Deflating the Big Bang: Fast and Scalable Deep Packet Inspection with Extended Finite Automata

Date:101/3/21Publisher:SIGCOMM 08Author:Randy Smith Cristian Estan Somesh Jha Shijin KongIoannidisPresenter : Shi-qu Yu

IntroductionRegular expressions are typically implemented as either

deterministic finite automata (DFAs) or nondeterministic finite automata (NFAs). Like strings, DFAs are fast and can be readily combined. However, for many common signatures their combination exhibits an explosion in the state space

UNDERSTANDING STATE EXPLOSION

Eliminating Ambiguity Through Auxiliary Variables

Theorem 1. Let D1 and D2 be DFAs with D1+D2 their standard product combination. If D1 and D2 are unambiguous, then |D1 + D2| < |D1| + |D2|, where |D| is the number of states in D.

Theorem 2. If D1 and D2 are unambiguous, then D1 + D2 is unambiguous.

XFAXFA Construction[31]Combining XFAsMatching to Input

OPTIMIZATIONExposing Runtime InformationCombining Independent VariablesCode Motion and Instruction Merging

Combining Independent Variables

Dataflow AnalysisCompatibility Analysis

Dataflow Analysis

Definition 2. Let Q be the set of states containing a set operation for counter C. Then, C is active at state S if there is at least one sequence of input symbols forming a path of states from a state in Q to S in which no state in the path contains a reset operation for C. Otherwise C is inactive.

Compatibility AnalysisTwo counters can be reduced to one if they are

compatible at all states in the automaton

Combining Independent Variables

Dataflow AnalysisA stream is a sequence of operations that

execute in order. While the stream is executing, the CPU is able

to collect the next batch of packets.

EXPERIMENTAL EVALUATIONData Set:XFAs on FTP, SMTP, and HTTP signatures

from Snort [28] and Cisco Systems.CPU:3.0 GHz Pentium 4