Presentation is loading. Please wait.

Presentation is loading. Please wait.

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:

Similar presentations


Presentation on theme: "StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:"— Presentation transcript:

1 StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher: 2011 IEEE International Conference on Communications Presenter: Ching-Hsuan Shih Date: 2014/06/11 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.

2 Outline Introduction Related Work System Design Principles and Challenges Building StriD 2 FAs from Regex Optimization of False Positive Evaluation 2 National Cheng Kung University CSIE Computer & Internet Architecture Lab

3 Introduction (1/2) Signature-based deep packet inspection has taken root as a dominant security mechanism in networking devices and computer systems. Regular expressions are more expressive than simple patterns of strings and therefore able to describe a wider variety of payload signatures. National Cheng Kung University CSIE Computer & Internet Architecture Lab 3

4 Introduction (2/2) A novel length-based matching (LBM) is presented for accelerating regex matching. LBM has a DFA-like matcher called Stride-DFA (StriD 2 FA). Causing false positive. National Cheng Kung University CSIE Computer & Internet Architecture Lab 4

5 Related Work National Cheng Kung University CSIE Computer & Internet Architecture Lab 5 Dharmapurikar et al. presented a scheme [7] that can process multiple characters per clock cycle with Bloom-filter. A recent method [4] introduces the sampling techniques to accelerate regex matching, but it not all kinds of regex are supported.

6 A. Converting input stream into stride lengths (SL) stream In this manner, any SL sent to a StriD 2 FA must be in a finite alphabet set Σ = {1, …, w}. System Design Principles and Challenges (1/5) National Cheng Kung University CSIE Computer & Internet Architecture Lab 6

7 B. An Example of StriD 2 FA Suppose the regex rule is “.*abba.{2}caca”. Here ‘a’ is chosen as the tag and the window size is 3. i. F a (.*abba) = (1 | 2 | 3) + 3 ii. F a (.{2}caca) = 3 1 2 | 1 3 2 | 2 2 2 | 1 1 2 2 iii. Finally the regex F a (.*abba.{2}caca) = (1 | 2 | 3) + 3 (3 1 2 | 1 3 2 | 2 2 2 | 1 1 2 2), where the alphabet set is {1, 2, 3}. System Design Principles and Challenges (2/5) National Cheng Kung University CSIE Computer & Internet Architecture Lab 7

8 Given an byte stream T = “abcababbabccacabc”. It is first converted into SL stream F a (T) = 3 2 3 3 1 2 And it matched by the StriD 2 FA, then the input stream is sent to the verification module to make an accurate match by using some traditional methods (e.g., reversed DFA in [4]) System Design Principles and Challenges (3/5) National Cheng Kung University CSIE Computer & Internet Architecture Lab 8

9 C. Benefits of LBM Increased speed: According to the statistics in Section VI, average SLs of some characters are larger than 100. Small memory consumption: Firstly, the number of states is generally less than traditional DFA (e.g., StriD 2 FA has 5 less states than the traditional DFA in Figure 2). Secondly, the fanout of each state is controlled by the window size. System Design Principles and Challenges (4/5) National Cheng Kung University CSIE Computer & Internet Architecture Lab 9

10 D. Challenges Regex converting: In Section IV, a formal method to efficiently construct StriD 2 FA from any regex is described. False positive rate System Design Principles and Challenges (5/5) National Cheng Kung University CSIE Computer & Internet Architecture Lab 10

11 1. Compile Regex to standard DFA. 2. Restructure the DFA by classifying all the transitions. All labels are removed on transitions and mark each transition whether its character is the tag (solid transition if true and dashed transition otherwise). Building StriD 2 FAs from Regex (1/2) National Cheng Kung University CSIE Computer & Internet Architecture Lab 11

12 3. Transform the restructured DFA to a non-deterministic StriD 2 FA by the depth first search (DFS) algorithm. If a solid transition (pointing to state q’) is reachable in L steps where L ≦ w, add a transition labeled L from q to q’. Otherwise (i.e., there is an all-dashed-transition path of length w to state q’), add a transition labeled w from q to q’. 4. Determinize to the final StriD 2 FA (similar to the determinization in traditional DFA) Building StriD 2 FAs from Regex (2/2) National Cheng Kung University CSIE Computer & Internet Architecture Lab 12

13 Optimization of False Positive National Cheng Kung University CSIE Computer & Internet Architecture Lab 13

14 Evaluation (1/2) National Cheng Kung University CSIE Computer & Internet Architecture Lab 14

15 Evaluation (2/2) National Cheng Kung University CSIE Computer & Internet Architecture Lab 15


Download ppt "StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:"

Similar presentations


Ads by Google