Title :
Accelerating Multipattern Matching on Compressed HTTP Traffic
Author :
Bremler-Barr, Anat ; Koral, Yaron
Author_Institution :
Interdiscipl. Center, Efi Arazi Sch. of Comput. Sci., Herzlia, Israel
Date :
6/1/2012 12:00:00 AM
Abstract :
Current security tools, using “signature-based” detection, do not handle compressed traffic, whose market-share is constantly increasing. This paper focuses on compressed HTTP traffic. HTTP uses GZIP compression and requires some kind of decompression phase before performing string matching. We present a novel algorithm, the Aho-Corasick-based algorithm for Compressed HTTP (ACCH), that takes advantage of information gathered by the decompression phase in order to accelerate the commonly used Aho-Corasick pattern-matching algorithm. By analyzing real HTTP traffic and real Web application firewall signatures, we show that up to 84% of the data can be skipped in its scan. Surprisingly, we show that it is faster to perform pattern matching on the compressed data, with the penalty of decompression, than on regular traffic. As far as we know, we are the first paper that analyzes the problem of “on-the-fly” multipattern matching on compressed HTTP traffic and suggests a solution.
Keywords :
Internet; authorisation; computer network security; data compression; hypermedia; string matching; telecommunication traffic; transport protocols; ACCH; Aho-Corasick-based algorithm for Compressed HTTP; GZIP compression; compressed HTTP traffic; data compression; decompression phase; market-share; multipattern matching acceleration; pattern matching; real Web application firewall signatures; security tools; signature-based detection; string matching; Acceleration; Browsers; Dictionaries; Doped fiber amplifiers; Memory management; Pattern matching; Security; Compressed HTTP; computer security; intrusion detection; pattern matching;
Journal_Title :
Networking, IEEE/ACM Transactions on
DOI :
10.1109/TNET.2011.2172456