A DFA with Extended Character-Set for Fast Deep Packet Inspection

Author

Cong Liu ; Yan Pan ; Ai Chen ; Jie Wu

Author_Institution

Sun Yat-sen Univ., Guangzhou, China

Volume

63

Issue

8

fYear

2014

fDate

Aug. 2014

Firstpage

1925

Lastpage

1937

Abstract

Deep packet inspection (DPI), based on regular expressions, is expressive, compact, and efficient in specifying attack signatures. We focus on their implementations based on general-purpose processors that are cost-effective and flexible to update. In this paper, we propose a novel solution, called deterministic finite automata with extended character-set (DFA/EC), which can significantly decrease the number of states through doubling the size of the character-set. Unlike existing state reduction algorithms, our solution requires only a single main memory access for each byte in the traffic payload, which is the minimum. We perform experiments with several Snort rule-sets. Results show that, compared to DFAs, DFA/ECs are very compact and are over four orders of magnitude smaller in the best cases; DFA/ECs also have smaller memory bandwidth and run faster. We believe that DFA/EC will lay a groundwork for a new type of state compression technique in fast packet inspection.

Keywords

data compression; deterministic automata; digital signatures; finite automata; inspection; DFA/EC; DPI; attack signatures; deterministic finite automata with extended character-set; fast deep packet inspection; general-purpose processors; regular expressions; snort rule-sets; state compression technique; traffic payload; Automata; Doped fiber amplifiers; Encoding; Inspection; Memory management; Payloads; Program processors; Deep packet inspection (DPI); deterministic finite automata (DFA); extended character-set (EC); regular expression;

fLanguage

English

Journal_Title

Computers, IEEE Transactions on

Publisher

ieee

ISSN

0018-9340

Type

jour

DOI

10.1109/TC.2013.93

Filename

6506070