DocumentCode
1905711
Title
Accelerating Multi-Patterns Matching on Compressed HTTP Traffic
Author
Bremler-Barr, Anat ; Koral, Yaron
Author_Institution
Comput. Sci. Dept., Interdiscipl. Center, Herzliya
fYear
2009
fDate
19-25 April 2009
Firstpage
397
Lastpage
405
Abstract
One of the fundamental techniques used today by network security tools to detect malicious activity is 'signature-based' detection. Today, the performance of these security tools is dominated by the speed of the string-matching algorithms that detect these signatures. Currently, these security tools do not deal with compressed traffic, which is becoming more and more common in HTTP. The HTTP protocol uses GZIP compression, which requires some kind of decompression phase before the multi-pattern matching task can be performed. Thus, there is a high performance penalty for pattern matching on compressed data. In this paper we present a novel algorithm, the Aho-Corasick-based algorithm for Compressed HTTP (ACCH), which takes advantage of information gathered by the decompression phase in order to accelerate the commonly used Aho-Corasick pattern matching algorithm. We show, by analyzing real HTTP traffic and real WAF signature patterns, that we can skip scanning up to 75% of the data. Surprisingly, we show that in some situations it is faster to do pattern matching on the compressed data, with the penalty of decompression, than to do pattern matching on regular traffic. As far as we know, this is the first paper that analyzes the problem of 'on-the-fly' multi-pattern matching algorithms on compressed HTTP traffic and suggests a solution.
Keywords
Internet; data compression; digital signatures; string matching; telecommunication security; telecommunication traffic; transport protocols; Aho-Corasick multipattern matching algorithm; GZIP compression; HTTP protocol; Web traffic; compressed HTTP traffic; decompression phase; malicious activity detection; network security tool; signature-based detection; string-matching algorithm; Acceleration; Algorithm design and analysis; Compression algorithms; Computer science; Data security; Encoding; Intrusion detection; Pattern matching; Telecommunication traffic; Web server;
fLanguage
English
Publisher
IEEE
Conference_Titel
INFOCOM 2009, IEEE
Conference_Location
Rio de Janeiro
ISSN
0743-166X
Print_ISBN
978-1-4244-3512-8
Electronic_ISBN
0743-166X
Type
conf
DOI
10.1109/INFCOM.2009.5061944
Filename
5061944