to specify the signatures of intrusions and are widely used in contemporary network security systems for signature-based intrusion detection. To perform very fast regex matching, deterministic finite automata (DFA) has been the first choice because its time complexity is constant O ( 1 ) . Unfortunately, DFA often suffers the well known state explosion problem and, consequently, tends to require prohibitive memory overhead in practical applications. To address the problem, a wide variety of DFA compression techniques have been proposed; however, few can keep up with the ever increasing network traffic bandwidth and regex set complexity. This paper proposes that the DFA problem is rooted in regexes (rather than in DFA), i.e., semantic overlapping of regexes, and accordingly presents a complete algorithmic solution PaCC (Partition, Compression, and Combination), that can transform the given large-scale set of complex regexes into a compact and fast matching engine using DFA as its core. PaCC fundamentally defuses state explosion for DFA by partitioning complex regexes into overlapping-free segments. By exploiting the massive repetitiveness among the resulting segments, PaCC can further deflate corresponding DFA in terms of the number of states. Moreover, on the basis of the characteristics of these segments, PaCC takes a tailor-made compression approach and reduces over 96% of the state transitions for the corresponding DFA. In the final matching engine, the combination of DFA and a small relation mapping table, built from segments and their syntagmatic relations, respectively, guarantees high performance and semantic equivalence. Experimental evaluation shows that PaCC produces succinct matching engines with memory usage proportional to the size of the real-world Snort and Bro regex sets, with speeds of up to 1.7Gbps per core on a HP Z220 SFF workstation with a 3.40GHz Intel Core i7-3770.

Jing Lin,Weiwei Lin,Hang Lin,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1016/j.comnet.2024.110662

IF: 5.493

2024-01-01

Computer Networks

Abstract:Regular expression matching is pivotal in numerous network applications. With the ever-increasing scale of data center traffic, deploying regular expression matching modules on traditional servers struggles to meet throughput demands. Emerging programmable switches have brought new prospects for high-speed pattern matching. However, deploying regular expression matching onto programmable switches presents the challenge of space explosion incurred by compiling regular expressions into a Deterministic Finite Automata (DFA). In this paper, we introduce P4Rex, a regular expression matching system designed for programmable switches. P4Rex synergistically leverages two following techniques: an efficient regular expression grouping algorithm that partitions regular expressions into different groups to reduce memory consumption, and DFA compression technology to achieve transition sharing. Experimental results demonstrate that P4Rex exhibits an average improvement of 17% and maximum improvement of 30% on memory consumption compared to prior regular expression grouping schemes and saves more than 10x memory consumption compared to deploying DFA directly on programmable switch.

Yi Tang,Junchen Jiang,Xiaofei Wang,Chengchen Hu,Bin Liu,Zhijia Chen

DOI: https://doi.org/10.1587/transinf.E93.D.3232

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Multi pattern matching is a key technique for Implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against tens of thousands of predefined attack signatures written in regular expressions (regexes) To this end Deterministic Finite Automaton (DFA) is widely used for multi regex matching but existing DFA based researches have claimed high throughput at an expense of extremely high memory cost so fail to be employed in devices such as high speed routers and em bedded systems where the available memory is quite limited In this paper we propose a parallel architecture of DFA called Parallel DFA (PDFA) taking advantage of the large amount of concurrent flows to increase the throughput with nearly no extra memory cost The basic Idea is to selectively store the underlying DFA in memory modules that can be accessed in parallel To explore its potential parallelism we intensively study DFA split schemes from both state and transition points in this paper The performance of our approach in both the average cases and the worst cases is analyzed optimized and evaluated by numerical results The evaluation shows that we obtain an average speedup of 100 times compared with traditional DFA based matching approach

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/icc.2011.5963289

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content to a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to hardware or high-speed memory where memory resources are limited. In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called StriD2FA. In the instance of LBM that we realize, 10-15 speedup is reasonable while the memory is much smaller than traditional DFA.

Shuzhuang Zhang,Hao Luo,Binxing Fang,Xiao-chun Yun

DOI: https://doi.org/10.1587/transinf.E92.D.1953

2009-01-01

IEICE Transactions on Information and Systems

Abstract:Scanning packet payload at a high speed has become a crucial task in modern network management due to its wide variety applications on network security and application-specific services. Traditionally, Deterministic finite automatons (DFAs) are used to perform this operation in linear time. However, the memory requirements of DFAs are prohibitively high for patterns used in practical packet scanning, especially when many patterns are compiled into a single DFA. Existing solutions for memory blow-up are making a trade-off between memory requirement and memory access of processing per input character. In this paper we proposed a novel method to drastically reduce the memory requirements of DFAs while still maintain the high matching speed and provide worst-case guarantees. We removed the duplicate transitions between states by dividing all the DFA states into a number of groups and making each group of states share a merged transition table. We also proposed an efficient algorithm For transition sharing between states. The high efficiency in time and space made our approach adapted to frequently updated DFAs. We performed several experiments on real world rule sets. Overall, for all rule sets and approach evaluated, Our approach offers the best memory versus run-time trade-offs.

