Evaluation of regular expression match engines for DPI system

Because of its superior expressive power and flexibility, regular expression is now widely used in intrusion detection system and deep packet inspection system to define various patterns of virus or attacks in network traffic[1][2]. Excellent regular expression engine used in DPI system must be fast, accuracy and less memory usage to match a large volume of data streams, especially in realtime network. In this paper, four open source regular expression match engines are introduced, include Henry Spencer´s regex library, PCRE, RE2, and TRE. An evaluation of the four libraries on expressive power, data structure, memory usage and performance is proposed. The evaluation is based on analysis of their source code and black-box testing. Also a list of benchmarks is presented to do this evaluation. The results indicate that PCRE supports more features but has worse performance than other libraries, RE2 performs well on both time and memory usage but does not support backreferences. Both of them are more suitable for DPI system than TRE and Spency´s library.