A Memory Efficient DFA based on Pattern Segmentation for Deep Packet Inspection

1. A Memory Efficient DFA based on Pattern Segmentation for Deep Packet Inspection • Author: Yeim-Kuan Chang and Jo-Ning Yu • Publisher: • Presenter: Yuen-Shuo Li • Date: 2013/04/24

2. Background As the role of NIDS has become more important, we have to develop a new high-throughput algorithm to find out the hidden virus in packet payload because the performance of pattern match algorithm is the bottleneck of NIDS.

3. Method of improving AC • Cutting pattern into sub-patterns (pattern segmentation) • Parallel Match Top k Levels • Bitmap-based compression

4. Pattern segmentation Backward Transitionscan avoid repeat matching with the same sub-pattern. It can improve the performance of match process. backward Transitions

5. Pattern segmentation(cont.) 10 states 16 states

6. Parallel Match Top k Levels The transitions going back to one of the top k levels account for a very large proportion of all transitions.

7. Parallel Match Top k Levels To reduce memory usage, we adopt the parallel architecture to remove these transitions.

8. h e r s Bitmap-based compression 1 2 8 0 9 i s 7 6 r s h e 4 5 3

9. Overview of architecture

10. Overview of architecture(Cont.)

11. Input stream : h e x r o s e Pattern set : { heroes, rose, hohero } Pattern set’ : { he, ro,es, se, ho } e sub pattern match FSM Main optimized AC automaton (Optimized AC automata) 2 1 h o 5 0 r o 3 4 s e e 7 6 s 9 8 11

12. Performance

13. Performance

14. Performance