Post on 14-Dec-2015
transcript
Space-Time Tradeoffs in Software-based Deep Packet Inspection
Authors: Anat Bremler-Barr, Yotam Harchol, and David Hay
Published in Proc. IEEE HPSR 2011
2
Goal
•Software based DPI
•AC based (Exact Matching)
•Reduced memory size
•Fit in CPU cache
•Worst case throughput
3
Aho-Corasick
•Forward Transitions (To Deeper states)
•Failure Transitions
Given a state s,
Depth(s): Depth(S4) = 2, Depth(S13) = 3
Label(s): Label(S4) = BD, Label(S13) = BCA
Label(S12) = CDBCAB
Failure Transitions to S0 are omitted
4
State Structure (1/3): Lookup Table Format
State  A    B    C    D    E
S2     S0   S2   S5   S4   S3
S4     S0   S2   S7   S0   S1
S5     S0   S2   S7   S6   S1
S13    S14  S2   S7   S0   S1
…
Lookup Table format is used when (# of forward transitions) is more than 64.
5
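State Structure (2/3): Linear Format
State  A    B    C    D    E
S2     S0   S2   S5   S4   S3
S5     S0   S2   S7   S6   S1
Linear format entries (failure transition in parentheses, then symbol and next-state pairs):
S4 (S0)
S5 (S7) D S6
S2 (S0) C S5 D S4 E S3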
6
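State Structure (3/3): Bitmap Format
State  A    B    C    D    E
S2     S0   S2   S5   S4   S3
S5     S0   S2   S7   S6   S1
Linear format entries:
S5 (S7) D S6
S2 (S0) C S5 D S4 E S3
Bitmap format entries (one bit per symbol A..E, then forward targets, then failure target):
S5: 00010 S6 S7
S2: 00111 S5 S4 S3 S0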
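Added example (not from the slides or the paper's code): a bitmap-format state lookup in C that reproduces the lookup-table rows shown for S2, S4 and S5. S0 and S7 are inferred from those rows (assumption), and SX is a placeholder for S7's D target, which the slides do not show.

```c
#include <stdint.h>
#include <stdio.h>

/* State ids from the slides; SX is a placeholder for S7's D target (not shown). */
enum { S0, S1, S2, S3, S4, S5, S6, S7, NSTATES, SX = 99 };

struct bm_state {
    uint8_t bitmap;   /* 5 bits for A..E, A leftmost; 1 = forward transition stored */
    uint8_t failure;  /* failure transition target */
    uint8_t fwd[5];   /* forward targets packed in symbol order, one per set bit */
};

/* S2, S4, S5 are taken from the slides. S0 and S7 are inferred from the lookup
 * rows (assumption); S1, S3, S6 are not described and stay zeroed. */
static const struct bm_state states[NSTATES] = {
    [S0] = {0x0D, S0, {S2, S7, S1}},  /* 01101 */
    [S2] = {0x07, S0, {S5, S4, S3}},  /* 00111 */
    [S4] = {0x00, S0, {0}},           /* leaf: failure transition only */
    [S5] = {0x02, S7, {S6}},          /* 00010 */
    [S7] = {0x02, S0, {SX}},          /* 00010, target is a placeholder */
};

static int rank_bits(unsigned v) { int n = 0; for (; v; v &= v - 1) n++; return n; }

/* Forward target of state (S0..S7) on sym, or -1 when none is stored. */
int forward(int state, char sym)
{
    int i = sym - 'A';
    const struct bm_state *s = &states[state];
    if (i < 0 || i > 4 || !(s->bitmap & (1u << (4 - i))))
        return -1;
    /* Number of set bits to the left of this symbol's bit = index into fwd[]. */
    return s->fwd[rank_bits((unsigned)s->bitmap >> (5 - i))];
}

/* One Aho-Corasick step: follow failure transitions until a forward one exists. */
int next_state(int state, char sym)
{
    int t;
    while ((t = forward(state, sym)) < 0 && state != S0)
        state = states[state].failure;
    return t < 0 ? S0 : t;
}

int main(void)
{
    for (const char *p = "ABCDE"; *p; p++)   /* reproduces the S5 lookup-table row */
        printf("S5 --%c--> S%d\n", *p, next_state(S5, *p));
    return 0;
}
```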
7
Path-Compression (1/3)
One-way branch states are compressed.
Problem:
•Incoming Failure Transition
•Outgoing Failure Transition
Solution:
•No incoming failure transition is allowed
•Multiple outgoing transition Fields
8
Path-Compression (2/3)
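[Figure: the one-way path Sa -A-> Sb -B-> Sc -C-> Sd, with failure transitions to Sx, Sy and Sz, is compressed into Sa -ABC-> Sd.]
Entries before compression: (A, Sb) (*, Sx); (B, Sc) (*, Sy); (C, Sd) (*, Sz)
Entries after compression: (A, Sx) (B, Sy) (C, Sz) (3, Sd)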
9
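Path-Compression (3/3): Tuck. (INFOCOM 2004)
[Figure, panels "Before" and "After": the path Sa -A-> Sb -B-> Sc -C-> Sd (failure transitions to Sx, Sy, Sz) compressed into Sa -ABC-> Sd, and a second path Si -T-> Sj -A-> Sk (failure transitions to Sp and Sq, plus an entry "*, Sb") compressed into Si -TA-> Sk.]
Entries before compression: (A, Sb) (*, Sx); (B, Sc) (*, Sy); (C, Sd) (*, Sz); (T, Sj) (*, Sp); (A, Sk) (*, Sq)
Entries after compression: (A, Sx) (B, Sy) (C, Sz) (3, Sd); (T, Sp) (A, Sq) (2, Sk)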
???
11
Leaves-Compression
Trie leaves consist only of failure transitions.
[Figure: Sa -A-> Sb -B-> Sc (original); Sa -A-> Sb (after the 1st process); Sa (after the 2nd process)]
•Adding one bit for each forward transition => indicate an accept state
•The process can be applied recursively
Original: (A, Sb) (B, Sc) (*, Sx)
1st process: (A, Sb, 0) (B, Sx, 1)
2nd process: (AB, Sx, 1)
12
Use both techniques
Add one bit for every symbol of compressed path.
[Figure: states S0, Sa, Sb, Sc, Sd, Sp, Sq with edge labels A; B, 0; C, 1; D, 1; B; E]
Set the bit of the i-th symbol when:
(1) a transition with the first i symbols of the path is to an accepting state
(2) the failure transition of the pre-compressed state reached after the first i symbols of the path is to a leaf
14
Pointer Compression
There are many transitions that go to states whose depth is small.
31% of the failure transitions go to depth 1 states
Additional 35% of the failure transitions go to depth 2 states.
15
Variable-Size Pointers
Two lengths: 2 and 2+log2|S|
•00: Go to state S0
•01: Go to depth 1 states (S0 occurs current symbols)
•10: Go to depth 2 states (S0 occurs last symbols + current symbols) (Valid pairs are less, thus use hashing)
•11: Go to next states as regular pointer
16
Huffman Coding
Huffman coding allocates short code for frequent symbols and long code for infrequent ones.
A lookup table is used to provide symbol-to-Huffman-code conversion.
The idea is not used.
17
Evaluation Environment
Two environments:
•Core 2 Duo 2.53 GHz (2 Core), 32 KB L1, 3 MB L2
•Core i7 2.93 GHz (4 Core), 32 KB L1, 256 KB L2, 8 MB L3
18
Evaluation Traffic
Pattern:
•Snort
•ClamAV (Partial)
Traffic:
•DARPA (Real Life)
•Exhaustive Traversal
•Failure path Traversal
Worst Case