Yang Xu,Junchen Jiang,Rihua Wei,Yang Song,H. J. Chao

2011-01-01

Abstract:Deterministic Finite Automatons (DFAs) and Nondeterministic Finite Automatons (NFAs) are two typical automatons used in the Network Intrusion Detection System (NIDS). Although they both perform regular expression matching, they have quite different performance and memory usage properties. DFAs provide fast and deterministic matching performance but suffer from the well-known state explosion problem. NFAs are compact, but their matching performance is unpredictable and with no worst case guarantee. In this paper, we propose a new automaton representation of regular expressions, called Tunable Finite Automaton (TFA), to resolve the DFAs’ state explosion problem and the NFAs’ unpredictable performance problem. Different from a DFA, which has only one active state, a TFA allows multiple concurrent active states. Thus, the total number of states required by the TFA to track the matching status is much smaller than that required by the DFA. Different from an NFA, a TFA guarantees that the number of concurrent active states is bounded by a bound factor b that can be tuned during the construction of the TFA according to the needs of the application for speed and storage. Simulation results based on regular expression rule sets from Snort and Bro show that with only two concurrent active states, a TFA can achieve significant reductions in the number of states and memory usage, e.g., a 98% reduction in the number of states and a 95% reduction in memory space.

Junchen Jiang,Yang Xu,Tian Pan,Yi Tang,Bin Liu

DOI: https://doi.org/10.1109/icc.2010.5501973

2010-01-01

Abstract:In Network Intrusion Detection System, De-terministic Finite Automaton (DFA) is widely used to compare packet content at a constant speed against a set of patterns specified in regular expressions (regex patterns). However, combining many regex patterns into a single DFA causes a serious state explosion. Partitioning the pat-tern set into several subsets, each of which produces a small DFA, is a practical way to deflate the state explosion. In this paper, we propose a regex pattern grouping scheme based on a new DFA model called Pattern-Based DFA (P-DFA) which supports efficient pattern-based op-erations, such as insertion, deletion, and etc. By using these basic operations, one can easily measure the state explo-sion when combining a set of regex patterns into a single DFA. Based on the privilege, we develop regex grouping algorithms for mitigating the state explosion in parallel and sequential matching environments, respectively. The evaluation shows that under the same constraints, our ap-proach requires only half the number of groups compared with the most well-known algorithms.

Kunyang Peng,Qunfeng Dong,Min Chen

DOI: https://doi.org/10.1109/iwqos.2011.5931323

2011-01-01

Abstract:Regular expression matching is the foundation of many network functions including intrusion detection, worm detection, traffic analysis and so on, where known patterns such as worm fingerprints are characterized using regular expressions and searched in network traffic for pattern match. As the quantity and diversity of known patterns keep increasing, regular expression pattern sets have rapidly grown in both size and complexity, while having to be matched in network traffic at accelerating wire speeds. Fast and scalable regular expression matching, therefore, is fundamental to the development of practical network systems.

Kai Wang,Yaxuan Qi,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icc.2011.5963291

2011-01-01

Abstract:Regular expression matching has become a critical yet challenging technique in content-aware network processing, such as application identification and deep inspection. To meet the requirement for processing heavy network traffic at line rate, Deterministic Finite Automata (DFA) is widely used to accelerate regular expression matching at the expense of large memory usage. In this paper, we propose a DFA-based algorithm named RCDFA (Reorganized and Compact DFA), which dramatically reduces the memory usage while maintaining fast and deterministic lookup speed. Based on the dissection of real-life DFA tables, we observe that almost every state has multiple similar states, i.e. they share identical next-state transitions for most input characters. However, these similar states often distribute at nonadjacent positions in the original DFA table. RCDFA aims at reorganizing all similar states into adjacent entries, so that identical transitions become consecutive along the state dimension, then compresses the reorganized DFA table utilizing bitmap technique. Coupled with mapping along the character dimension, RCDFA is not only efficient in DFA compression, but also effective for hardware implementation. Experiment results show, RCDFA has superior performance in terms of high processing speed, low memory usage and short preprocessing time. RCDFA consistently achieves over 95% compression ratio for existing real-life rule sets. Implemented in a single Xilinx Virtex-6 FPGA platform, RCDFA matching engine achieved 12Gbps throughput.

