NFA-Based Pattern Matching for Deep Packet Inspection

Many network security applications in today's networks a0re based on deep packet inspection, checking not only the header portion but also the payload portion of a packet. For example, traffic monitoring, layer-7 filtering, and network intrusion detection all require an accurate analysis of packet content in search for predefined patterns to identify specific classes of applications, viruses, attack signatures, etc. Pattern matching is a major task in deep packet inspection. The two most common implementations of Pattern matching are based on Non-deterministic Finite Automata (NFAs) and Deterministic Finite Automata (DFAs), which take the payload of a packet as an input string. In this paper, we propose an efficient NFA-based pattern matching in Binary Content Addressable Memory(BCAM), which uses data search words consisting of 1s and 0s. Our approach can process multiple characters at a time using limited BCAM entries, which makes our approach scalable well. We evaluate our algorithm using patterns provided by Snort, a popular open-source intrusion detection system. The simulation results show that our approach outperforms existing CAM-based and software-based approaches.

[1]  Li Xuandong,et al.  Hybrid Regular Expressions , 1998 .

[2]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[3]  Patrick Crowley,et al.  A hybrid finite automaton for practical deep packet inspection , 2007, CoNEXT '07.

[4]  Marco D. Santambrogio,et al.  ReCPU: A parallel and pipelined architecture for regular expression matching , 2007, 2007 IFIP International Conference on Very Large Scale Integration.

[5]  Anat Bremler-Barr,et al.  CompactDFA: Generic State Machine Compression for Scalable Pattern Matching , 2010, 2010 Proceedings IEEE INFOCOM.

[6]  Patrick Crowley,et al.  Algorithms to accelerate multiple regular expressions matching for deep packet inspection , 2006, SIGCOMM.

[7]  Christopher R. Clark,et al.  Efficient Reconfigurable Logic Circuits for Matching Complex Network Intrusion Detection Patterns , 2003, FPL.

[8]  Victor C. Valgenti,et al.  Hybrid Regular Expression Matching for Deep Packet Inspection on Multi-Core Architecture , 2010, 2010 Proceedings of 19th International Conference on Computer Communications and Networks.

[9]  George Varghese,et al.  Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia , 2007, ANCS '07.

[10]  Glen Gibb,et al.  NetFPGA—An Open Platform for Teaching How to Build Gigabit-Rate Network Switches and Routers , 2008, IEEE Transactions on Education.

[11]  Vijay Kumar,et al.  High Speed Pattern Matching for Network IDS/IPS , 2006, Proceedings of the 2006 IEEE International Conference on Network Protocols.

[12]  K. Pagiamtzis,et al.  Content-addressable memory (CAM) circuits and architectures: a tutorial and survey , 2006, IEEE Journal of Solid-State Circuits.

[13]  Marco D. Santambrogio,et al.  An adaptable FPGA-based System for Regular Expression Matching , 2008, 2008 Design, Automation and Test in Europe.

[14]  Jonathan S. Turner,et al.  Advanced algorithms for fast and scalable deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[15]  Norio Yamagaki,et al.  High-speed regular expression matching engine using multi-character NFA , 2008, 2008 International Conference on Field Programmable Logic and Applications.

[16]  Anja Feldmann,et al.  Operational experiences with high-volume network intrusion detection , 2004, CCS '04.

[17]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[18]  Stefano Giordano,et al.  An improved DFA for fast regular expression matching , 2008, CCRV.

[19]  Robert S. Boyer,et al.  A fast string searching algorithm , 1977, CACM.

[20]  Laxmi N. Bhuyan,et al.  Compiling PCRE to FPGA for accelerating SNORT IDS , 2007, ANCS '07.

[21]  Wei Lin,et al.  Pipelined Parallel AC-Based Approach for Multi-String Matching , 2008, 2008 14th IEEE International Conference on Parallel and Distributed Systems.

[22]  Michela Becchi,et al.  Evaluating regular expression matching engines on network and general purpose processors , 2009, ANCS '09.

[23]  Patrick Crowley,et al.  An improved algorithm to accelerate regular expression evaluation , 2007, ANCS '07.

[24]  Srihari Cadambi,et al.  Memory-Efficient Regular Expression Search Using State Merging , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[25]  T. V. Lakshman,et al.  Gigabit rate packet pattern-matching using TCAM , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..