Abstract
Regular expression matching plays an important role in modern Deep Packet Inspection (DPI) engines, to classify or filter packets by matching their payloads toward a series of pre-defined rules represented as regular expressions. Generally, finite automaton-based approaches are utilized to perform fast and scalable regular expression matching. Among those approaches, Deterministic Finite Automaton (DFA) has the fastest speed yet suffers from the state space explosion problem. By contrast, Nondeterministic Finite Automaton (NFA) can achieve the highest memory efficiency at the cost of complicated and thus low-speed matching process.Instead of seeking for a reasonable trade-off between memory efficiency and processing throughput from DFA, this paper chooses the NFA as the start point for optimization. Based on two important observations, a Multi-Stride Index (MSI) table is designed for pre-processing before going into the NFA. As the MSI table can filter most of unsuccessful matchings and thus significantly reduce the chance of processing on the NFA, the proposed MSI-NFA approach achieves a fast speed approximate to the DFA when processing real-world HTTP packets. As demonstrated in the experimental results, its speed is at most \(10\,\%\) lower than that of DFA. Moreover, the additional memory cost is as low as 20 KB compared with NFA.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
A group of n continuous characters.
References
Cisco IOS IPS (2015). http://www.cisco.com/
Regular Expression Pocessor (2015). http://regex.wustl.edu
Snort Website (2015). http://www.snort.org/
TippingPoint IPS (2015). http://www.tippingpoint.com/
Alicherry, M., Muthuprasanna, M., Kumar, V.: High speed pattern matching for network ids/ips. In: Proceedings of the 2006 14th IEEE International Conference on Network Protocols, 2006, ICNP 2006, pp. 187–196, November 2006
Brodie, B., Cytron, R., Taylor, D.: A scalable architecture for high-throughput regular-expression pattern matching. In: 33rd International Symposium on Computer Architecture, 2006, ISCA 2006, pp. 191–202, April 2006
Clark, C.R., Schimmel, D.E.: Efficient reconfigurable logic circuits for matching complex network intrusion detection patterns. In: Cheung, Peter Y.K., Constantinides, George A. (eds.) FPL 2003. LNCS, vol. 2778, pp. 956–959. Springer, Heidelberg (2003)
Clark, C., Schimmel, D.: Scalable pattern matching for high speed networks. In: 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, 2004, FCCM 2004, pp. 249–257, April 2004
Dharmapurikar, S., Lockwood, J.: Fast and scalable pattern matching for content filtering. In: Proceedings of the 2005 ACM Symposium on Architecture for Networking and Communications Systems, ANCS 2005, pp. 183–192. ACM (2005)
Hua, N., Song, H., Lakshman, T.: Variable-stride multi-pattern matching for scalable deep packet inspection. In: INFOCOM 2009. IEEE, April 2009
Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., Turner, J.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In: Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, SIGCOMM 2006. ACM (2006)
Lu, H., Zheng, K., Liu, B., Zhang, X., Liu, Y.: A memory-efficient parallel string matching architecture for high-speed intrusion detection. IEEE J. Sel. Areas Commun. 24(10), 1793–1804 (2006)
Luchaup, D., De Carli, L., Jha, S., Bach, E.: Deep packet inspection with dfa-trees and parametrized language overapproximation. In: INFOCOM, 2014 Proceedings IEEE, pp. 531–539, April 2014
Paxson, V.: Application Layer Packet Classifier for Linux (2008). http://l7-filter.sourceforge.net/. Accessed 19 July 2008
Paxson, V., Asanović, K., Dharmapurikar, S., Lockwood, J., Pang, R., Sommer, R., Weaver, N.: Rethinking hardware support for network analysis and intrusion prevention. In: Proceedings of the 1st USENIX Workshop on Hot Topics in Security, p. 11 (2006)
Paxson, V.: Bro: A system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)
Sen, S., Spatscheck, O., Wang, D.: Accurate, scalable in-network identification of P2P traffic using application signatures. In: Proceedings of WWW.Manhantan. ACM (2004)
Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration (1999)
Sidhu, R., Prasanna, V.: Fast regular expression matching using fpgas. In: The 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, 2001, FCCM 2001, pp. 227–238, March 2001
Smith, R., Estan, C., Jha, S.: Xfa: Faster signature matching with extended automata. In: IEEE Symposium on Security and Privacy, 2008, SP 2008, May 2008
Smith, R., Estan, C., Jha, S.: Deflating the big bang: fast and scalable deep packet inspection with extended finite automata. In: Proceedings of the ACM SIGCOMM 2008 Conference on Data Communication, SIGCOMM 2008. ACM (2008)
Sourdis, I., Pnevmatikatos, D.: Pre-decoded cams for efficient and high-speed nids pattern matching. In: 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, 2004, FCCM 2004, pp. 258–267, April 2004
Tan, L., Brotherton, B., Sherwood, T.: Bit-split string-matching engines for intrusion detection and prevention. ACM Trans. Archit. Code Optim. 3(1), 3–34 (2006)
Yu, F., Chen, Z., Diao, Y., Lakshman, T., Katz, R.: Fast and memory-efficient regular expression matching for deep packet inspection. In: ACM/IEEE Symposium on Architecture for Networking and Communications systems, 2006, ANCS 2006, pp. 93–102, December 2006
Yu, F., Katz, R., Lakshman, T.: Gigabit rate packet pattern-matching using tcam. In: Proceedings of the 12th IEEE International Conference on Network Protocols, 2004, ICNP 2004, pp. 174–183 October 2004
Yu, X., Becchi, M.: Gpu acceleration of regular expression matching for large datasets: exploring the implementation space. In: Proceedings of the ACM International Conference on Computing Frontiers, CF 2013. ACM (2013)
Zu, Y., Yang, M., Xu, Z., Wang, L., Tian, X., Peng, K., Dong, Q.: Gpu-based nfa implementation for memory efficient high speed regular expression matching. In: Proceedings of the 17th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming, PPoPP 2012, pp. 129–140. ACM (2012)
Acknowledgments
This work is supported by the National Science Foundation of China under Grant 61173167, 61472130, the National Basic Research Program of China (973) under Grant 2012CB315805, the Prospective Research Project on Future Networks of Jiangsu Future Networks Innovation Institute under Grant BY2013095-1-05, and the Hunan Provincial Innovation Foundation For Postgraduate under Grant CX2014B150.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Huo, S., Zhang, D., Li, Y. (2015). Fast and Scalable Regular Expressions Matching with Multi-Stride Index NFA. In: Wang, G., Zomaya, A., Martinez, G., Li, K. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2015. Lecture Notes in Computer Science(), vol 9530. Springer, Cham. https://doi.org/10.1007/978-3-319-27137-8_43
Download citation
DOI: https://doi.org/10.1007/978-3-319-27137-8_43
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27136-1
Online ISBN: 978-3-319-27137-8
eBook Packages: Computer ScienceComputer Science (R0)