COIN: A fast packet inspection method over compressed traffic

Abstract Matching multiple patterns simultaneously is a key technique in Deep Packet Inspection systems, such as firewall, Intrusion Detection Systems, etc. However, most web services nowadays tend to compress their traffic for less data transferring and better user experience, which has challenged the original multi-pattern matching method that work on raw content only. The straightforward solutions directly match decompressed data which multiply the data to be matched. The state-of-the-art works skip scanning some data in compressed segments, but still exist the redundant checking, which are not efficient enough. In this paper, we propose COmpression INspection (COIN) method for multi-pattern matching over compressed traffic. COIN does not recheck the patterns within compressed segment if it has been matched before, so as to further improve the performance of matching, we have collected real traffic data from Alexa top sites and performed the experiments. The evaluation results show that COIN achieves 20.3% and 17.0% in the average of improvement than the state-of-the-art approaches on the string and regular expression matching with real traffic and rule sets.

[1]  Somesh Jha,et al.  XFA: Faster Signature Matching with Extended Automata , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[2]  Patrick Crowley,et al.  An improved algorithm to accelerate regular expression evaluation , 2007, ANCS '07.

[3]  Michela Becchi,et al.  Accelerating regular expression matching over compressed HTTP , 2015, 2015 IEEE Conference on Computer Communications (INFOCOM).

[4]  Anat Bremler-Barr,et al.  Shift-based pattern matching for compressed web traffic , 2011, 2011 IEEE 12th International Conference on High Performance Switching and Routing.

[5]  Siu-Ming Yiu,et al.  A Survey on Regular Expression Matching for Deep Packet Inspection: Applications, Algorithms, and Hardware Platforms , 2016, IEEE Communications Surveys & Tutorials.

[6]  Shmuel Tomi Klein,et al.  Pattern matching in Huffman encoded texts , 2001, Proceedings DCC 2001. Data Compression Conference.

[7]  Anat Bremler-Barr,et al.  Accelerating Multipattern Matching on Compressed HTTP Traffic , 2012, IEEE/ACM Transactions on Networking.

[8]  Ayumi Shinohara,et al.  A Boyer-Moore Type Algorithm for Compressed Pattern Matching , 2000, CPM.

[9]  Anat Bremler-Barr,et al.  Decompression-free inspection: DPI for shared dictionary compression over HTTP , 2012, 2012 Proceedings IEEE INFOCOM.

[10]  Yuming Jiang,et al.  Deep semantics inspection over big network data at wire speed , 2016, IEEE Network.

[11]  Jeffrey D. Ullman,et al.  Introduction to Automata Theory, Languages and Computation , 1979 .

[12]  Ronald L. Rivest,et al.  Introduction to Algorithms , 1990 .

[13]  Yehuda Afek,et al.  Space efficient deep packet inspection of compressed web traffic , 2012, Comput. Commun..

[14]  Ken Thompson,et al.  Programming Techniques: Regular expression search algorithm , 1968, Commun. ACM.

[15]  Hao Li,et al.  Towards a fast packet inspection over compressed HTTP traffic , 2017, 2017 IEEE/ACM 25th International Symposium on Quality of Service (IWQoS).

[16]  Anat Bremler-Barr,et al.  Deep Packet Inspection as a Service , 2014, CoNEXT.

[17]  Patrick Crowley,et al.  Algorithms to accelerate multiple regular expressions matching for deep packet inspection , 2006, SIGCOMM 2006.

[18]  Dana Shapira,et al.  Adapting the Knuth-Morris-Pratt algorithm for pattern matching in Huffman encoded texts , 2004, Data Compression Conference, 2004. Proceedings. DCC 2004.

[19]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[20]  Abraham Lempel,et al.  A universal algorithm for sequential data compression , 1977, IEEE Trans. Inf. Theory.

[21]  Robert S. Boyer,et al.  A fast string searching algorithm , 1977, CACM.

[22]  Ayumi Shinohara,et al.  Multiple pattern matching in LZW compressed text , 1998, Proceedings DCC '98 Data Compression Conference (Cat. No.98TB100225).

[23]  Udi Manber,et al.  A FAST ALGORITHM FOR MULTI-PATTERN SEARCHING , 1999 .

[24]  Min Sik Kim,et al.  DFA-Based Regular Expression Matching on Compressed Traffic , 2011, 2011 IEEE International Conference on Communications (ICC).