Zhe Fu,Kai Wang,Liangwei Cai,Jun Li

DOI: https://doi.org/10.1016/j.compeleceng.2018.03.040

IF: 4.152

2018-01-01

Computers & Electrical Engineering

Abstract:Regular expressions are widely used in various applications. Due to its low time complexity and stable performance, Deterministic Finite Automaton (DFA) has become the first choice to perform fast regular expression matching. Unfortunately, compiling a large set of regular expressions into one DFA often leads to the well-known state explosion problem, and consequently requires huge memory consumption. Regular expression grouping is a practical approach to mitigate this problem. However, existing grouping algorithms are either brute-force or locally optimal and thus not efficient for large-scale regular expressions. In this paper, we propose two grouping algorithms, namely Reevo and Reant, to solve this problem intelligently and efficiently. In addition, two optimization methods are presented to accelerate the convergence speed and reduce the running time of proposed algorithms. Experimental results on large-scale rulesets from real world show that our algorithms achieve around 25% to 45% improvement compared to previous regular expression grouping algorithms.

Prithi Samuel,Sumathi Subbaiyan,Balamurugan Balusamy,Sumathi Doraikannan,Amir H. Gandomi

DOI: https://doi.org/10.1007/s11831-020-09419-z

IF: 9.7

2020-04-15

Archives of Computational Methods in Engineering

Abstract:Construction and deployment of finite state automata from the regular expressions might results in huge overhead and results in the state explosion problem which is in need of large memory space, high bandwidth and additional computational time. To overcome this problem, a new framework is proposed, and several intelligent optimization algorithms are reviewed and compared in this framework. The proposed approach is called intelligent optimization grouping algorithms (IOGA), which intends to group regular expression intelligently. IOGAs are used to allocate the regular expression sets into various groups and to build independent deterministic finite automata (DFA) for each group. Grouping the regular expression efficiently solves the state explosion problem by achieving large-scale best tradeoff among memory utilization and computational time. This study reviews and compares the various alternatives of IOGA including genetic algorithm, ant colony optimization, particle swarm optimization, bacterial foraging optimization, artificial bee colony algorithm, biogeography based optimization, cuckoo search, firefly algorithm, bat algorithm and flower pollination algorithm for solving the problem of DFA state explosion and also for improving the overall efficiency of deep packet inspection (DPI). The discussions state that by effectively using these grouping algorithms along with DFA based DPI, the number of states can be reduced, providing a balance between the memory consumption, time complexity, throughput, inspection speed, convergence speed and grouping time.

computer science, interdisciplinary applications,engineering, multidisciplinary,mathematics

Cai Liangwei,Liu Siqi,Li Xia,Li Jun

DOI: https://doi.org/10.3724/sp.j.1249.2014.03279

2014-01-01

Abstract:Following the idea of the Becchi algorithm, an improved regular expressions grouping algorithm based on ant colony optimization ( GRE-ACO) was introduced. Taking account of the characteristics of regular expressions grouping, GRE-ACO defined the relationship between positive and negative effects of conflict information, a new heuristic function and pheromone update strategy. Comparison with the Becchi algorithm shows that GRE-ACO can reflect the optimizing merge information of the regular expressions more reasonably, reduce the amount of states effec-tively,and attain the optimal solution of the total number of state. As a result, the GRE-ACO can reduce the com-plexity of matching algorithm.

Junchen Jiang,Yang Xu,Tian Pan,Yi Tang,Bin Liu

DOI: https://doi.org/10.1109/icc.2010.5501973

2010-01-01

Abstract:In Network Intrusion Detection System, De-terministic Finite Automaton (DFA) is widely used to compare packet content at a constant speed against a set of patterns specified in regular expressions (regex patterns). However, combining many regex patterns into a single DFA causes a serious state explosion. Partitioning the pat-tern set into several subsets, each of which produces a small DFA, is a practical way to deflate the state explosion. In this paper, we propose a regex pattern grouping scheme based on a new DFA model called Pattern-Based DFA (P-DFA) which supports efficient pattern-based op-erations, such as insertion, deletion, and etc. By using these basic operations, one can easily measure the state explo-sion when combining a set of regex patterns into a single DFA. Based on the privilege, we develop regex grouping algorithms for mitigating the state explosion in parallel and sequential matching environments, respectively. The evaluation shows that under the same constraints, our ap-proach requires only half the number of groups compared with the most well-known algorithms.

