1

A Memory Efficient DFA based on Pattern Segmentation for Deep Packet Inspection

Author: Yeim-Kuan Chang and Jo-Ning Yu Publisher: Presenter: Yuen-Shuo Li Date: 2013/04/24

2

Background

As the role of NIDS has become more important, we have to develop a new high-throughput algorithm to find out the hidden virus in packet payload because the performance of pattern match algorithm is the bottleneck of NIDS.

3

Method of improving AC

Cutting pattern into sub-patterns (pattern segmentation) Parallel Match Top k Levels Bitmap-based compression

4

Pattern segmentation

Backward Transitions can avoid repeat matching with the same sub-pattern. It can improve the performance of match process.

backward Transitions

5

Pattern segmentation(cont.)

16 states 10 states

6

Parallel Match Top k Levels

The transitions going back to one of the top k levels account for a very large proportion of all transitions.

7

Parallel Match Top k Levels

To reduce memory usage, we adopt the parallel architecture to remove these transitions.

8

Bitmap-based compression

e h i r s0 0...

00 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0…0

1 0...0

1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0…0

2 0...0

0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0...0

3 0...0

0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0...0

4 0...0

1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0...0

5 0...0

0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0...0

6 0...0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0...0

7 0...0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0...0

index

array of NS

State 0

0 1 3

State 1

1 2 6

State 2

2 8

State 3

3 4

State 4

4 5

State 5

5 8

State 6

6 7

State 7

7

State 8

6 9

State 9

7

h

7s

0 1 2e 8r 9s

4h 5e

6i

3sr

9

Overview of architecture

10

Overview of architecture(Cont.)

11

11

Pattern set : { heroes, rose, hohero }

Pattern set’ : { he, ro, es, se, ho }

Input stream : h e x r o s e

he

o

3r

se

o 4

6

0

1 2

5

7e

s8 9

sub pattern match FSMMain optimized AC automaton

(Optimized AC automata)

Search cycle

Currrent state

Input id

# of scanned byte

cu_len

Next state

Detected pattern

Cycle 1 0 0 2 0 1Cycle 2 1 1 5 2 4Cycle 3 4 3 7 5 5 rose

12

Performance

13

Performance

Original AC optimized automaton

Our proposed scheme

Pattern # 28.10K 28.10KTotal character # 1.83M 1.83MState # of AC optimized automaton(our scheme includes parallel prefix optimized AC automaton)

1.75M 1.42M

Transition # of AC optimized automaton (our scheme includes parallel prefix optimized AC automaton)

446.77M 2.70M

Total memory 1.75GB 15.84MB

14

Performance

AC Types # of Partitions

Memory/char

AC automaton optimized AC 1 975.36 B

(2D) P2-Hash [2]

un-optimized AC 1 11.1 B

(2D) P2-Hash [2] optimized AC 1 9.53 B

CDFA [21] optimized AC 32 6.1 B

Our Scheme optimized AC 1 8.6 B