Upload
art
View
58
Download
0
Tags:
Embed Size (px)
DESCRIPTION
A Memory Efficient DFA based on Pattern Segmentation for Deep Packet Inspection. Author: Yeim-Kuan Chang and Jo- Ning Yu Publisher : Presenter: Yuen- Shuo Li Date : 2013/04/24. Background. - PowerPoint PPT Presentation
Citation preview
1
A Memory Efficient DFA based on Pattern Segmentation for Deep Packet Inspection
Author: Yeim-Kuan Chang and Jo-Ning Yu Publisher: Presenter: Yuen-Shuo Li Date: 2013/04/24
2
Background
As the role of NIDS has become more important, we have to develop a new high-throughput algorithm to find out the hidden virus in packet payload because the performance of pattern match algorithm is the bottleneck of NIDS.
3
Method of improving AC
Cutting pattern into sub-patterns (pattern segmentation) Parallel Match Top k Levels Bitmap-based compression
4
Pattern segmentation
Backward Transitions can avoid repeat matching with the same sub-pattern. It can improve the performance of match process.
backward Transitions
5
Pattern segmentation(cont.)
16 states 10 states
6
Parallel Match Top k Levels
The transitions going back to one of the top k levels account for a very large proportion of all transitions.
7
Parallel Match Top k Levels
To reduce memory usage, we adopt the parallel architecture to remove these transitions.
8
Bitmap-based compression
e h i r s0 0...
00 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0…0
1 0...0
1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0…0
2 0...0
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0...0
3 0...0
0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0...0
4 0...0
1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0...0
5 0...0
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0...0
6 0...0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0...0
7 0...0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0...0
index
array of NS
State 0
0 1 3
State 1
1 2 6
State 2
2 8
State 3
3 4
State 4
4 5
State 5
5 8
State 6
6 7
State 7
7
State 8
6 9
State 9
7
h
7s
0 1 2e 8r 9s
4h 5e
6i
3sr
9
Overview of architecture
10
Overview of architecture(Cont.)
11
11
Pattern set : { heroes, rose, hohero }
Pattern set’ : { he, ro, es, se, ho }
Input stream : h e x r o s e
he
o
3r
se
o 4
6
0
1 2
5
7e
s8 9
sub pattern match FSMMain optimized AC automaton
(Optimized AC automata)
Search cycle
Currrent state
Input id
# of scanned byte
cu_len
Next state
Detected pattern
Cycle 1 0 0 2 0 1Cycle 2 1 1 5 2 4Cycle 3 4 3 7 5 5 rose
12
Performance
13
Performance
Original AC optimized automaton
Our proposed scheme
Pattern # 28.10K 28.10KTotal character # 1.83M 1.83MState # of AC optimized automaton(our scheme includes parallel prefix optimized AC automaton)
1.75M 1.42M
Transition # of AC optimized automaton (our scheme includes parallel prefix optimized AC automaton)
446.77M 2.70M
Total memory 1.75GB 15.84MB
14
Performance
AC Types # of Partitions
Memory/char
AC automaton optimized AC 1 975.36 B
(2D) P2-Hash [2]
un-optimized AC 1 11.1 B
(2D) P2-Hash [2] optimized AC 1 9.53 B
CDFA [21] optimized AC 32 6.1 B
Our Scheme optimized AC 1 8.6 B