Saturday, December 18, 2010

How to Build DPI Products? (Part VI - Regular Expression Matching-2)

Yet another paper on regular expression optimization (see previous post - here) - this time by 4 staff members from the Computer Sciences department of the University of Wisconsin-Madison, USA: Randy Smith (picture below), Cristian Estan, Somesh Jha and Shijin Kong.

See "Deflating the Big Bang: Fast and Scalable Deep Packet Inspection with Extended Finite Automata Inspection with Extended Finite Automata" - here.

Deep packet inspection is playing an increasingly important role in the design of novel network services. Regular expressions are the language of choice for writing signatures, but standard DFA or NFA representations are unsuitable for high-speed environments, requiring too much memory, too much time, or too much per-flow state. DFAs are fast and can be readily combined, but doing so often leads to statespace explosion. NFAs, while small, require large per-flow state and are slow. We propose a solution that simultaneously addresses all these problems. We start with a first-principles characterization of state-space explosion and give conditions that eliminate it when satisfied. We show how auxiliary variables can be used to transform automata so that they satisfy these conditions, which we codify in a formal model that augments DFAs with auxiliary variables and simple instructions for manipulating them. Building on this model, we present techniques, inspired by principles used in compiler optimization, that systematically reduce runtime and per-flow state. In our experiments, signature sets from Snort and Cisco Systems achieve state-space reductions of over four orders of magnitude, per-flow state reductions of up to a factor of six, and runtimes that approach DFAs.

No comments:

Post a Comment