Xiaofei Wang,Yang Xu,Junchen Jiang,Olga Ormond,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/JSYST.2013.2244791

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Deep packet inspection has become a key component in network intrusion detection systems (NIDSes), where every packet in the incoming data stream needs to be compared with patterns in an attack database, byte-by-byte, using either string matching or regular expression matching. Regular expression matching, despite its flexibility and efficiency in attack identification, brings significantly high computation and storage complexities to NIDSes, making line-rate packet processing a challenging task. In this paper, we present stride finite automata (StriFA), a novel finite automata family, to accelerate both string matching and regular expression matching. Different from conventional finite automata, which scan the entire traffic stream to locate malicious information, a StriFA only needs to scan a partial traffic stream to find suspicious information. The presented StriFA technique has been implemented in software and evaluated based on different traces. The simulation results show that the StriFA acceleration scheme offers an increased speed over traditional nondeterministic finite automaton/deterministic finite automaton, while at the same time reducing the memory requirement.

Wei Lin,Yi Tang,Bin Liu,Derek Pao,XiaoFei Wang

DOI: https://doi.org/10.1109/icc.2009.5198833

2009-01-01

Abstract:New applications such as real-time deep packet inspection require high-speed regular expression (regex) matcher, and the number of regexes in pattern store is increasing to several thousands, which requires a memory efficient solution. In this paper, a kind of hardware based compact DFA structure for multiple regexes matching called CPDFA is presented. According to statistics of regexes in Snort and L7-filter rules, transitions from each state to its next states are not evenly distributed. The summation of transitions from each state to its top three most popular next states takes about 90% of all the transitions. Therefore, CPDFA employs an indirect index table to represent transitions to top three most popular next states more efficiently. The remaining transitions which take about 10% of all the transitions are stored in direct transition table or K parallel SRAMs according to the number of remaining transitions from the same state is more than K or not. Simulation shows that CPDFA structure can save about 90% of memory storage comparing with the original DFA structure. By using pipelined architecture in FPGA, CPDFA can advance one character in one memory access cycle.

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content against a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to software-based or hardware-based implementation where the memory resources are limited.In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called Stride-DFA (StriD(2)FA). In the instance of LBM that we realize, a speedup of 10-15 is achievable while the required memory size is much less than that in the traditional DFA.

Junchen Jiang,Yi Tang,Bin Liu,Xiaofei Wang,Yang Xu

DOI: https://doi.org/10.1145/1882486.1882523

2009-01-01

Abstract:ABSTRACTDeterministic Finite Automaton (DFA) is well-known for its constant matching speed in worst case, and widely used in multi-string matching, which is a critical technique in high performance Network Intrusion Detection System (NIDS) design. Existing DFA-based researches achieve high throughput at the expense of extremely high memory cost, so they fail to be used in situations like embedded systems where very tight memory resource is available. In this paper, we propose a memory-efficient multi-string matching acceleration scheme named Synergic Parallel Compact (SPC) Match Engine, which can provide a high matching speedup with no extra memory cost than the traditional DFA. Our scheme can be understood as consisting of k SPC-FAs, each of which can process one character from the input stream, causing achieving a constant speedup factor k with reduced memory occupation. Experimental evaluations with Snort and ClamAV rulesets show that a speedup of 9X can be practically achieved by a single SPC Match Engine instance with a reduced memory size than the up-to-date DFA-based compression approaches.

Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1109/icccn.2011.6005927

2011-01-01

Abstract:Multi-pattern matching algorithm and architecture is critical for packet inspection based network security applications, especially for high speed network or large pattern sets. This paper presents a method to optimize the potential memory usage of DFA based algorithms for multi-pattern expression matching by the combining DFA's paths, named isomorphic path combination (IMPC). To achieve IMPC, a novel multi-pattern matching algorithm, called ACS, is proposed, which is based on CDFA. Compared to the algorithms on DFA, our method can reduce 78.6% states for Snort pattern set, which results in one of the most memory efficient methods. The most important is that our method is a kind of optimization and can be embedded to other algorithms as the second step for better results. Finally the architecture based on ACS is proposed and the experimental results show that 47.6% to 84.0% memory space can be saved for different size of pattern sets as compared to the best known architectures. The method is another one based on CDFA. It means that CDFA may be a more proper model for multi-pattern matching than other FAs.