Yang Xu,Junchen Jiang,Rihua Wei,Yang Song,H. Jonathan Chao

DOI: https://doi.org/10.1109/jsac.2014.2358856

IF: 16.4

2014-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Deterministic finite automatons (DFAs) and nondeterministic finite automatons (NFAs) are two typical automatons used in the network intrusion detection system. Although they both perform regular expression matching, they have quite different performance and memory usage properties. DFAs provide fast and deterministic matching performance but suffer from the well-known state explosion problem. NFAs are compact, but their matching performance is unpredictable and with no worst case guarantee. In this paper, we propose a new automaton representation of regular expressions, called tunable finite automaton (TFA), to deal with the DFAs' state explosion problem and the NFAs' unpredictable performance problem. Different from a DFA, which has only one active state, a TFA allows multiple concurrent active states. Thus, the total number of states required by the TFA to track the matching status is much smaller than that required by the DFA. Different from an NFA, a TFA guarantees that the number of concurrent active states is bounded by a bound factor b that can be tuned during the construction of the TFA according to the needs of the application for speed and storage. Simulation results based on regular expression rule sets from Snort and Bro show that, with only two concurrent active states, a TFA can achieve significant reductions in the number of states and memory usage, e.g., a 98% reduction in the number of states and a 95% reduction in memory space.

Chengcheng Xu,Jinshu Su,Shuhui Chen,Biao Han

DOI: https://doi.org/10.1109/SC2.2017.50

2017-01-01

Abstract:Fast regular expression matching (REM) is the core issue in deep packet inspection (DPI). Traditional REM mainly relies on deterministic finite automaton (DFA) to achieve fast matching. However, state explosion usually makes the DFA infeasible in practice. We propose the offset-FA to solve the state explosion problem in REM. The state explosion is mainly caused by the features of the large character set with closures or counting repetitions. We extract these features from original patterns, and represent them as an offset relation table and a reset table to keep semantic equivalence, and the rest fragments are compiled to a DFA called fragment-DFA. The fragment-DFA along with the offset relation table and reset table compose our Offset-FA. Experiments show that the offset-FA supports large rule sets and outperforms state-of-the-art solutions in space cost and matching speed.

Chengcheng Xu,Kun Yu,Xinghua Xu,Xianqiang Bao,Songbing Wu,Baokang Zhao

DOI: https://doi.org/10.3390/s22207781

IF: 3.9

2022-01-01

Sensors

Abstract:With the exponential growth of cyber–physical systems (CPSs), security challenges have emerged; attacks on critical infrastructure could result in catastrophic consequences. Intrusion detection is the foundation for CPS security protection, and deep-packet inspection is the primary method for signature-matched mechanisms. This method usually employs regular expression matching (REM) to detect possible threats in the packet payload. State explosion is the critical challenge for REM applications, which originates primarily from features of large character sets with unbounded (closures) or bounded (counting) repetitions. In this work, we propose Offset-FA to handle these repetitions in a uniform mechanism. Offset-FA eliminates state explosion by extracting the repetitions from the nonexplosive string fragments. Then, these fragments are compiled into a fragment-DFA, while a fragment relation table and a reset table are constructed to preserve their connection and offset relationship. To our knowledge, Offset-FA is the first automaton to handle these two kinds of repetitions together with a uniform mechanism. Experiments demonstrate that Offset-FA outperforms state-of-the-art solutions in both space cost and matching speed on the premise of matching correctness, and achieves a comparable matching speed with that of DFA on practical rule sets.

