DOI: 10.1145/1402958.1402983
Research article

Deflating the big bang: fast and scalable deep packet inspection with extended finite automata

Published: 17 August 2008

Abstract

Deep packet inspection is playing an increasingly important role in the design of novel network services. Regular expressions are the language of choice for writing signatures, but standard DFA or NFA representations are unsuitable for high-speed environments, requiring too much memory, too much time, or too much per-flow state. DFAs are fast and can be readily combined, but doing so often leads to state-space explosion. NFAs, while small, require large per-flow state and are slow.
We propose a solution that simultaneously addresses all these problems. We start with a first-principles characterization of state-space explosion and give conditions that eliminate it when satisfied. We show how auxiliary variables can be used to transform automata so that they satisfy these conditions, which we codify in a formal model that augments DFAs with auxiliary variables and simple instructions for manipulating them. Building on this model, we present techniques, inspired by principles used in compiler optimization, that systematically reduce runtime and per-flow state. In our experiments, signature sets from Snort and Cisco Systems achieve state-space reductions of over four orders of magnitude, per-flow state reductions of up to a factor of six, and runtimes that approach DFAs.
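The state-space explosion the abstract describes, and how one auxiliary variable per signature avoids it, as an added Python sketch (not code from the paper or its authors): the toy signature set, the alphabet, and the single-state XFA layout are constructed here for illustration only.

```python
from collections import deque

# Constructed toy signatures of the form ".*X.*Y": X must appear, then later Y.
SIGS = [("a", "b"), ("c", "d"), ("e", "f")]
ALPHABET = "abcdefz"   # 'z' stands for every byte no signature cares about

def sig_step(x, y):
    """Transition function of the 3-state DFA for ".*X.*Y":
    0 = nothing seen, 1 = X seen, 2 = X then Y seen (accepting, absorbing)."""
    def step(state, ch):
        if state == 2:
            return 2
        if state == 1:
            return 2 if ch == y else 1
        return 1 if ch == x else 0
    return step

def combined_dfa_states(sigs, alphabet=ALPHABET):
    """Reachable states of the product DFA that tracks all signatures at once.
    Each signature advances independently, so the count grows as 3**len(sigs)."""
    steps = [sig_step(x, y) for x, y in sigs]
    start = (0,) * len(sigs)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for ch in alphabet:
            nxt = tuple(f(s, ch) for f, s in zip(steps, cur))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen)

def xfa_scan(sigs, payload):
    """Simplified XFA for the same signature set: a single DFA state whose
    self-loop edges carry instructions on one auxiliary bit per signature
    ('X seen'), so the automaton itself never grows with len(sigs).
    Returns the indices of the signatures matched by the payload."""
    bits = [False] * len(sigs)          # per-flow auxiliary variables
    matched = set()
    for ch in payload:
        for i, (x, y) in enumerate(sigs):
            if ch == x:
                bits[i] = True          # instruction: set bit_i
            elif ch == y and bits[i]:
                matched.add(i)          # instruction: bit_i set -> accept i
    return matched

if __name__ == "__main__":
    for k in range(1, len(SIGS) + 1):
        print(f"{k} signature(s): combined DFA has {combined_dfa_states(SIGS[:k])}"
              f" states, XFA has 1 state + {k} bits")
    print(xfa_scan(SIGS, "zzazcbzd"))   # {0, 1}
```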

    Published In

    • SIGCOMM '08: Proceedings of the ACM SIGCOMM 2008 conference on Data communication, August 2008, 452 pages. ISBN: 9781605581750. DOI: 10.1145/1402958
    • ACM SIGCOMM Computer Communication Review, Volume 38, Issue 4, October 2008, 436 pages. ISSN: 0146-4833. DOI: 10.1145/1402946

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. deep packet inspection
    2. regular expressions
    3. signature matching
    4. xfa

    Conference

    SIGCOMM '08: ACM SIGCOMM 2008 Conference, August 17 - 22, 2008, Seattle, WA, USA

    Acceptance Rates

    Overall Acceptance Rate 462 of 3,389 submissions, 14%

    Article Metrics

    • Downloads (Last 12 months)71
    • Downloads (Last 6 weeks)9
    Reflects downloads up to 09 Nov 2024

    Cited By

    • (2024) ngAP: Non-blocking Large-scale Automata Processing on GPUs. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 1, pp. 268-285. DOI: 10.1145/3617232.3624848. Online publication date: 27-Apr-2024
    • (2023) Bolt: Scalable and Cost-Efficient Multistring Pattern Matching With Programmable Switches. IEEE/ACM Transactions on Networking, 31(2), pp. 846-861. DOI: 10.1109/TNET.2022.3202523. Online publication date: Apr-2023
    • (2022) Software-hardware codesign for efficient in-memory regular pattern matching. Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation, pp. 733-748. DOI: 10.1145/3519939.3523456. Online publication date: 9-Jun-2022
    • (2021) Scalable FSM parallelization via path fusion and higher-order speculation. Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 887-901. DOI: 10.1145/3445814.3446705. Online publication date: 19-Apr-2021
    • (2021) Using Selective Memoization to Defeat Regular Expression Denial of Service (ReDoS). 2021 IEEE Symposium on Security and Privacy (SP), pp. 1-17. DOI: 10.1109/SP40001.2021.00032. Online publication date: May-2021
    • (2021) Building Efficient Regular Expression Matchers Through GA Optimization With ML Surrogates. 2021 12th International Conference on Network of the Future (NoF), pp. 1-9. DOI: 10.1109/NoF52522.2021.9609828. Online publication date: 6-Oct-2021
    • (2021) Automata Based Hybrid PSO-GWO Algorithm for Secured Energy Efficient Optimal Routing in Wireless Sensor Network. Wireless Personal Communications. DOI: 10.1007/s11277-020-07882-2. Online publication date: 2-Jan-2021
    • (2020) Why GPUs are Slow at Executing NFAs and How to Make them Faster. Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 251-265. DOI: 10.1145/3373376.3378471. Online publication date: 9-Mar-2020
    • (2020) In-Memory Computing with Memristor Content Addressable Memories for Pattern Matching. Advanced Materials, 32(37). DOI: 10.1002/adma.202003437. Online publication date: 6-Aug-2020
    • (2019) Hyperscan. Proceedings of the 16th USENIX Conference on Networked Systems Design and Implementation, pp. 631-648. DOI: 10.5555/3323234.3323286. Online publication date: 26-Feb-2019
