O3FA: A scalable finite automata-based pattern-matching engine for out-of-order deep packet inspection

To match signatures of malicious traffic that span packet boundaries, network intrusion detection and prevention systems (NIDS/NIPS) typically perform pattern matching only after flow reassembly or packet reordering. This can require large packet buffers, which in turn exposes detection to denial-of-service (DoS) attacks in which an attacker exhausts the buffer capacity by sending long sequences of out-of-order packets. Solutions have been proposed for exact-match patterns, but regular-expression matching on out-of-order packets remains an open problem; the key difficulty is matching complex sub-patterns, such as repetitions of wildcards, at the boundary between packets. Our approach builds on the insight that different segments matching the same repetitive sub-pattern are logically equivalent from the perspective of the regular-expression matching engine, so interchanging them does not affect the final result. In this paper we present O3FA, a finite-automata-based deep packet inspection engine that performs regular-expression matching on out-of-order packets without requiring flow reassembly. O3FA couples a deterministic finite automaton (DFA) with a set of prefix- and suffix-FAs, which together allow out-of-order packets to be processed on the fly. We present the design, optimization, and evaluation of the O3FA engine. Our experiments show that it requires 20×–4000× less buffer space than conventional buffer-and-reassemble schemes on various datasets, and that it processes packets in real time, i.e., as they arrive and without reassembly.
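
The two claims above (no payload buffering for out-of-order segments, and interchangeability of segments that match the same repetitive sub-pattern) can be made concrete with a small experiment. The Python below is an added illustration written for this page; it is not O3FA's code and not the prefix-/suffix-FA construction from the paper. It builds a DFA for a tiny regex dialect (literals, `.`, and `*` on a single atom), summarises each out-of-order segment by its transfer function (the DFA state it drives every DFA state into, one entry per state regardless of segment length), and composes those summaries once the gap is filled. Two segments are interchangeable for the engine exactly when their transfer functions coincide. The dialect, the class names (`Matcher`, `OutOfOrderMatcher`), and the sample segments are all constructed for the example; retransmissions and overlapping segments are deliberately out of scope.

```python
"""Added illustration (not O3FA's code): regex matching over out-of-order
TCP segments without reassembling the payload.

Each segment that arrives ahead of the contiguous prefix is summarised by
its transfer function (the DFA state it maps every DFA state to).  That
summary has a fixed size, so long runs of out-of-order packets cannot
inflate a per-flow payload buffer.  Two segments are interchangeable for
the engine iff their transfer functions are equal.
Regex dialect, class names and sample packets are constructed for the example.
"""

ANY = None  # wildcard marker for the '.' atom


def parse(pattern):
    """Parse e.g. 'abc.*def' into a list of (char or ANY, starred) atoms."""
    atoms, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        i += 1
        starred = i < len(pattern) and pattern[i] == '*'
        if starred:
            i += 1
        atoms.append((ANY if c == '.' else c, starred))
    return atoms


class Matcher:
    """Unanchored DFA over NFA positions: a match may start at any byte and,
    once found, is sticky (as a NIDS signature hit would be)."""

    def __init__(self, pattern):
        self.atoms = parse(pattern)
        self.n = len(self.atoms)          # position n == whole pattern matched
        self.start = self._close({0})

    def _close(self, positions):
        # A starred atom may be skipped: epsilon-move from position k to k+1.
        s, stack = set(positions), list(positions)
        while stack:
            k = stack.pop()
            if k < self.n and self.atoms[k][1] and k + 1 not in s:
                s.add(k + 1)
                stack.append(k + 1)
        return frozenset(s)

    def step(self, state, ch):
        nxt = {0}                         # unanchored search restarts at 0
        if self.n in state:
            nxt.add(self.n)               # keep the match once it occurred
        for k in state:
            if k < self.n:
                atom, starred = self.atoms[k]
                if atom is ANY or atom == ch:
                    nxt.add(k if starred else k + 1)
        return self._close(nxt)

    def run(self, state, data):
        for ch in data:
            state = self.step(state, ch)
        return state

    def accepts(self, state):
        return self.n in state

    def reachable_states(self):
        """Enumerate DFA states over 7-bit ASCII (patterns here are ASCII)."""
        alphabet = [chr(b) for b in range(128)]
        seen, todo = {self.start}, [self.start]
        while todo:
            s = todo.pop()
            for ch in alphabet:
                t = self.step(s, ch)
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return sorted(seen, key=lambda s: tuple(sorted(s)))


class OutOfOrderMatcher:
    """Per-flow matcher that never buffers out-of-order payload bytes."""

    def __init__(self, matcher):
        self.m = matcher
        self.states = matcher.reachable_states()
        self.index = {s: i for i, s in enumerate(self.states)}
        self.state = matcher.start        # DFA state after the contiguous prefix
        self.next_seq = 0
        self.pending = {}                 # seq -> (length, transfer function)
        self.matched = False

    def transfer(self, payload):
        """Tuple: for each DFA state index, the index it ends in after payload."""
        return tuple(self.index[self.m.run(s, payload)] for s in self.states)

    def feed(self, seq, payload):
        # Example simplification: data below next_seq is a retransmit and is
        # dropped; overlapping or partially duplicated segments are not handled.
        if seq < self.next_seq:
            return self.matched
        if seq == self.next_seq:
            self.state = self.m.run(self.state, payload)
            self.next_seq += len(payload)
        else:
            self.pending[seq] = (len(payload), self.transfer(payload))
        # Drain summaries that became contiguous: compose, never rescan bytes.
        while self.next_seq in self.pending:
            length, tf = self.pending.pop(self.next_seq)
            self.state = self.states[tf[self.index[self.state]]]
            self.next_seq += length
        self.matched = self.matched or self.m.accepts(self.state)
        return self.matched

    def pending_cost(self):
        """(bytes a reassembly buffer would hold, entries this scheme holds)."""
        payload_bytes = sum(length for length, _ in self.pending.values())
        return payload_bytes, len(self.pending) * len(self.states)


def demo():
    """Constructed flow 'xxabc' 'filler' 'MORE' 'def!!' delivered as 2,1,3,0."""
    segments = [(0, "xxabc"), (5, "filler"), (11, "MORE"), (15, "def!!")]
    ooo = OutOfOrderMatcher(Matcher("abc.*def"))
    return [ooo.feed(*segments[i]) for i in (2, 1, 3, 0)]


if __name__ == "__main__":
    print(demo())
```

The boundary subtlety from the abstract shows up directly: for `abc.*def`, fillers such as `xxxx` and `yy` have identical transfer functions and can be swapped freely, but `filler` and `MORE` do not, because a segment starting with `f` completes a `de` left dangling by the preceding segment. A real engine must therefore decide equivalence on the automaton, not on the bytes alone.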
