• DocumentCode
    170437
  • Title

    Deep packet inspection with DFA-trees and parametrized language overapproximation

  • Author

    Luchaup, Daniel ; De Carli, Lorenzo ; Jha, Somesh ; Bach, Eric

  • Author_Institution
    U. of Wisconsin-Madison, Madison, WI, USA
  • fYear
    2014
  • fDate
    April 27 2014-May 2 2014
  • Firstpage
    531
  • Lastpage
    539
  • Abstract
    IPSs determine whether incoming traffic matches a database of vulnerability signatures defined as regular expressions. DFA representations are popular, but suffer from the state-explosion problem. We introduce a new matching structure: a tree of DFAs where the DFA associated with a node over-approximates those at its children, and the DFAs at the leaves represent the signature set. Matching works top-down, starting at the root of the tree and stopping at the first node whose DFA does not match. In the common case (benign traffic) matching does not reach the leaves. DFA-trees are built using Compact Overapproximate DFAs (CODFAs). A CODFA D′ for D over-approximates the language accepted by D, has a smaller number of states than D, and has a low false-match rate. Although built from approximate DFAs, DFA-trees perform exact matching faster than a commonly used method, have a low memory overhead and a guaranteed good worst-case performance.
  • Keywords
    computational complexity; deterministic automata; digital signatures; finite automata; formal languages; pattern matching; tree data structures; CODFAs; DFA-trees; IPSs; NP-hard problem; benign traffic matching; compact overapproximate DFAs; deep packet inspection; deterministic finite automata; intrusion prevention system; low false-match rate; low memory overhead; matching structure; parametrized language overapproximation; regular expressions; state-explosion problem; vulnerability signatures; Approximation error; Automata; Computers; Conferences; DH-HEMTs; Payloads; Training;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    INFOCOM, 2014 Proceedings IEEE
  • Conference_Location
    Toronto, ON
  • Type

    conf

  • DOI
    10.1109/INFOCOM.2014.6847977
  • Filename
    6847977