Jing Lin,Weiwei Lin,Hang Lin,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1016/j.comnet.2024.110662

IF: 5.493

2024-01-01

Computer Networks

Abstract:Regular expression matching is pivotal in numerous network applications. With the ever-increasing scale of data center traffic, deploying regular expression matching modules on traditional servers struggles to meet throughput demands. Emerging programmable switches have brought new prospects for high-speed pattern matching. However, deploying regular expression matching onto programmable switches presents the challenge of space explosion incurred by compiling regular expressions into a Deterministic Finite Automata (DFA). In this paper, we introduce P4Rex, a regular expression matching system designed for programmable switches. P4Rex synergistically leverages two following techniques: an efficient regular expression grouping algorithm that partitions regular expressions into different groups to reduce memory consumption, and DFA compression technology to achieve transition sharing. Experimental results demonstrate that P4Rex exhibits an average improvement of 17% and maximum improvement of 30% on memory consumption compared to prior regular expression grouping schemes and saves more than 10x memory consumption compared to deploying DFA directly on programmable switch.

S. Prithi,S. Sumathi

DOI: https://doi.org/10.4314/ijest.v16i2.6

2024-05-23

Abstract:Network Security plays an essential role in the modern world. Current network services mainly rely on processing of payload in packets. Deep Packet Inspection (DPI) is a key factor in examining the packet payload which uses the signatures to identify the packet that carries any viruses, worms, malicious traffic, unauthorized access and attacks. DPI uses regular expression matching as a core operator to examine the packet payload. Finite State Automata (FSA) are natural representations for regular expression. FSA is usually too large to be constructed or deployed and has a huge overhead. Finite State Automata frequently leads to state explosion problem which require more storage space, high bandwidth and more computational time. To overcome this problem, Intelligent Optimization Grouping Algorithms (IOGA) can be used to distribute the regular expressions into various groups and for each group the Deterministic Finite Automata (DFA) are built independently. Grouping the regular expression efficiently solves the state explosion problem by achieving large-scale best tradeoff among the memory utilization and computational time. This paper reviews the various Intelligent Optimization Grouping Algorithms like Genetic Algorithm, Ant Colony Optimization, Particle Swarm Optimization, Bacterial Foraging Optimization, Artificial Bee Colony Algorithm, Biogeography Based Optimization, Cuckoo Search, Firefly Algorithm, Bat Algorithm and Flower Plant Optimization. The discussions states that by effectively using these grouping algorithms along with finite state automata can reduce the number of states by solving the state explosion blow up problem, providing a balance between the memory consumption, number of groups and provide faster convergence.

Zhe Fu,Jun Li

DOI: https://doi.org/10.1145/2658260.2661771

2014-01-01

Abstract:Regular expression matching has been playing an import role in today's network security systems with deep inspection function. However, compiling a set of regular expressions into one Deterministic Finite Automata (DFA) often leads to state explosion, which means huge or even impractical memory cost. Distributing regular expressions into several groups and building DFAs independently has been proved an efficient solution, but the previous grouping algorithms are either locally optimal or time-consuming. In this work, we proposed a new grouping method based on Spectral Clustering, which defines the similarity between regular expressions and then transforms grouping problem to clustering problem. Preliminary experiments illustrate that our grouping algorithm achieves efficient result with much less processing time.

Yi Tang,Junchen Jiang,Xiaofei Wang,Yi Wang,Bin Liu

DOI: https://doi.org/10.1109/glocom.2010.5683142

2010-01-01

Abstract:Regular expression (Regex) becomes the standard signature language for security and application detection. Deterministic finite automata (DFAs) are widely used to perform regex matching in linear time. Previously researches mostly focus on how to compress DFA to reduce memory requirements in recent years. However, memory requirement is not the only problem caused by DFA explosion when implementation DFA matching system. In this paper, we propose a new issue in DFA matching procedure. We notice that the DFA produced from regex never considers the physical locality of logical neighbor, which results in a low cache hit rate when using cache as matching accelerator. This problem becomes severe for current increasingly complex security regex which producing huge DFA with nearly no locality in physical location. We propose to solve this problem through reordering the state number of existing DFA and further put forward two methods on reordering DFA from different viewpoints. In our algorithms, we achieve more than twice cache hit rate compared with traditional method. Moreover, our methods will not affect the existing matching system. Hence, all the cache hit rate improvement is achieved without any cost in wire speed matching.

