1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Fang Yu Microsoft Research, Silicon Valley Work was done in UC Berkeley,


1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection
Fang Yu, Microsoft Research, Silicon Valley
Work was done in UC Berkeley, jointly with Zhifeng Chen (Google Inc); Yanlei Diao (Umass, Amherst); T. V. Lakshman (Bell Labs); Randy H. Katz (UC Berkeley)

2 Regular Expressions
Flexible way to describe pattern
–Example: for detecting yahoo messenger traffic: ^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
Used in many payload scanning applications
–L7-filter: protocol identifiers
–Bro: intrusion patterns
–SNORT: No regular expression in April 2003; 1131 out of 4867 intrusion rules contain regular expressions as of Jan 2006

3 Challenges
Features specific to packet scanning applications
Large set of patterns, order of 100s or 1000s

| | Snort | L7-filter | XML filtering |
|---|---|---|---|
| # of regular expressions analyzed | 1555 | 70 | 1,000-100,000 |
| % of patterns with wildcards “., +, ?, *” | 74.9% | 75.7% | 50%-100% |
| Average # of wildcards per pattern | 4.7 | 7.0 | 1-2 |
| % of patterns with class “[ ]” | 31.6% | 52.8% | 0 |
| Average # of classes per pattern | 8.0 | 4.8 | 0 |
| % of patterns with length restrictions on classes or wildcards | 56.3% | 21.4% | 0 |

4 Design Space
Automata-based approaches: DFA-based or NFA-based (example patterns: (A|B)C and (A|D)E)
–NFA-based: a group of states can be activated simultaneously
–DFA-based: only one state is activated
–High percentage of wildcards → NFA-based approaches can be slow, sometimes less than 1Mb/s
DFA-based: repeated scan or one pass scan
–Repeated scan
  Start scanning from one position, if no match, start again at the next position
  Good for parsers
  Packets may not contain any patterns
  No guarantee of high speed
–One pass scan
  Scan the input only once
  Fast and deterministic throughput
  Add .* before patterns
  Some patterns generate very large DFA
One pass scan: m individual DFAs or one composite DFA for m patterns
–m individual DFAs for m patterns: O(m) processing complexity for each input character
–One composite DFA for m patterns: O(1) processing complexity for each input character
Contributions
–Rewrite techniques to reduce memory usage
  Make DFA-based approach feasible
–Selectively group patterns into k groups (e.g., k=3)
  Avoid exponential memory growth
  Further speed up matching process
(Space Problem)

5 DFA Sizes of Regular Expressions

| Pattern features | Example | # of states | % of patterns | Average # of states |
|---|---|---|---|---|
| 1) Explicit strings with k characters | ^ABCD, .*ABCD | k+1 | 25.1% | 23.63 |
| 2) Wildcards | ^AB.*CD, .*AB.*CD | k+1 | 18.82% | 27.20 |
| 3) Patterns with ^, a wildcard, and a length restriction j | ^AB.{j+}CD, ^AB.{0, j}CD, ^AB.{j}CD | O(k*j) | 44.7% | 180.31 |
| 4) Patterns with ^, a class of characters overlaps with the prefix, and a length restriction j | ^A+[A-Z]{j}D | O(k+j^2), j~370 | 5.11% | 136903 |
| 5) Patterns with a length restriction j, where a wildcard or a class of characters overlaps with the prefix | .*AB.{j}CD, .*A[A-Z]{j+}D | O(k+2^j), j~344 | 6.27% | >2^214 |

Slide annotations: Typical patterns in network payload scanning applications; Rewrite Rule 2; Focus of this talk; Rewrite Rule 1

6 Design Considerations
Completeness of matching results for one pattern
–Complete matching
  Report all the possible substrings
  E.g., a pattern ab* and an input abbb
  –Four possible matches, i.e., a, ab, abb, and abbb
–Non-overlapping matching
  Common practice: left-most longest match, shortest match results
In most payload scanning applications, for one pattern, reporting non-overlapping matching result is sufficient

7 Patterns with Exponential DFA Sizes
Often for detecting buffer overflow attempts, e.g., .*AUTH\s[^\n]{100}
DFA needs to remember all the possible AUTH\s
–A second AUTH\s can either match [^\n]{100} or be counted as a new match of the start of the pattern AUTH\s
–Generate a DFA of >100,000 states
Can’t be efficiently processed by an NFA-based approach either
[Figure: NFA for .*AUTH\s[^\n]{100}, with an ε transition and 100 states for [^\n]; example input: AUTH\sAUTH\s AUTH\s\s AUTH\s\s\s …]

8 Rewriting Intuition
Only the first AUTH\s matters
–If there is a ‘\n’ within the next 100 bytes
  None of the AUTH\s matches the pattern
–Otherwise, the first AUTH\s and the following characters have already matched the pattern
→ Rewrite the pattern to:
  ([^A]|A[^U]|AU[^T]|AUT[^H]|AUTH[^\s]|AUTH\s[^\n]{0,99}\n)*AUTH\s[^\n]{100}
  This generates a DFA of only 106 states
This rewritten pattern
–Reports different numbers of matches from the original pattern in identifying complete matches
–Is equivalent in identifying non-overlapping patterns
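
Added example (not from the original slides): a Python sketch of the rewriting intuition above. It compares a simulation of the original pattern, which keeps one counter per AUTH\s seen, with a single-counter DFA of 1 + 5 + j states (106 for j = 100) that tracks only the first AUTH\s. The function names, the narrowing of \s to a single space, the requirement j >= 1 and the sample input are assumptions of this illustration.

```python
PREFIX = "AUTH "  # AUTH\s, with \s narrowed to one space (assumption of this sketch)

def nfa_scan(data, j):
    # Original .*AUTH\s[^\n]{j}: every AUTH\s seen starts its own counter.
    # Returns (end offsets of all matches, peak number of live counters).
    counters, ends, peak = [], [], 0
    for i, ch in enumerate(data):
        # a newline kills every pending counter; any other byte advances them
        counters = [] if ch == "\n" else [c + 1 for c in counters]
        if counters and counters[0] == j:      # oldest counter completes a match
            ends.append(i)
            counters.pop(0)
        if i >= len(PREFIX) - 1 and data.startswith(PREFIX, i - len(PREFIX) + 1):
            counters.append(0)                 # a new AUTH\s ends at offset i
        peak = max(peak, len(counters))
    return ends, peak

def dfa_scan(data, j):
    # Rewritten form: only the first AUTH\s is tracked, so one counter suffices.
    # States: 0..5 = progress through AUTH\s, 5+c = c bytes counted; 6+j in total.
    state, ends = 0, []
    for i, ch in enumerate(data):
        if state >= len(PREFIX):               # counting [^\n]
            state = 0 if ch == "\n" else state + 1
        elif ch == PREFIX[state]:
            state += 1
        else:
            state = 1 if ch == "A" else 0      # restart the prefix match
        if state == len(PREFIX) + j:           # accept, then start over
            ends.append(i)
            state = 0
    return ends

def non_overlapping(ends, j):
    # Keep a match only if it starts after the previously kept match ended.
    kept = []
    for e in ends:
        if not kept or e - (len(PREFIX) + j) + 1 > kept[-1]:
            kept.append(e)
    return kept

# Constructed input: 20 back-to-back AUTH\s prefixes, then 100 filler bytes.
SAMPLE = "AUTH " * 20 + "z" * 100

if __name__ == "__main__":
    all_ends, peak = nfa_scan(SAMPLE, 100)
    print(len(all_ends), "complete matches, peak live counters:", peak)
    print("non-overlapping:", non_overlapping(all_ends, 100), dfa_scan(SAMPLE, 100))
```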

9 Rewriting Effect on the SNORT Rule Set

| Pattern features | Example | # of states | % of patterns | Average # of states |
|---|---|---|---|---|
| 1) Explicit strings with k characters | ^ABCD, .*ABCD | k+1 | 25.1% | 23.63 |
| 2) Wildcards | ^AB.*CD, .*AB.*CD | k+1 | 18.82% | 27.20 |
| 3) Patterns with ^, a wildcard, and a length restriction j | ^AB.{j+}CD, ^AB.{0, j}CD, ^AB.{j}CD | O(k*j) | 44.7% | 180.31 |
| 4) Patterns with ^, a class of characters overlaps with the prefix, and a length restriction j | ^A+[A-Z]{j}D | O(k+j^2) → O(k+j) | 5.11% | 136903 |
| 5) Patterns with a length restriction j, where a wildcard or a class of characters overlaps with the prefix | .*AB.{j}CD, .*A[A-Z]{j+}D | O(k+2^j) → O(k+j) | 6.27% | >2^214 |

10 Rewriting Effect on the SNORT Rule Set
Created scripts to automatically rewrite patterns

| Type of Rewrite | Rule Set | Number of Patterns | Average Length Restriction | DFA Reduction Rate |
|---|---|---|---|---|
| Rewrite Rule for Quadratic Case | Snort | 17 | 370 | >98% |
| Rewrite Rule for Quadratic Case | Bro | 0 | 0 | 0 |
| Rewrite Rule for Exponential Case | Snort | 19 | 344 | >99% |
| Rewrite Rule for Exponential Case | Bro | 49 | 214.4 | >99% |

–After rewriting, patterns in SNORT and Bro can be compiled into DFAs

11 Design Choices
Automata-based approaches: DFA-based or NFA-based
DFA-based: repeated scan or one pass scan
One pass scan: m individual DFAs or one composite DFA for m patterns
–m individual DFAs for m patterns: O(m) processing complexity for each input character
–One composite DFA for m patterns: O(1) processing complexity for each input character
Contributions
–Rewrite techniques to reduce memory usage
  Make DFA-based approach feasible
–Selectively group patterns into k groups (e.g., k=3)
  Further speed up matching process
  Avoid exponential memory growth

12 State Explosion Problem
Randomly adding patterns from the L7-filters into one DFA

13 Interactions of Regular Expressions
Some patterns generate DFA of exponential sizes
–E.g., a DFA for patterns .*AB.*CD and .*EF.*GH

14 Grouping Algorithms
–Fixed local memory limitation (NPU or multi-core architectures)
  Compute pair-wise interactive results, form a graph
  Keep adding patterns until reaching limit
  –Pick a pattern with the fewest interactions to the new group
–Fixed total memory limitation (General single-core CPU architecture)
  First compute the DFA of individual patterns and compute the leftover memory size
  Distribute the leftover memory evenly among ungrouped expressions

15 Experimental Setup
Regular expression pattern sets
–Linux application layer filter (L7-filter): 70 regular expressions
–Pattern sets from Bro intrusion detection systems
  HTTP related patterns: 648 patterns
  Payload related patterns: 223 patterns
Packet traces:
–MIT dump: with viruses and worms
–Berkeley dump: normal traffic
Scanners:
–Generated one pass scanning DFA scanner
–An NFA-based scanner: Pcregrep
–A repeated scanning DFA parser generated by flex

16 Grouping Results for Patterns in L7-filter (70 patterns)
Results of grouping algorithms for fixed total memory

| Total DFA State Limit | Groups | Compilation Time (s) |
|---|---|---|
| 3533 | 70 | |
| 3533 | 12 | 5.602 |
| 4000 | 10 | 7.335 |
| 6000 | 8 | 13.189 |
| 8000 | 6 | 37.098 |
| 10000 | 5 | 37.928 |
| 16000 | 4 | 41.870 |
| 32000 | 3 | 49.976 |

Slide annotations:
–Sum of individual DFAs
–No grouping
–No extra memory cost; 70/12=5.83 times less processing per character
–6.83MB of memory; 70/3=23.3 times less processing per character

17 Throughput Analysis
For Linux L7-filter (70 patterns)
Using PCs with 3GHz single core CPU and 4GB memory

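18 Comparisons to Other Approaches

| Pattern set | Scanner | Throughput (Mb/s), MIT dump | Throughput (Mb/s), Berkeley dump | Memory Consumption (KB) |
|---|---|---|---|---|
| Linux L7-filter (70 patterns) | NFA | 0.98 | 3.4 | 1636 |
| Linux L7-filter (70 patterns) | DFA RP | 16.3 | 34.6 | 7632 |
| Linux L7-filter (70 patterns) | DFA OP, 3 groups | 690.8 | 728.3 | 13596 |
| Bro HTTP (648 patterns) | NFA | 30.4 | 56.1 | 1632 |
| Bro HTTP (648 patterns) | DFA RP | 117.2 | 83.2 | 1624 |
| Bro HTTP (648 patterns) | DFA OP, 1 group | 1458 | 1612.8 | 4264 |
| Bro Payload (223 patterns) | NFA | 5.8 | 14.8 | 1632 |
| Bro Payload (223 patterns) | DFA RP | 17.1 | 25.6 | 7628 |
| Bro Payload (223 patterns) | DFA OP, 4 groups | 566.1 | 568.3 | 4312 |

NFA – Pcregrep
DFA RP – Flex generated DFA-based repeated scan engine
DFA OP – Our DFA one pass scanning engine
DFA OP is
–48 to 704 times faster over the NFA implementation
–12-42 times faster than the commonly used DFA-based parser
–Use 2.6 to 8.4 times memory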

19 Conclusions
High speed regular expression matching scheme
–Proposed two rewrite rules
  DFA-based approach is possible with our rewriting rules
  Can rewrite complicated patterns from our pattern sets
  In other pattern sets, there may be patterns not covered by our rewriting rules.
–Developed grouping algorithm to selectively group patterns together
  Orders of magnitude faster than existing solutions
–Can be applied to FPGA or ASIC based approaches as well

