Author :
Liu, Cong ; Chen, Ai ; Wu, Di ; Wu, Jie
Abstract :
Deep packet inspection (DPI) based on regular expressions is expressive, compact, and efficient in specifying attack signatures. We focus on its implementations on general-purpose processors, which are cost-effective and flexible to update. In this paper, we propose a novel solution, called deterministic finite automata with extended character-set (DFA/EC), which can significantly decrease the number of states by slightly extending the character set. Unlike existing state reduction algorithms, our solution requires only a single memory access for each byte in the traffic payload, which is the minimum. We perform experiments with the Snort rule-sets. Results show that, compared to a DFA, a DFA/EC can be over four orders of magnitude smaller, has smaller memory bandwidth, and runs faster. We believe that DFA/EC will lay the groundwork for a new type of state compression technique in fast packet inspection.
Keywords :
character sets; deterministic automata; finite automata; security of data; Snort rule-set; attack signature specification; deep packet inspection; deterministic finite automata with extended character-set; general-purpose processor; state compression technique; state reduction; Automata; Doped fiber amplifiers; Encoding; Inspection; Memory management; Payloads; Program processors; Deep packet inspection; deterministic finite automata; extended character-set; regular expression