Junchen Jiang,Xiaofei Wang,Keqiang He,Bin Liu

DOI: https://doi.org/10.1109/icc.2010.5501748

2010-01-01

Abstract:Multi-pattern matching is a key technique for implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against predefined attack signatures written in regular expressions (regexes). To this end, Deterministic Finite Automaton (DFA) is widely used for multi-regex matching, but existing DFAbased researches have claimed high throughput at an expenses of extremely high memory cost. In this paper, we propose a parallel architecture of DFA called Parallel DFA (PDFA), using multiple flow aggregations to increase the throughput with nearly no extra memory cost. The basic idea is to selectively store the DFA in multiple memory modules which can be accessed in parallel and to explore the potential parallelism. The memory cost of our system in both the average cases and the worst cases is analyzed, optimized and evaluated by numerical results. The evaluation shows that we obtain an average speedup of about 0.5k to 0.7k where k is the number of parallel memory modules under our synthetic trace and compressed real trace in a statistical average case, compared with the traditional DFA-based matching approaches.

Zhe Fu,Zhi Liu,Jun Li

DOI: https://doi.org/10.1109/ICCCN.2017.8038377

2017-01-01

Abstract:Regular expression matching has been widely used in today's network security systems, where the payloads of network packets are matched against a set of rules specified by regular expressions. Due to the increasing number of rules and the complex semantics of regular expressions, state-of-the-art regular expression matching techniques hardly meet the demands of network development. The rapid growth of parallel technology calls for an efficient parallel regular expression matching method. In this paper, we propose ParaRegex, a novel approach for fast parallel regular expression matching with high efficiency and low overhead. ParaRegex is a framework that implements data-parallel regular expression matching for finite automaton based methods. Experimental evaluation shows that ParaRegex produces a high-performance regular expression matching engine with low memory overhead and linear speed-up ratio, and obtains up to 6 times faster processing speed on a commodity multi-core workstation.

Kai Wang,Yaxuan Qi,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icc.2011.5963291

2011-01-01

Abstract:Regular expression matching has become a critical yet challenging technique in content-aware network processing, such as application identification and deep inspection. To meet the requirement for processing heavy network traffic at line rate, Deterministic Finite Automata (DFA) is widely used to accelerate regular expression matching at the expense of large memory usage. In this paper, we propose a DFA-based algorithm named RCDFA (Reorganized and Compact DFA), which dramatically reduces the memory usage while maintaining fast and deterministic lookup speed. Based on the dissection of real-life DFA tables, we observe that almost every state has multiple similar states, i.e. they share identical next-state transitions for most input characters. However, these similar states often distribute at nonadjacent positions in the original DFA table. RCDFA aims at reorganizing all similar states into adjacent entries, so that identical transitions become consecutive along the state dimension, then compresses the reorganized DFA table utilizing bitmap technique. Coupled with mapping along the character dimension, RCDFA is not only efficient in DFA compression, but also effective for hardware implementation. Experiment results show, RCDFA has superior performance in terms of high processing speed, low memory usage and short preprocessing time. RCDFA consistently achieves over 95% compression ratio for existing real-life rule sets. Implemented in a single Xilinx Virtex-6 FPGA platform, RCDFA matching engine achieved 12Gbps throughput.

