Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation
Authors: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach
Publisher: IEEE INFOCOM 2014
Presenter: Yen-Chun Tseng
Date: 2014/09/24
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.

Introduction
Use a DFA-tree to address both the slow matching speed of NFAs and the state-space explosion problem of DFAs.
Use the concept of Compact Overapproximate DFA (CODFA) as the building block for the DFA-tree construction.
National Cheng Kung University CSIE Computer & Internet Architecture Lab

DFA-tree

DFA combination

CODFA (Compact Overapproximate DFA)
A CODFA keeps only the most frequent, or “hot”, states of a DFA and the transitions between them, and collapses the remaining states into a single state. This operation is called “shrink”.

CODFA

DFA-tree

Problems encountered
Input strings may be dirty.
Approximation errors.
How to choose the “hot” state.

If input strings are dirty
Such attacks or poor performance are easy to detect and, if persistent, the ISP can temporarily switch to DFA-set matching.

Switch to DFA-set matching
[Figure: DFAs D1 to D12]
It needs to check 12 states in the worst case.

Switch to DFA-set matching
[Figure: DFAs D1 to D8]
Only needs 8 states.
This is 1.5X (50%) faster than if the DFA-tree was used.

Approximation Errors
[Figure: DFAs D1, D2 and D3 with the patterns VIRUS, VIRAL and VIR*; input: VIRUL]

Approximation Errors
Select more hot states.

Choose the “hot” state
A solution may exist, but we may fail to find it. However, we have not encountered this in practice.

Choose the “hot” state
If $Q$ is ordered as $\{q_0, q_1, \ldots, q_{|Q|-1}\}$, we restrict our search for $H$ to the $|Q|$ sets of valid candidates of the form $H_k = \{q_0, q_1, \ldots, q_k\}$, where
$\{q_0\} = H_0 \subset H_1 \subset \cdots \subset H_k \subset \cdots \subset H_{|Q|-1} = Q$.
We aim for $F^{+}_{I}(D_{H_k}, D) \le \epsilon$.
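
The shrink operation and the nested hot-state search above, applied to the VIRUS/VIRAL signatures and the VIRUL input from the approximation-error slides; this is an added example, not code from the slides or the paper. It assumes the collapsed state is an accepting sink, that states are ordered by visit frequency on a constructed sample, and that the error measure is the false-positive rate on that sample; all function names are illustrative.

```python
from collections import Counter
PATTERNS = ("VIRUS", "VIRAL")                  # signatures from the slides
MATCH = "<match>"                              # absorbing accept state of D
SAMPLE = ["HELLO", "VIDEO", "VIRUL", "VIRUS"]  # constructed sample traffic

def step(state, ch):
    """Exact DFA D: a state is the longest input suffix that is a pattern prefix."""
    if state == MATCH:
        return MATCH
    s = state + ch
    if any(s.endswith(p) for p in PATTERNS):
        return MATCH
    while not any(p.startswith(s) for p in PATTERNS):
        s = s[1:]
    return s

def run_exact(data):
    state, visited = "", [""]
    for ch in data:
        state = step(state, ch)
        visited.append(state)
    return state == MATCH, visited

def run_shrunk(data, hot):
    """CODFA D_H: non-hot states collapse into one accepting sink (assumption)."""
    state = ""
    for ch in data:
        state = step(state, ch)
        if state not in hot:
            return True        # left the hot set: possible match, check exactly
    return state == MATCH

def order_states(sample):
    """q0 first, then states by visit frequency on the sample (assumed ordering)."""
    counts = Counter(s for d in sample for s in run_exact(d)[1])
    return [""] + [s for s, _ in counts.most_common() if s != ""]

def fp_rate(sample, hot):  # assumed error measure: false positives on the sample
    wrong = sum(run_shrunk(d, hot) and not run_exact(d)[0] for d in sample)
    return wrong / len(sample)

def choose_hot(sample, eps):
    """Smallest nested candidate H_k whose false-positive rate is <= eps."""
    order = order_states(sample)
    for k in range(len(order)):
        hot = set(order[: k + 1])
        if fp_rate(sample, hot) <= eps:
            return hot
    return set(order)
```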

Experimental Evaluation
The average space overhead was 15%.
Worst-case attacks can only achieve a 26% slowdown on average.
Shrinking is effective: for an approximation error rate of 0.2%, the average compression is 97%.