Title :
Deep packet inspection with DFA-trees and parametrized language overapproximation
Author :
Luchaup, Daniel ; De Carli, Lorenzo ; Jha, Somesh ; Bach, Eric
Author_Institution :
U. of Wisconsin-Madison, Madison, WI, USA
fDate :
April 27 2014-May 2 2014
Abstract :
IPSs determine whether incoming traffic matches a database of vulnerability signatures defined as regular expressions. DFA representations are popular, but suffer from the state-explosion problem. We introduce a new matching structure: a tree of DFAs where the DFA associated with a node over-approximates those at its children, and the DFAs at the leaves represent the signature set. Matching works top-down, starting at the root of the tree and stopping at the first node whose DFA does not match. In the common case (benign traffic) matching does not reach the leaves. DFA-trees are built using Compact Overapproximate DFAs (CODFAs). A CODFA D´ for D over-approximates the language accepted by D, has a smaller number of states than D, and has a low false-match rate. Although built from approximate DFAs, DFA-trees perform exact matching faster than a commonly used method, have a low memory overhead and a guaranteed good worst case performance.
Keywords :
computational complexity; deterministic automata; digital signatures; finite automata; formal languages; pattern matching; tree data structures; CODFAs; DFA-trees; IPSs; NP-hard problem; benign traffic matching; compact overapproximate DFAs; deep packet inspection; deterministic finite automata; intrusion prevention system; low false-match rate; low memory overhead; matching structure; parametrized language overapproximation; regular expressions; state-explosion problem; vulnerability signatures; Approximation error; Automata; Computers; Conferences; DH-HEMTs; Payloads; Training;
Conference_Titel :
INFOCOM, 2014 Proceedings IEEE
Conference_Location :
Toronto, ON
DOI :
10.1109/INFOCOM.2014.6847977