LIU Jun-chao,ZHAO Guo-hong,CHEN Shu-hui

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.22.022

2008-01-01

Computer Engineering and Applications Journal

Abstract:Deep packet inspection based on regular expressions has become extremely important due to its applications in IDS/IPS,application protocol recognition,etc.However,DFA transition table of regular expressions require large amounts of memory,and this limits its practical application.This paper splits the DFA transition table into three tables,compresses the tables using run-length coding,and some optimizations are introduced.The test result using some normal applications in l7-filter indicates that the method has more than 90% compressing rate.

Kai Wang,Yaxuan Qi,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icc.2011.5963291

2011-01-01

Abstract:Regular expression matching has become a critical yet challenging technique in content-aware network processing, such as application identification and deep inspection. To meet the requirement for processing heavy network traffic at line rate, Deterministic Finite Automata (DFA) is widely used to accelerate regular expression matching at the expense of large memory usage. In this paper, we propose a DFA-based algorithm named RCDFA (Reorganized and Compact DFA), which dramatically reduces the memory usage while maintaining fast and deterministic lookup speed. Based on the dissection of real-life DFA tables, we observe that almost every state has multiple similar states, i.e. they share identical next-state transitions for most input characters. However, these similar states often distribute at nonadjacent positions in the original DFA table. RCDFA aims at reorganizing all similar states into adjacent entries, so that identical transitions become consecutive along the state dimension, then compresses the reorganized DFA table utilizing bitmap technique. Coupled with mapping along the character dimension, RCDFA is not only efficient in DFA compression, but also effective for hardware implementation. Experiment results show, RCDFA has superior performance in terms of high processing speed, low memory usage and short preprocessing time. RCDFA consistently achieves over 95% compression ratio for existing real-life rule sets. Implemented in a single Xilinx Virtex-6 FPGA platform, RCDFA matching engine achieved 12Gbps throughput.

Yi Tang,Junchen Jiang,Bin Liu

DOI: https://doi.org/10.1109/INFCOMW.2010.5466687

2010-01-01

Abstract:Multi-string matching is a key technique for network security applications like Network Intrusion Detection Systems (NIDS) and anti-virus scanners. %, where every packet is inspected against thousands of predefined signatures in real time. Existing DFA-based approaches always tradeoff between memory and throughput, no known approach has the best of both worlds. Hence, they fail to be used in the embedded systems like high speed routers where only limited on-chip resources are available. This post proposes a multi-step string matching acceleration scheme named step Finite Automata (Step-FA). Different from classical string matching approaches, we suppose to match an additional structural characteristic named as the distance of certain characters in Step-FA rather than the pure explicit characters themselves. As Step-FA does not follow each-byte-one-memory-access manner in the classical DFA, a high speedup can be achieved meanwhile the memory requirement decreased sharply. The Step-DFA gives the trade-off between accurate and approximate matching. For the purpose of guaranteeing he equivalence between the Step-FA and DFA, a verification module is introduced to fast check the already matched results. Experimental evaluations with ClamAV show that a 6 times of speedup can be practically achieved by a single Step-FA Matching System with a 70% reduced memory comparing to the up-to-date DFA-based approaches.

Mohammad Hashem Haghighat,Zhe Fu,Jun Li

DOI: https://doi.org/10.1145/3234664.3234669

2018-01-01

Abstract:Several security devices use signature based detection engine to detect malicious activities through the internet. The main challenge of this scenario is to keep up with the increase of line speed. On one hand, regular expression (regex) patterns allow security analysts to express more complicated attacks. On the other hand, they make pattern matching procedure much more costly. Several finite automata based techniques have been proposed to speed up the matching procedure. However, they are still impractical in the real world, due to their high spatial or temporal complexity.In this paper, a novel technique, called HES, is proposed to handle tens of thousands regex patterns, with minimum space limitation. The experimental results over several rule sets including Snort and Bro, as two leading open source intrusion detection systems, as well as random regex patterns, reveals us HES matched patterns significantly faster than DFA, as one of the fastest state-of-the-art techniques. In addition, the HES storage requirement is close to NFA, which leads as one of the most compact method. These results proved that HES can be used in the real world, as a signature based matching engine, and gives us the power to use more regex patterns.

