A DFA with Extended Character-Set for Fast Deep Packet Inspection 2018/6/2 A DFA with Extended Character-Set for Fast Deep Packet Inspection Author: Cong Liu, Yan Pan, Ai Chen, and Jie Wu Presenter: Xiao-Min Zheng Date:2016/11/09 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab 1
2018/6/2 Introduction DPI is becoming increasing important in classifying and controlling network traffic. We focus on a general-purpose processor approach. NFA implementations of regular expression will cause a nondeterministic number of main memory accesses per byte. DFA implementations of regular expression will cause a very large memory space to store their transition table. 第二點:新的DPI系統,軟體部分像SNORT的regular expression,硬體部分提出平行機制和快速on-chip memory,小型on-chip lookup engines,或者有特殊目的的processor approach。 第三點和第四點:特殊目的的設備的查詢速度受限於processor的記憶體頻寬,為了加快,需要減少the number of main memory accesses per bytes in the traffic payload. NFA 和DFA有各自的缺點不是很理想,DFA雖然可以take only one main memory accesses per byte,但是。。。 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
2018/6/2 Introduction DFA/EC as a general model of DFA, removes part of each DFA state and incorporates it with the next input character. This novel solution focuses on state reduction, through doubling the size of the character-set. our solution requires only a single main memory access for each byte in the traffic payload. DFA/EC is simple, easy to implement, and easy to update due to fast construction speed. DFA/EC can be combined with other compression approaches to provide a better level of compression. 第三點:和其他state reduction不同的 第二点在第13 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
The Conceptual DFA/EC A DFA can be constructed from a set of NFAs. 2018/6/2 The Conceptual DFA/EC A DFA can be constructed from a set of NFAs. The number of DFA states is the number of possible combinations of active DFA states that can be simultaneously active, which can be exponential to the number of NFA states Let N be the set of NFA states, and let D be the set of DFA states. 1) d∈D,d⊆N; 2) D⊂2N ; 3) |N|≪ |D| ≪| 2N | =2|N| |N|≪ |D| 由于state explosion problem National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
2018/6/2 The Conceptual DFA/EC 這個state explosion problem導致了 DFA size過大的問題,為了解決這個問題提出DFA/EC The reasons why NFAs cause state explosion: 1) The states 2,6, and 7 are more likely to be active; 2) A frequently active NFA state is more likely to be active simultaneously with other sets of states. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
2018/6/2 The Conceptual DFA/EC In DFA/EC we select some of the most frequently active NFA states and incorporate them into the character-set(or the alphabet) of the DFA to form a slightly larger extended character-set. Three states of DFA/EC: 1) main DFA(D1): A main DFA in a DFA/EC that implements the rest of the infrequently active NFA states; 2) complementary states(N2):NFA states that are selected and incorporated into the character-set; 3) main states(N1):Remaining NFA states. 簡單講下如何區分這三種狀態 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
2018/6/2 The Conceptual DFA/EC 1)0,4 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
The Formal Model of DFA/EC Theorem 1: For any DFA, there exists an DFA/EC A DFA/EC can be defined by (D1,D2,C,Ce,He,Te,M) C D Set of simultaneously active sets of main states Set of simultaneously active sets of complementary states Original character-set (or alphabet) Extended character-set Set of conventional DFA states National Cheng Kung University CSIE Computer & Internet Architecture Lab
The Formal Model of DFA/EC 2018/6/2 The Formal Model of DFA/EC He: Generates an extended character ce∈Ce Te: Generates a pair of partial states M: Generates another partial state d1 is the next state of the main DFA D2 is the next state of the complementary program H,M應用在complementary program T應用在transition table National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
The Formal Model of DFA/EC 2018/6/2 The Formal Model of DFA/EC DFA defined by (D,C,T),T:D x C →D can be equivalent to another form of DFA(D1,D2,C,T11,T12,T21,T22) D1交集D2為空,D1聯集D2為D d1聯集d2為d T11 is a transition function ,which returns the set of newly active NFA states in D1 that is activated through transitions from the set of previously active states d1属于D1 on character c. d1 and d2 as sets of simultaneously active NFA states National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
An Efficient implementation 2018/6/2 An Efficient implementation Two constraints on the complementary states 1) conflicting constraint 2) binary constraint The purpose of these constraints is to reduce the range of function He 在证明相等之后,就开始分析complementary state的限制条件,如何选出complementary state A large extended character-set would undermine the advantage of reducing the number of states D1 in the main DFA National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
An Efficient implementation 2018/6/2 An Efficient implementation conflicting constraint complementary state 下一个state不能同一个 Under the non-conflicting constraint, for a given c, their can be at most one complementary state n2 in d2 that has a transition to one or several main states,{n1 }. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