Yi Tang,Junchen Jiang,Xiaofei Wang,Yi Wang,Bin Liu

DOI: https://doi.org/10.1109/glocom.2010.5683142

2010-01-01

Abstract:Regular expression (Regex) becomes the standard signature language for security and application detection. Deterministic finite automata (DFAs) are widely used to perform regex matching in linear time. Previously researches mostly focus on how to compress DFA to reduce memory requirements in recent years. However, memory requirement is not the only problem caused by DFA explosion when implementation DFA matching system. In this paper, we propose a new issue in DFA matching procedure. We notice that the DFA produced from regex never considers the physical locality of logical neighbor, which results in a low cache hit rate when using cache as matching accelerator. This problem becomes severe for current increasingly complex security regex which producing huge DFA with nearly no locality in physical location. We propose to solve this problem through reordering the state number of existing DFA and further put forward two methods on reordering DFA from different viewpoints. In our algorithms, we achieve more than twice cache hit rate compared with traditional method. Moreover, our methods will not affect the existing matching system. Hence, all the cache hit rate improvement is achieved without any cost in wire speed matching.

Xiaofei Wang,Yang Xu,Junchen Jiang,Olga Ormond,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/JSYST.2013.2244791

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Deep packet inspection has become a key component in network intrusion detection systems (NIDSes), where every packet in the incoming data stream needs to be compared with patterns in an attack database, byte-by-byte, using either string matching or regular expression matching. Regular expression matching, despite its flexibility and efficiency in attack identification, brings significantly high computation and storage complexities to NIDSes, making line-rate packet processing a challenging task. In this paper, we present stride finite automata (StriFA), a novel finite automata family, to accelerate both string matching and regular expression matching. Different from conventional finite automata, which scan the entire traffic stream to locate malicious information, a StriFA only needs to scan a partial traffic stream to find suspicious information. The presented StriFA technique has been implemented in software and evaluated based on different traces. The simulation results show that the StriFA acceleration scheme offers an increased speed over traditional nondeterministic finite automaton/deterministic finite automaton, while at the same time reducing the memory requirement.

Yang Xu,Junchen Jiang,Yang Song,Tang Jiang,H Jonothan Chao

2010-01-01

Abstract:Deterministic Finite Automatons (DFAs) and ondeterministic Finite Automatons (FAs) are two typical automatons used in etwork Intrusion Detection System (IDS). Although they both perform regular expression matching, they have quite different performance and memory usage properties. DFAs provide fast and deterministic matching performance, but suffer from the well-known state explosion problem. FAs are compact, but their matching performance is non-deterministic and difficult to bound. In this paper, we propose a new automaton representation of regular expressions, called i-DFA, to resolve DFAs’ state explosion problem. Different from a DFA, which has only one active state, an i-DFA allows multiple concurrent active states. Thus, the total number of states required to track real-time matching information is much smaller than that required by the DFA. Different from an FA, an i-DFA can guarantee the number …

Xiaofei Wang,Junchen Jiang,Wei Lin,Yi Tang,Xiaojun Wang,Bin Liu

DOI: https://doi.org/10.1109/iccomta.2009.5349207

2009-01-01

Abstract:Deep packet inspection at high speed has become extremely important due to its application in a wide range of network applications, such as network security and network monitoring. Network intrusion detection system (NIDS) uses a collection of signatures of known security threats and viruses to scan the payload of each packet. Signatures are often specified in the form of regular expressions (regex), called patterns, which are traditionally implemented as finite automata. Deterministic finite automata (DFA) is fast, but requires prohibitive amounts of memory which limits their practical use. Instead of matching an incoming packet with each individual regex in a ruleset, we match the packet with a fixed substring, called fingerprint, of a regex first. Fixed string matching is faster and consumes less energy than regex matching. The fact is that if a packet does not match with the fingerprint of a regex, it will not match the regex itself. So fingerprints can be used in a prefilter engine to filter out those packets and do not match any of the fingerprints of the regex in a rule set, which represents normal non-malicious traffic. This actually reduces the number of regex rules being matched, which results in increased throughput of the NIDS. We present a weight scheme to extract a good fingerprint from a regex. A good fingerprint is the one that not only indicates the regex uniquely, but also occurs as less as possible in the matching procedure. We demonstrate how to use fingerprints for efficient prefiltering by means of Bloom filters in practice.

