Condition Factorization: A Technique for Building Fast and Compact Packet Matching Automata

Rule-based matching on network packet headers is a central problem in firewalls and in network intrusion, monitoring, and access-control systems. To enhance performance, rules are typically compiled into a matching automaton that can quickly identify the subset of rules applicable to a given network packet. While deterministic automata provide the best performance, previous research has shown that such automata can be exponential in the size and/or number of rules. Nondeterministic automata avoid size explosion, but their matching time can increase quickly with the number of rules. In contrast, we present a new technique that constructs polynomial-size automata. Moreover, we show that the matching time of our automata is insensitive to the number of rules. The key idea in our approach is to decompose and reorder the tests on packet header fields so that the result of performing a test can be utilized on behalf of many rules. Our experiments demonstrate major reductions in space requirements over previous techniques, as well as significant improvements in matching speed. Our technique uniformly handles prioritized and unprioritized rules, and supports applications that require single-match as well as multi-match.
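The following Python program is an added illustration of the sharing idea the abstract describes, not code from the paper: a small deterministic automaton in which each state tests one header field, and the outcome of that single test is used on behalf of every rule that depends on the field, so the number of tests per packet is bounded by the number of distinct fields rather than by the number of rules. It is compared against rule-by-rule evaluation, and it supports both multi-match (all matching rules) and prioritized single-match. The rule set, field names, and priority scheme are constructed for the example; the node-construction heuristic (test the field shared by the most pending rules) is a simplification and does not reproduce the paper's condition factorization algorithm or its polynomial-size guarantee.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed rule set (not from the paper). A rule is a conjunction of
# equality tests on header fields; a lower priority number wins single-match.
RULES: List[Tuple[str, int, Dict[str, int]]] = [
    ("allow_http",  1, {"proto": 6,  "dport": 80}),
    ("allow_https", 1, {"proto": 6,  "dport": 443}),
    ("allow_dns",   1, {"proto": 17, "dport": 53}),
    ("log_tcp",     5, {"proto": 6}),
    ("log_all",     9, {}),
]
PRIORITY = {name: prio for name, prio, _ in RULES}


@dataclass
class Node:
    test_field: Optional[str] = None                           # None at a leaf
    children: Dict[int, "Node"] = field(default_factory=dict)  # value -> state
    default: Optional["Node"] = None                           # no explicit branch
    matched: List[str] = field(default_factory=list)           # leaf: satisfied rules


def build(pending: List[Tuple[str, Dict[str, int]]]) -> Node:
    """Build the automaton. Each state tests the field shared by the most
    pending rules, so one test is performed on behalf of all of them."""
    if all(not tests for _, tests in pending):
        return Node(matched=[name for name, _ in pending])
    counts = Counter(f for _, tests in pending for f in tests)
    fld = counts.most_common(1)[0][0]
    node = Node(test_field=fld)
    values = sorted({tests[fld] for _, tests in pending if fld in tests})
    # Rules that never test fld stay live on every branch.
    untested = [(n, t) for n, t in pending if fld not in t]
    for v in values:
        # Rules demanding fld == v continue with that test discharged;
        # rules demanding another value of fld are dropped on this branch.
        branch = [(n, {k: x for k, x in t.items() if k != fld})
                  for n, t in pending if t.get(fld) == v]
        node.children[v] = build(branch + untested)
    node.default = build(untested)
    return node


AUTOMATON = build([(name, dict(tests)) for name, _, tests in RULES])


def match(root: Node, packet: Dict[str, int]) -> Tuple[List[str], int]:
    """Multi-match: all rules satisfied by the packet (priority order) and
    the number of field tests performed along the way."""
    node, tests = root, 0
    while node.test_field is not None:
        tests += 1
        node = node.children.get(packet.get(node.test_field), node.default)
    return sorted(node.matched, key=lambda n: (PRIORITY[n], n)), tests


def best_match(root: Node, packet: Dict[str, int]) -> Optional[str]:
    """Single-match: the highest-priority (lowest-numbered) matching rule."""
    names, _ = match(root, packet)
    return names[0] if names else None


def naive_match(packet: Dict[str, int]) -> Tuple[List[str], int]:
    """Rule-by-rule evaluation for comparison: tests grow with the rule count."""
    hits, tests = [], 0
    for name, _, conds in RULES:
        ok = True
        for f, v in conds.items():
            tests += 1
            if packet.get(f) != v:
                ok = False
                break
        if ok:
            hits.append(name)
    return sorted(hits, key=lambda n: (PRIORITY[n], n)), tests


if __name__ == "__main__":
    for pkt in ({"proto": 6, "dport": 80}, {"proto": 6, "dport": 22},
                {"proto": 17, "dport": 53}, {"proto": 1, "dport": 0}):
        print(pkt, "automaton:", match(AUTOMATON, pkt),
              "naive:", naive_match(pkt), "best:", best_match(AUTOMATON, pkt))
```

For the HTTP packet the automaton performs two tests (proto, then dport) and still reports all three applicable rules, whereas rule-by-rule evaluation performs six tests on the same five-rule set; adding more rules that test the same two fields leaves the automaton's test count at two while the naive count keeps growing. Adding a rule on a new field can, however, multiply states in this simplified tree, which is exactly the size problem the paper's factorization is designed to control.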
