1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher: IEEE GLOBECOM, 2007 Presenter: Chen – Yu Lin Date: Aug, 4, 2008

2 Outline Introduction String matching as LPM (Longest Prefix Matching) Evaluation and analysis

3 Introduction (1/2) Deep packet content inspection is one of the most significant challenges and important issues to provide security service in high speed network. Boyer-Moore algorithm has the best search performance amount current well-known single pattern matching algorithm. Aho-Corasick and Wu-Manber are the two most well-known multiple- pattern matching algorithm.

4 Introduction (2/2) A novel scheme, “String Matching as Longest Prefix Matching”, is presented for applying the existing layer-3 LPM techniques of IP lookup to the layer-7 packet content inspection. In this paper, we show that IP lookup can be applied to the content inspection by employing the analogy between IP lookup and automaton-based string matching algorithms.

5 String Matching as LPM (1/11) The proposed model for performing string matching by LPM consists of two stages. 1. State transition by LPM-based table lookup. 2. Searches the pattern ID if the output of the first stage is an accept state. The fundamentality of all kinds of FSA operations is based on state transitions. Ascii code (u=8) Snort 2.4 patterns is (v=16) Input symbol : a Current state : b Index = { a:b } 8 16 a b

6 String Matching as LPM (2/11) The index is used to lookup the corresponding next state in the state table. The major job of the 2 nd stage, pattern search, is to determine whether the output state of state table lookup is an accepting state or not. If it is, then find the matched pattern ID. The state table in state table lookup stage can be represented as a state transition matrix as follows: e (x,y) : next state when current state y receives the input symbol x

7 String Matching as LPM (3/11) An IP lookup algorithm : Multibit trie It segments the 32bit IP address a.b.c.d into two parts: a.b.c & d The concept of this IP lookup algorithm can be adopted straightforwardly to use 24 bits as the index in our proposal. The original 2 24 elements in the automaton matrix can be rearranged as follows: Determine the next state

8 String Matching as LPM (4/11) We straightforwardly assume the combination of the current state and input symbol to be the index and determine the next state using directly-lookup mechanism. The next state and Index are seen as the next hop and IP address in LPM,respectively. Definitions: Index (x,y) = { w 23, w 22, …, w 15, …, w 0 } There are two ways to design the data structure of the state table: State-wise prefix : { v 15, …, v 0, u 7, …, u 0 } This design is suitable for the case when M is an NFA. Symbol-wise prefix : {u 7, …, u 0, v 15, …, v 0 }

9 String Matching as LPM (5/11) Nevertheless, it is interesting to see that when M is a DFA, for each symbol x, most of e (x,y) have the same next state for different current state y. Magic state of x (denoted as ms(x)).

10 String Matching as LPM (6/11) This provides the opportunity to aggregate many consecutive entries into one entry with shorter prefix length. For example: u=2, v=3, and e (x,y-1) = e (x,y) Assume that x = 3(11), y = 5(101), then we have e (11,100) = e (11,101) In other words, the 28 th (11100) and 29 th (11101) entry of state table can be merged into one entry with prefix 1110*. This symbol-wise prefix is the primary key that enables the state table lookup to be processed by using the LPM lookup algorithm.

11 String Matching as LPM (7/11) When u = 8 and v = 16, for the matrix M constructed by the Snort 2.4 patterns, the number of entries is dramatically reduced to from 16-million(2 24 ) entries when the symbol-wise prefix is employed, requiring only 3.5% of original number of entries.

12 String Matching as LPM (8/11) The magic state feature can be further applied to the symbol-wise prefix to reduce the prefix length. In matrix M, if e (x,y) = ms(x), the corresponding Index (x,y) will be transformed to Index ’ (x,y) = { w 23, w 22, …, w 16, *, *,…,* } More precisely, all the entries with the next state equals to the magic state can be merged into one symbol-wise prefix with a length of 8.

13 String Matching as LPM (9/11) With the magic state, the total number of prefix entries decreases to , and the total number of the lookup table entries is dramatically reduced to only 1.5% (273k / 16-million).

14 String Matching as LPM (10/11) [12] presented a data structure for forwarding table named Lulea algorithm designed for fast routing lookups. By ingenious design, it enables the IP routing table to be compressed for storing in the cache of a processor through three elegant structures: Code word array Base index array Maptable In Lulea, the routing prefix is segmented into three levels: One 16-bit level. Two 8-bit levels.

15 String Matching as LPM (11/11) When precessing the next state lookup: Use first 8 bits of Index to decide which code word array and base index array are needed for the lookup. Then, execute level-1 of the Lulea algorithm with the last 16 bits to obtain the next state value.

16 Evaluation and analysis E m (MB) : memory size E t (Mbps) : throughput E : overall efficiency [16] [12]