Kunyang Peng,Qunfeng Dong

DOI: https://doi.org/10.1145/2318857.2254802

2012-01-01

Abstract:Regular expression matching as the core packet inspection engine of network systems has long been striving to be both fast in matching speed (like DFA) and scalable in storage space (like NFA). Recently, ternary content addressable memory (TCAM) has been investigated as a promising way out, by implementing DFA using TCAM for regular express matching. In this paper, we present the first method for implementing NFA using TCAM. Through proper TCAM encoding, our method matches each input byte with one single TCAM lookup --- operating at precisely the same speed as DFA, while using a number of TCAM entries that can be close to NFA size. These properties make our method an important step along a new path --- TCAM-based NFA implementation --- towards the long-standing goal of fast and scalable regular expression matching.

Yi Tang,Junchen Jiang,Xiaofei Wang,Chengchen Hu,Bin Liu,Zhijia Chen

DOI: https://doi.org/10.1587/transinf.E93.D.3232

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Multi pattern matching is a key technique for Implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against tens of thousands of predefined attack signatures written in regular expressions (regexes) To this end Deterministic Finite Automaton (DFA) is widely used for multi regex matching but existing DFA based researches have claimed high throughput at an expense of extremely high memory cost so fail to be employed in devices such as high speed routers and em bedded systems where the available memory is quite limited In this paper we propose a parallel architecture of DFA called Parallel DFA (PDFA) taking advantage of the large amount of concurrent flows to increase the throughput with nearly no extra memory cost The basic Idea is to selectively store the underlying DFA in memory modules that can be accessed in parallel To explore its potential parallelism we intensively study DFA split schemes from both state and transition points in this paper The performance of our approach in both the average cases and the worst cases is analyzed optimized and evaluated by numerical results The evaluation shows that we obtain an average speedup of 100 times compared with traditional DFA based matching approach

Luis Quesada,Fernando Berzal,Francisco J. Cortijo

DOI: https://doi.org/10.48550/arXiv.1110.1716

2011-11-06

Abstract:Regular expressions provide a flexible means for matching strings and they are often used in data-intensive applications. They are formally equivalent to either deterministic finite automata (DFAs) or nondeterministic finite automata (NFAs). Both DFAs and NFAs are affected by two problems known as amnesia and acalculia, and DFAs are also affected by a problem known as insomnia. Existing techniques require an automata conversion and compaction step that prevents the use of existing automaton databases and hinders the maintenance of the resulting compact automata. In this paper, we propose Parallel Finite State Machines (PFSMs), which are able to run any DFA- or NFA-like state machines without a previous conversion or compaction step. PFSMs report, online, all the matches found within an input string and they solve the three aforementioned problems. Parallel Finite State Machines require quadratic time and linear memory and they are distributable. Parallel Finite State Machines make very fast distributed regular expression matching in data-intensive applications feasible.

Formal Languages and Automata Theory

Zhe Fu,Kai Wang,Liangwei Cai,Jun Li

DOI: https://doi.org/10.1016/j.compeleceng.2018.03.040

IF: 4.152

2018-01-01

Computers & Electrical Engineering

Abstract:Regular expressions are widely used in various applications. Due to its low time complexity and stable performance, Deterministic Finite Automaton (DFA) has become the first choice to perform fast regular expression matching. Unfortunately, compiling a large set of regular expressions into one DFA often leads to the well-known state explosion problem, and consequently requires huge memory consumption. Regular expression grouping is a practical approach to mitigate this problem. However, existing grouping algorithms are either brute-force or locally optimal and thus not efficient for large-scale regular expressions. In this paper, we propose two grouping algorithms, namely Reevo and Reant, to solve this problem intelligently and efficiently. In addition, two optimization methods are presented to accelerate the convergence speed and reduce the running time of proposed algorithms. Experimental results on large-scale rulesets from real world show that our algorithms achieve around 25% to 45% improvement compared to previous regular expression grouping algorithms.