An Efficient implementation 2018/6/2 An Efficient implementation binary constraint 感觉有错 The binary constraint is in terms of the transitions with in N2, while the non-conflicting constraint, concerns transitions from states in N2 to states in N1. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
An Efficient implementation 2018/6/2 An Efficient implementation Determine the complementary states by independent-state method. 1)First step is to estimate the extent to which each NFA state causes state explosion; 2)Second step is to determine the complementary states based on the results in the first step and the two constraints. 如果沒有這兩個限制,太大的extended character-set會降低減少D1的優勢 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
An Efficient implementation 2018/6/2 An Efficient implementation The number of states of a DFA constructed from an NFA depends on the level of independence among the states in the NFA: 1) if every pair of states in the NFA is not independent, the size of the DFA equals that of the NFA; 2) if every pair of states in the NFA is independent, the size of the DFA is 2|N| We measure the level of independence of an NFA state among other NFA states by using the number of times it appears in a pair of independent states, which we call the independent number of the state. N is the size of the NFA National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
An Efficient implementation 2018/6/2 An Efficient implementation Priority是作为一个惩罚数值,来排除大量的状态 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
An Efficient implementation 2018/6/2 An Efficient implementation Main DFA state 的建立 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
2018/6/2 Evaluation We developed several compilers, which read files of rules and created the corresponding inspection programs and the transition tables. We extracted rule-sets from the Snort rules. We developed a synthetic payload generator. We generate the inspection programs for the rule-sets, measure their storages, and load them with the synthetic payloads to measure their performance. Results 1) On storage size 2) On memory bandwidth and speed 如果沒有這兩個限制,太大的extended character-set會降低減少D1的優勢 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
Evaluation The total number of states (percentage to DFA) 2018/6/2 Evaluation The total number of states (percentage to DFA) The significant reduction is due of the removal of the frequently active complementary state in DFA/EC. 表格左方那些奇奇怪怪的是Snort的rule-set National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
Evaluation The total number of transitions (percentage to DFA) 2018/6/2 Evaluation The total number of transitions (percentage to DFA) The number of transitions is the sum of the numbers of transitions of each state. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
Evaluation The transition storage(Bits/Percentage to DFA) 2018/6/2 Evaluation The transition storage(Bits/Percentage to DFA) The total minimum memory (storage) requirement of the transition tables in terms of bits. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
Evaluation The size of the per-flow state(Bits) 2018/6/2 Evaluation The size of the per-flow state(Bits) We measure the sizes of the per-flow state of the inspection programs in terms of bits and words. The per-flow states for DFA , MDFA and DFA/EC are , and + N2 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
Evaluation Memory bandwidth (bits) with different rule-sets 2018/6/2 Evaluation Memory bandwidth (bits) with different rule-sets The memory bandwidths of DFA, MDFA, and DFA/EC are Figure shows that the memory bandwidth of DFA/EC is very close to that of DFA and is much smaller than MDFAs. Memory bandwidth is the amount of memory accesses per byte in the payload National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
Evaluation Memory accesses (times/KB) 2018/6/2 Evaluation Memory accesses (times/KB) The number of main memory accesses per KB of payload. DFA/EC and DFA have the minimum number of main memory accesses, MDFAs increases in proportional to M. Memory bandwidth is the amount of memory accesses per byte in the payload National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
Evaluation Inspection speed(Java) 2018/6/2 Evaluation Inspection speed(Java) We measure the speed of the inspection programs with both Java and C++ implementations in a Unix machine with 16GB of 1333MHz DDR3 memory and a 2.66 GHz Inter Core i5 CPU. The speeds of the inspection programs depend on the hardware and software on which they are implemented. Memory bandwidth is the amount of memory accesses per byte in the payload National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
2018/6/2 Evaluation Java MDFA is fast because of its compact transition table size and the relatively large amount of cache memory in our platform. C++ National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab
2018/6/2 Conclusion DFA/EC a general-purpose processor and regular expressions-based deep packet inspection algorithm. This solution requires only a single main memory access for each byte in the traffic payload. DFA/ECs are very compact, has a smaller memory bandwidth, and runs faster than DFA. We will combine DFA/EC with the existing transition compression and character-set compression techniques, and perform experiments with more rule-sets. CSIE CIAL Lab