Kai Wang,Zhe Fu,Xiaohe Hu,Jun Li

DOI: https://doi.org/10.1016/j.comcom.2014.08.005

IF: 5.047

2014-01-01

Computer Communications

Abstract:Regular expressions (regexes) provide rich expressiveness to specify the signatures of intrusions and are widely used in contemporary network security systems for signature-based intrusion detection. To perform very fast regex matching, deterministic finite automata (DFA) has been the first choice because its time complexity is constant O ( 1 ) . Unfortunately, DFA often suffers the well known state explosion problem and, consequently, tends to require prohibitive memory overhead in practical applications. To address the problem, a wide variety of DFA compression techniques have been proposed; however, few can keep up with the ever increasing network traffic bandwidth and regex set complexity. This paper proposes that the DFA problem is rooted in regexes (rather than in DFA), i.e., semantic overlapping of regexes, and accordingly presents a complete algorithmic solution PaCC (Partition, Compression, and Combination), that can transform the given large-scale set of complex regexes into a compact and fast matching engine using DFA as its core. PaCC fundamentally defuses state explosion for DFA by partitioning complex regexes into overlapping-free segments. By exploiting the massive repetitiveness among the resulting segments, PaCC can further deflate corresponding DFA in terms of the number of states. Moreover, on the basis of the characteristics of these segments, PaCC takes a tailor-made compression approach and reduces over 96% of the state transitions for the corresponding DFA. In the final matching engine, the combination of DFA and a small relation mapping table, built from segments and their syntagmatic relations, respectively, guarantees high performance and semantic equivalence. Experimental evaluation shows that PaCC produces succinct matching engines with memory usage proportional to the size of the real-world Snort and Bro regex sets, with speeds of up to 1.7Gbps per core on a HP Z220 SFF workstation with a 3.40GHz Intel Core i7-3770.

Li Xu,Ouyang Fan,Chen WenZhi

DOI: https://doi.org/10.1007/s12528-022-09321-6

2022-01-01

Journal of Computing in Higher Education

Abstract:Group formation is a critical factor which influences collaborative processes and performances in computer-supported collaborative learning (CSCL). Automatic grouping has been widely used to generate groups with heterogeneous attributes and to maximize the diversity of students' characteristics within a group. But there are two dominant challenges that automatic grouping methods need to address, namely the barriers of uneven group size problem, and the inaccessibility of student characteristics. This research proposes an optimized, genetic algorithm-based grouping method that includes a conceptual model and an algorithm module to address these challenges. Through a quasi-experiment research, we compare collaborative groups' performance, processes, and perceptions in China's higher education. The results indicate that the experimental groups outperform the traditional grouping methods (i.e., random groups and student-formed groups) in terms of final performances, collaborative processes, and student perceptions. Based on the results, we propose implications for implementation of automatic grouping methods, and the use of collaborative analytics methods in CSCL.

Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1145/1882486.1882507

2009-01-01

Abstract:Multiple pattern matching architecture is critical for content inspection based network security applications, especially for high speed network or large pattern sets. This paper presents a method to optimize the potential memory usage for multiple string or regular expression matching by the idea of combining DFA's paths, named isomorphic path combination (IMPC). To achieve IMPC, a novel multiple pattern matching algorithm is proposed, which is based on Cached DFA (CDFA). Compared to extended AC algorithm based on DFA, our method on CDFA can reduce 78.6% states for Snort pattern set, which results in one of the most memory efficient methods. More important is that our method can be embedded to other algorithms as the optimization.

Xiaofei Wang,Yang Xu,Junchen Jiang,Olga Ormond,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/JSYST.2013.2244791

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Deep packet inspection has become a key component in network intrusion detection systems (NIDSes), where every packet in the incoming data stream needs to be compared with patterns in an attack database, byte-by-byte, using either string matching or regular expression matching. Regular expression matching, despite its flexibility and efficiency in attack identification, brings significantly high computation and storage complexities to NIDSes, making line-rate packet processing a challenging task. In this paper, we present stride finite automata (StriFA), a novel finite automata family, to accelerate both string matching and regular expression matching. Different from conventional finite automata, which scan the entire traffic stream to locate malicious information, a StriFA only needs to scan a partial traffic stream to find suspicious information. The presented StriFA technique has been implemented in software and evaluated based on different traces. The simulation results show that the StriFA acceleration scheme offers an increased speed over traditional nondeterministic finite automaton/deterministic finite automaton, while at the same time reducing the memory requirement.

Xiaofei Wang,Junchen Jiang,Wei Lin,Yi Tang,Xiaojun Wang,Bin Liu

DOI: https://doi.org/10.1109/iccomta.2009.5349207

2009-01-01

Abstract:Deep packet inspection at high speed has become extremely important due to its application in a wide range of network applications, such as network security and network monitoring. Network intrusion detection system (NIDS) uses a collection of signatures of known security threats and viruses to scan the payload of each packet. Signatures are often specified in the form of regular expressions (regex), called patterns, which are traditionally implemented as finite automata. Deterministic finite automata (DFA) is fast, but requires prohibitive amounts of memory which limits their practical use. Instead of matching an incoming packet with each individual regex in a ruleset, we match the packet with a fixed substring, called fingerprint, of a regex first. Fixed string matching is faster and consumes less energy than regex matching. The fact is that if a packet does not match with the fingerprint of a regex, it will not match the regex itself. So fingerprints can be used in a prefilter engine to filter out those packets and do not match any of the fingerprints of the regex in a rule set, which represents normal non-malicious traffic. This actually reduces the number of regex rules being matched, which results in increased throughput of the NIDS. We present a weight scheme to extract a good fingerprint from a regex. A good fingerprint is the one that not only indicates the regex uniquely, but also occurs as less as possible in the matching procedure. We demonstrate how to use fingerprints for efficient prefiltering by means of Bloom filters in practice.