Yi Tang,Tianfan Xue,Junchen Jiang,Bin Liu

DOI: https://doi.org/10.1109/ICC.2010.5501976

2010-01-01

Abstract:There is an increasing demand for network devices to perform deep packet inspection (DPI) to enhance network security. In DPI the packet payload is compared against a set of predefined patterns which can be specified using regular expressions (regexes). It is well-known that mapping regexes to deterministic finite automata (DFA) will suffer from the state explosion problem. Through observation, we attribute DFA explosion to the necessity of remembering matching history. In this paper, we investigate how to record the matching history efficiently and propose an extended DFA approach for regex matching called fcq-FA, which can make a memory size reduction of about 1000 times with a fully automated approach. In fcq-FA, we use pipeline queues and counters to help recording the matching history. Hence, state explosion caused by Kleene closure and repetitions can be definitely avoided. Further, it achieves a fully automated signature compilation with polynomial running time and space.

Junchen Jiang,Xiaofei Wang,Keqiang He,Bin Liu

DOI: https://doi.org/10.1109/icc.2010.5501748

2010-01-01

Abstract:Multi-pattern matching is a key technique for implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against predefined attack signatures written in regular expressions (regexes). To this end, Deterministic Finite Automaton (DFA) is widely used for multi-regex matching, but existing DFAbased researches have claimed high throughput at an expenses of extremely high memory cost. In this paper, we propose a parallel architecture of DFA called Parallel DFA (PDFA), using multiple flow aggregations to increase the throughput with nearly no extra memory cost. The basic idea is to selectively store the DFA in multiple memory modules which can be accessed in parallel and to explore the potential parallelism. The memory cost of our system in both the average cases and the worst cases is analyzed, optimized and evaluated by numerical results. The evaluation shows that we obtain an average speedup of about 0.5k to 0.7k where k is the number of parallel memory modules under our synthetic trace and compressed real trace in a statistical average case, compared with the traditional DFA-based matching approaches.

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/icc.2011.5963289

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content to a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to hardware or high-speed memory where memory resources are limited. In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called StriD2FA. In the instance of LBM that we realize, 10-15 speedup is reasonable while the memory is much smaller than traditional DFA.

Jie Wang,Yanshuo Yu,Kuanjiu Zhou

2014-01-01

Abstract:There is a growing demand for wireless ad hoc network systems in examining the content of data packages in order to improve network security and application service. Whereas, each distributed wireless node has limited memory and computing power. Since regular expressions offer superior expression power and flexibility, taking advantage of distributed nodes and regular expression collaboratively can be a new perspective for wireless network security strategy. In this paper, a regular expression matching approach is introduced for distributed wireless network security system called DREM (Distributed Regular Expression Matching), which divides the matching into two stages: prefiltering stage and verifying stage. Intensive experiments were conducted on Snort and L7-Filter regular expression data sets to verify the system. The experimental results show that our strategy can speed up the efficiency to 1.7 times faster than conventional approaches for wireless security systems. It is also proved by emulation that our approach can be regarded as a firewall system and well applied in medium or large scale distributed wireless network systems.

Zhe Fu,Kai Wang,Liangwei Cai,Jun Li

DOI: https://doi.org/10.1109/ICCCN.2014.6911804

2014-01-01

Abstract:Deep inspection is widely used to identify network traffic. Due to the complexity of payload in traffic, regular expressions are becoming the preferred choice to specify the rules of deep inspection. Compiling a set of regular expressions into one Deterministic Finite Automata (DFA) often leads to state explosion, which means huge or even impractical memory cost. Distributing a set of regular expressions into multiple groups and building DFAs independently for each group mitigates the problem, but the previous grouping algorithms are either brute-force or locally optimal and thus not efficient in practice. Inspired by the Intelligent Optimization Algorithms, we propose new grouping algorithms based on Genetic Algorithm and Ant Colony Optimization algorithm, to effectively solve the problem of state explosion by acquiring the global optimum tradeoff between memory consumption and the number of groups. Besides, to accelerate the execution speed of the intelligent grouping algorithms, we employ and improve an approximation algorithm that estimates the DFA states according to the conflicting relationship between each pair of regular expressions. Experimental results verify that our solutions save around 25% memory consumption or reduce around 20% of group number compared with existing popular grouping algorithms.