Chengcheng Xu,Shuhui Chen,Jinshu Su,S. M. Yiu,Lucas C. K. Hui

DOI: https://doi.org/10.1109/comst.2016.2566669

2016-01-01

Abstract:Deep packet inspection (DPI) is widely used in content-aware network applications such as network intrusion detection systems, traffic billing, load balancing, and government surveillance. Pattern matching is a core and critical step in DPI, which checks the payload of each packet for known signatures (patterns) in order to identify packets with certain characteristics (e.g., malicious packets that carry viruses or worms). Regular expression is the major tool for signature description due to its powerful and flexible expressive ability. However, this flexibility also brings great challenges for efficient implementation in practice. Despite of hundreds to thousands of empirical proposals, wire-speed matching for large scale regular expressions still remains a big challenge. The gap between the matching throughput and the link speed is widening with the ever-increasing network link speed and pattern scale. This survey begins with a full-scale application background of DPI and technical background of regular expression matching in order to provide a global view and essential knowledge for readers. We then analyze the challenges in regular expression matching originated from the state explosion of finite state automaton used for regular expression matching. The nature of state explosion is analyzed in details, and the state-of-the-art solutions are grouped into categories of methods to relieve state expansion and methods to avoid state explosion, suggestions are also provided for building compact and efficient automata in different scenarios. Furthermore, proposals employing parallel platforms, including field-programmable gate array, GPU, general multi-processors, and ternary content addressable memory, to accelerate the matching process are introduced and thoroughly discussed. We also provide guidelines for efficient deployment for each of these platforms.

SONG Tian,LI Dong-Ni,WANG Dong-Sheng,XUE Yi-Bo

DOI: https://doi.org/10.3724/sp.j.1001.2013.04314

2013-01-01

Journal of Software

Abstract:Pattern matching is the main part of content inspection based network security systems, and it is widely used in many other applications. In practice, pattern matching methods for large scale sets with stable performance are in great demand, especially the architecture for online real-time processing. This paper presents a memory efficient pattern matching algorithm and architecture for a large scale set. This paper first proposes cached deterministic finite automata, namely CDFA, in the view of basic theory. By classifying transitions in pattern DFA, a new algorithm, ACC, based on CDFA is addressed. This algorithm can dynamically generate cross transitions and save most of memory resources, so that it can support large scale pattern set. Further, an architecture based on this method is proposed. Experiments on real pattern sets show that the number of transition rules can be reduced 80%~95% than the current most optimized algorithms. At the same time, it can save 40.7% memory space, nearly 2 times memory efficiency. The corresponding architecture in single chip can achieve about 11Gbps matching performance.

Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1145/1882486.1882507

2009-01-01

Abstract:Multiple pattern matching architecture is critical for content inspection based network security applications, especially for high speed network or large pattern sets. This paper presents a method to optimize the potential memory usage for multiple string or regular expression matching by the idea of combining DFA's paths, named isomorphic path combination (IMPC). To achieve IMPC, a novel multiple pattern matching algorithm is proposed, which is based on Cached DFA (CDFA). Compared to extended AC algorithm based on DFA, our method on CDFA can reduce 78.6% states for Snort pattern set, which results in one of the most memory efficient methods. More important is that our method can be embedded to other algorithms as the optimization.

Zhe Fu,Jun Li

2019-01-01

China Communications

Abstract:Regular expression matching is playing an important role in deep inspection. The rapid development of SDN and NFV makes the network more dynamic, bringing serious challenges to traditional deep inspection matching engines. However, state-of-the-art matching methods often require a significant amount of pre-processing time and hence are not suitable for this fast updating scenario. In this paper, a novel matching engine called BFA is proposed to achieve high-speed regular expression matching with fast pre-processing. Experiments demonstrate that BFA obtains 5 to 20 times more update abilities compared to existing regular expression matching methods, and scales well on multi-core platforms.

Xiaofei Wang,Junchen Jiang,Wei Lin,Yi Tang,Xiaojun Wang,Bin Liu

DOI: https://doi.org/10.1109/iccomta.2009.5349207

2009-01-01

Abstract:Deep packet inspection at high speed has become extremely important due to its application in a wide range of network applications, such as network security and network monitoring. Network intrusion detection system (NIDS) uses a collection of signatures of known security threats and viruses to scan the payload of each packet. Signatures are often specified in the form of regular expressions (regex), called patterns, which are traditionally implemented as finite automata. Deterministic finite automata (DFA) is fast, but requires prohibitive amounts of memory which limits their practical use. Instead of matching an incoming packet with each individual regex in a ruleset, we match the packet with a fixed substring, called fingerprint, of a regex first. Fixed string matching is faster and consumes less energy than regex matching. The fact is that if a packet does not match with the fingerprint of a regex, it will not match the regex itself. So fingerprints can be used in a prefilter engine to filter out those packets and do not match any of the fingerprints of the regex in a rule set, which represents normal non-malicious traffic. This actually reduces the number of regex rules being matched, which results in increased throughput of the NIDS. We present a weight scheme to extract a good fingerprint from a regex. A good fingerprint is the one that not only indicates the regex uniquely, but also occurs as less as possible in the matching procedure. We demonstrate how to use fingerprints for efficient prefiltering by means of Bloom filters in practice.