Yang Xu,Junchen Jiang,Rihua Wei,Yang Song,H. J. Chao

2011-01-01

Abstract:Deterministic Finite Automatons (DFAs) and Nondeterministic Finite Automatons (NFAs) are two typical automatons used in the Network Intrusion Detection System (NIDS). Although they both perform regular expression matching, they have quite different performance and memory usage properties. DFAs provide fast and deterministic matching performance but suffer from the well-known state explosion problem. NFAs are compact, but their matching performance is unpredictable and with no worst case guarantee. In this paper, we propose a new automaton representation of regular expressions, called Tunable Finite Automaton (TFA), to resolve the DFAs’ state explosion problem and the NFAs’ unpredictable performance problem. Different from a DFA, which has only one active state, a TFA allows multiple concurrent active states. Thus, the total number of states required by the TFA to track the matching status is much smaller than that required by the DFA. Different from an NFA, a TFA guarantees that the number of concurrent active states is bounded by a bound factor b that can be tuned during the construction of the TFA according to the needs of the application for speed and storage. Simulation results based on regular expression rule sets from Snort and Bro show that with only two concurrent active states, a TFA can achieve significant reductions in the number of states and memory usage, e.g., a 98% reduction in the number of states and a 95% reduction in memory space.

Yi Tang,Junchen Jiang,Xiaofei Wang,Chengchen Hu,Bin Liu,Zhijia Chen

DOI: https://doi.org/10.1587/transinf.E93.D.3232

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Multi pattern matching is a key technique for Implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against tens of thousands of predefined attack signatures written in regular expressions (regexes) To this end Deterministic Finite Automaton (DFA) is widely used for multi regex matching but existing DFA based researches have claimed high throughput at an expense of extremely high memory cost so fail to be employed in devices such as high speed routers and em bedded systems where the available memory is quite limited In this paper we propose a parallel architecture of DFA called Parallel DFA (PDFA) taking advantage of the large amount of concurrent flows to increase the throughput with nearly no extra memory cost The basic Idea is to selectively store the underlying DFA in memory modules that can be accessed in parallel To explore its potential parallelism we intensively study DFA split schemes from both state and transition points in this paper The performance of our approach in both the average cases and the worst cases is analyzed optimized and evaluated by numerical results The evaluation shows that we obtain an average speedup of 100 times compared with traditional DFA based matching approach

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/icc.2011.5963289

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content to a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to hardware or high-speed memory where memory resources are limited. In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called StriD2FA. In the instance of LBM that we realize, 10-15 speedup is reasonable while the memory is much smaller than traditional DFA.

Gao Xia,Xiaofei Wang,Bin Liu

DOI: https://doi.org/10.1109/dasc.2009.71

2009-01-01

Abstract:Deep packet inspection (DPI) relies highly on regular expression due to its power of description, generalization and flexibility. In DPI, packet payload is compared against a large number of rules written in regular expression. To achieve high throughput, multiple regular expressions are combined and compiled into one DFA, which leads to two problems: a) State explosion; b) Sub-rule distinguishing in the combined rule set. While the first problem has been extensively studied in the recent years, we did not find any literature which formally discusses the second problem in detail. We formulate it and propose sub-rule distinguishable DFA (SRD-DFA), an extended DFA structure, and develop techniques to distinguish sub-rules from multiple regular expressions upon this structure. SRD-DFA can achieve the same throughput as minimized DFA, since it only incurs little extra memory consumption without extra run-time computation. Experimental results under the L7-filter rule set and a subset of Snort rule set demonstrate that our approach achieves 8 to 14 times higher throughput than the DFA without rule combination, while only introducing less than 8.4% overhead of state increase compared to the minimized DFA after rule combination. SRD-DFA can be easily used with advanced DFA compression algorithms to achieve much less memory consumption.