Skip to main content
SpringerLink
Log in

Managing DFA History with Queue for Deflation DFA

  • Published:
Journal of Network and Systems Management Aims and scope Submit manuscript

Abstract

There is an increasing demand for network devices to perform deep packet inspection (DPI) in order to enhance network security. In DPI, the packet payload is compared against a set of predefined patterns that can be specified using regular expressions (regexes). It is well-known that mapping regexes to deterministic finite automaton (DFA) may suffer from the state explosion problem. Through observation, we attribute DFA explosion to the necessity of remembering matching history. In this paper, we investigate how to manage matching history efficiently and propose an extended DFA approach for regex matching called fcq-FA, which can make a memory size reduction of about 1,000 times with a fully automated approach. In fcq-FA, we use pipeline queues and counters to help record the matching history. Hence, state explosion caused by Kleene closure and length restriction can be completely avoided. Furthermore, it achieves a fully automated signature compilation with polynomial running time and space. The equivalence between fcq-FA and the traditional DFA is guaranteed by a strict theoretical proof, which means fcq-FA can process all the regexes supported by the traditional DFA.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10

Similar content being viewed by others

References

  1. Sommer, R., Paxson, V.: Enhancing byte-level network intrusion detection signatures with context. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2003)

  2. Roesch, M.: Snort: The lightweight network intrusion detection system. http://www.snort.org/ (2001)

  3. Smith, R., Estan, C., Jha, S.: XFAs: Faster signature matching with extended automata. In: IEEE Symposium on Security and Privacy (Oakland) (2008)

  4. Smith, R., Estan, C., Jha, S., Kong, S.: Deflating the big bang: fast and scalable deep packet inspection with extended finite automata. In: Proceedings of ACM SIGCOMM (2008)

  5. Yu, F., Chen, Z., Diao, Y., Lakshman, T.V., Katz, R.H.: Fast and memory-efficient regular expression matching for deep packet inspection. In: Proceedings of ACM/IEEE Symposium on Architectures for Networking and Communcations Systems (ANCS) (2006)

  6. Kumar, S., Chandrasekaran, B., Turner, J., Varghese, G.: Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia. In: Proceedings of ACM/IEEE Symposium on Architectures for Networking and Communcations Systems (ANCS) (2007)

  7. Kumar, S., Turner, J., Williams, J.: Advanced algorithms for fast and scalable deep packet inspection. In: Proceedings of ACM/IEEE Symposium on Architectures for Networking and Communcations Systems (ANCS) (2006)

  8. Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., Turner, J.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In: Proceedings of ACM SIGCOMM (2007)

  9. Becchi, M., Crowley, P.: An improved algorithm to accelerate regular expression evaluation. In: Proceedings of ACM/IEEE Symposium on Architectures for Networking and Communcations Systems (ANCS) (2007)

  10. Paxson, V.: Bro: A system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435 (1999) http://www.snort.org/

  11. Pcre: Perl compatible regular expressions. http://www.pcre.org/

  12. L7-filter: Application layer packet classifier for linux. http://l7-filter.sourceforge.net/ (2007)

  13. Regular expression. http://en.wikipedia.org/wiki/Regular_expression

  14. Sidhu, R., Prasanna, V.: Fast regular expression matching using FPGAs. In: Proceedings of IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM) (2001)

  15. Sourdis, I., Pnevmatikatos, D.: Pre-decoded CAMs for efficient and high-speed NIDS pattern matching. In: Proceedings of IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM) (2004)

  16. Brodie, B.C., Taylor, D.E., Cytron, R.K.: A scalable architecture for high-throughput regular-expression pattern matching. In: Proceedings of ACM/IEEE International Symposium on Computer Architecture (ISCA) (2006)

  17. Becchi, M., Crowley, P.: A hybrid finite automaton for practical deep packet inspection. In: Proceedings of ACM International Conference on emerging Networking EXperiments and Technologies(CoNEXT) (2007)

  18. Song, T., Zhang, W., Wang, D., Xue, Y.: A memory efficient multiple pattern matching architecture for network security. In: Proceedings of IEEE Conference on Computer Communications(INFOCOM) (2008)

  19. Bando, M., Artan, N., Chao, H.: LaFA: Lookahead finite automata for scalable regular expression detection. In: Proceedings of ACM/IEEE Symposium on Architectures for Networking and Communcations Systems (ANCS) (2009)

  20. Ficara, D., Giordano, S., Procissi, G.: An improved DFA for fast regular expression matching. ACM SIGCOMM Computer Communication Review (CCR) 38(5) (2008)

  21. Tang, Y., Xue, T., Jiang, J., Liu, B.: Deflation DFA: remembering history is adequate. In: Proceedings of IEEE International Conference on Communications (ICC) (2010)

  22. Smith, R., Estan, C., Jha, S., Siahaan, I.: Fast signature matching using extended finite automaton (XFA). In: Proceedings of International Conference on Information System Security (ICISS) (2008)

Download references

Acknowledgments

This paper is supported by NSFC (60625201, 60873250, 60903182, 61073171), 973 project (2007CB310702), Tsinghua University Initiative Scientific Research Program and open project of State Key Laboratory of Networking and Switching Technology, BUPT.

Author information

Authors and Affiliations

  1. Department of Computer Science and Technology, Tsinghua Univerisity, Beijing, China

    Yi Tang, Junchen Jiang, Chengchen Hu & Bin Liu

  2. Guest researcher of the State Key Laboratory of Networking and Switching Technology, University of Posts and Telecommunications, Beijing, China

    Chengchen Hu

Authors
  1. Yi Tang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Junchen Jiang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Chengchen Hu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Bin Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Bin Liu.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Tang, Y., Jiang, J., Hu, C. et al. Managing DFA History with Queue for Deflation DFA. J Netw Syst Manage 20, 155–180 (2012). https://doi.org/10.1007/s10922-010-9179-4

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10922-010-9179-4

Keywords

Search

Navigation