A Byte-Filtered String Matching Algorithm for Fast Deep Packet Inspection

As link rates and traffic volumes of Internet are constantly growing, string matching using the Deterministic Finite Automaton (DFA) will be the performance bottleneck of Deep Packet Inspection (DPI). The recently proposed bit-split string matching algorithm suffers from the unnecessary state transitions problem, limiting the efficiency of DPI. The root cause lies in the fact that each tiny DFA of the bit-split algorithm only processes a k-bit substring of each input character, but can't check whether the entire character belongs to the original alphabet for a set of signature rules or no. This paper proposes a byte-filtered string matching algorithm, where Bloom filters are used to preprocess each byte of every incoming packet payload to check whether the input byte belongs to the original alphabet or not, before performing bit-split string matching. Our experimental results show that compared to the bit-split algorithm, our byte-filtered algorithm enormously decreases the time of string matching as well as the number of state transitions of tiny DFAs on both synthetic and real signature rule sets.

[1]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[2]  John W. Lockwood,et al.  Fast and scalable pattern matching for content filtering , 2005, 2005 Symposium on Architectures for Networking and Communications Systems (ANCS).

[3]  John W. Lockwood,et al.  Deep packet inspection using parallel bloom filters , 2004, IEEE Micro.

[4]  Beate Commentz-Walter,et al.  A String Matching Algorithm Fast on the Average , 1979, ICALP.

[5]  Wayne Luk,et al.  Bitwise optimised CAM for network intrusion detection systems , 2005, International Conference on Field Programmable Logic and Applications, 2005..

[6]  Viktor K. Prasanna,et al.  Time and area efficient pattern matching on FPGAs , 2004, FPGA '04.

[7]  Dionisios N. Pnevmatikatos,et al.  Pre-decoded CAMs for efficient and high-speed NIDS pattern matching , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[8]  Timothy Sherwood,et al.  Bit-split string-matching engines for intrusion detection and prevention , 2006, TACO.

[9]  Christopher R. Clark,et al.  Scalable pattern matching for high speed networks , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[10]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[11]  Viktor K. Prasanna,et al.  A methodology for synthesis of efficient intrusion detection systems on FPGAs , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[12]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[13]  Andrei Broder,et al.  Network Applications of Bloom Filters: A Survey , 2004, Internet Math..

[14]  Evangelos P. Markatos,et al.  Generating realistic workloads for network intrusion detection systems , 2004, WOSP '04.

[15]  Bin Liu,et al.  A Memory-Efficient Parallel String Matching Architecture for High-Speed Intrusion Detection , 2006, IEEE Journal on Selected Areas in Communications.

[16]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[17]  Vijay Kumar,et al.  High Speed Pattern Matching for Network IDS/IPS , 2006, Proceedings of the 2006 IEEE International Conference on Network Protocols.

[18]  M. V. Ramakrishna,et al.  Efficient Hardware Hashing Functions for High Performance Computers , 1997, IEEE Trans. Computers.

[19]  Jan van Lunteren,et al.  High-Performance Pattern-Matching for Intrusion Detection , 2006, INFOCOM.

[20]  Ron K. Cytron,et al.  A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching , 2006, ISCA 2006.

[21]  T. V. Lakshman,et al.  Gigabit rate packet pattern-matching using TCAM , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..

[22]  Yan Luo,et al.  Efficient memory utilization on network processors for deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[23]  George Varghese,et al.  Deterministic memory-efficient string matching algorithms for intrusion detection , 2004, IEEE INFOCOM 2004.