350 likes | 554 Views
Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection. Author: Nan Hua, Haoyu Song, T. V. Lakshman Publisher: INFOCOM 2009 Presenter: Chun-Yi Li Date: 2009/04/22. Outline. Related Work Winnowing Algorithm Variable-Stride DFA Algorithm Optimizations Performance.
E N D
Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection Author: Nan Hua, Haoyu Song, T. V. Lakshman Publisher: INFOCOM 2009 Presenter:Chun-Yi Li Date:2009/04/22
Outline • Related Work • Winnowing Algorithm • Variable-Stride DFA • Algorithm Optimizations • Performance
Related Work Winnowing Algorithm delimiter Winnowing with k= 2 and w= 3 • Calculate the hash value of every consecutive k characters. • Use a sliding window of size w to select the minimum hash value in the window.A tie is broken by selecting the rightmost minimum value.
Related Work Winnowing Algorithm Variable-Stride DFA Algorithm Optimizations Performance Outline
Variable-Stride DFA Segmentation Scheme Properties Coreless pattern Indivisible pattern • Property 1: • The size of any segmented block is in the range [1, w]. • Tail block sizes are in the range [k−1, w+k−2]. • Indivisible pattern sizes are in the range [1, w+k − 2]. • Coreless pattern sizes are in the range [w+k−1, 2w+k−2].
Variable-Stride DFA Segmentation Scheme Properties Property 2: If a pattern appears in a data stream then segmenting the data stream results in exactly the same delimiters for the core blocks of the pattern. The head block can be affected by the preifix and the tail block can be affected by the suffix. However, the core blocks are totally confined to the pattern and isolated from the context. ex: input stream: ...A|BCh|ij|kl|m|nD|EF|... pattern: hij|kl|mn
Variable-Stride DFA Finite Automaton Construction quasi-match state
Variable-Stride DFA System Design and Basic Data Structure
Variable-Stride DFA System Design and Basic Data Structure State Transition Table(STT) Match Table(MT)
Variable-Stride DFA System Design and Basic Data Structure To enable match verification on the Quasi-match states, we need to maintain a Head Queue (HQ) that remembers the Block-matching history. w bytes D entries (D is the length of the longest forwarding path of the VS-DFA) 10
Variable-Stride DFA System Design and Basic Data Structure ex: Data Stream: ‥‥A|BCr|id|ic|ulo|u|sD|EF‥‥ 0 1 2 3 4
Variable-Stride DFA System Design and Basic Data Structure ex: Data Stream: ‥ ‥ABCD|Eau|th|ent|ica|te‥ ‥ 0 1 2 3 4 12
Variable-Stride DFA Short Pattern Handling Using TCAM for short pattern lookups Coreless Pattern Indivisible Pattern
Related Work Winnowing Algorithm Variable-Stride DFA Algorithm Optimizations Performance Outline
Algorithm Optimizations Reducing Single-Byte Blocks It is possible to generate specific inputs that result in only single-byte streams being produced independent of the chosen hash functions and window parameters.
Algorithm Optimizations Combination Rule 1 (applied on data stream) w = 3
Algorithm Optimizations Combination Rule 1 (applied on pattern) Step 1: window size w = 3
Algorithm Optimizations Combination Rule 1 (applied on pattern) Step 2: Replicate 1. 2. 3. 4. 5. 6. window size w = 3
Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 Match pattern 1: window size w = 3
Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 pattern 2: Match window size w = 3
Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 pattern 3: Match window size w = 3
Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 Match pattern 4: window size w = 3 22
Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 pattern 5: Match window size w = 3 23
Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 pattern 6: Match window size w = 3 24
Algorithm Optimizations Combination Rule 2 (applied on data stream) Applying Combination Rule 2 window size w’= w+1 = 3+1 = 4
Algorithm Optimizations Combination Rule 2 (applied on pattern) Step 1: window size w’= w+1 = 3+1 = 4
Algorithm Optimizations Combination Rule 2 (applied on pattern) Step 2: Replicate 1. 2. window size w’= w+1 = 3+1 = 4
Algorithm Optimizations Combination Rule 2 (applied on pattern) Applying Combination Rule 2 Match pattern 1: window size w’= w+1 = 3+1 = 4
Algorithm Optimizations Combination Rule 2 (applied on pattern) Applying Combination Rule 2 Match pattern 2: window size w’= w+1 = 3+1 = 4
Algorithm Optimizations Three STTs Design Start STT Main STT Jump STT
Related Work Winnowing Algorithm Variable-Stride DFA Algorithm Optimizations Performance Outline 31
Performance Mem1 denotes the memory consumed by “Start STT” Mem2 denotes that for “Three STT”.
Performance Fixed:patterns extracted from the fixed string rules. Full: the expanded pattern sets that also include the fixed strings extracted from the regular expression rules.
Performance ClamAV-fixed SNORT-fixed