Chain-Based DFA Deflation for Fast and Scalable Regular Expression Matching Using TCAM

Regular expression matching is the core engine of many network functions such as intrusion detection, protocol analysis and so on. In spite of intensive research, we are still in need of a method for fast and scalable regular expression matching, where it takes one simple memory lookup to match each input character (like DFA) and storage space growing linearly with regular expression pattern set size (like NFA). Most recently, TCAM-based DFA implementation has been proposed as a promising approach, for TCAM´s unique parallel and wildcard matching capabilities. However, the number of TCAM entries needed is still above exponentially growing DFA size and hence not scalable. In this paper, we propose a chain-based DFA deflation method for fast and scalable regular expression matching using TCAM, which takes one simple TCAM lookup to match each input character and effectively deflates DFA size. Experiments based on real life pattern sets demonstrate that, the number of TCAM entries used by our DFA deflation method is up to two orders of magnitude lower than the DFA size, and comes quite close to the linearly growing NFA size. This not only means superior scalability, but also allows us to implement regular expression matching at extremely fast matching speed, up to two orders of magnitude faster than the existing TCAM-based DFA implementation method.