1 / 35

Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection

Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection. Author: Nan Hua, Haoyu Song, T. V. Lakshman Publisher: INFOCOM 2009 Presenter: Chun-Yi Li Date: 2009/04/22. Outline. Related Work Winnowing Algorithm Variable-Stride DFA Algorithm Optimizations Performance.

claire-pittman
Download Presentation

Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection Author: Nan Hua, Haoyu Song, T. V. Lakshman Publisher: INFOCOM 2009 Presenter:Chun-Yi Li Date:2009/04/22

  2. Outline • Related Work • Winnowing Algorithm • Variable-Stride DFA • Algorithm Optimizations • Performance

  3. Related Work Winnowing Algorithm delimiter Winnowing with k= 2 and w= 3 • Calculate the hash value of every consecutive k characters. • Use a sliding window of size w to select the minimum hash value in the window.A tie is broken by selecting the rightmost minimum value.

  4. Related Work Winnowing Algorithm Variable-Stride DFA Algorithm Optimizations Performance Outline

  5. Variable-Stride DFA Segmentation Scheme Properties Coreless pattern Indivisible pattern • Property 1: • The size of any segmented block is in the range [1, w]. • Tail block sizes are in the range [k−1, w+k−2]. • Indivisible pattern sizes are in the range [1, w+k − 2]. • Coreless pattern sizes are in the range [w+k−1, 2w+k−2].

  6. Variable-Stride DFA Segmentation Scheme Properties Property 2: If a pattern appears in a data stream then segmenting the data stream results in exactly the same delimiters for the core blocks of the pattern. The head block can be affected by the preifix and the tail block can be affected by the suffix. However, the core blocks are totally confined to the pattern and isolated from the context. ex: input stream: ...A|BCh|ij|kl|m|nD|EF|... pattern: hij|kl|mn

  7. Variable-Stride DFA Finite Automaton Construction quasi-match state

  8. Variable-Stride DFA System Design and Basic Data Structure

  9. Variable-Stride DFA System Design and Basic Data Structure State Transition Table(STT) Match Table(MT)

  10. Variable-Stride DFA System Design and Basic Data Structure To enable match verification on the Quasi-match states, we need to maintain a Head Queue (HQ) that remembers the Block-matching history. w bytes D entries (D is the length of the longest forwarding path of the VS-DFA) 10

  11. Variable-Stride DFA System Design and Basic Data Structure ex: Data Stream: ‥‥A|BCr|id|ic|ulo|u|sD|EF‥‥ 0 1 2 3 4

  12. Variable-Stride DFA System Design and Basic Data Structure ex: Data Stream: ‥ ‥ABCD|Eau|th|ent|ica|te‥ ‥ 0 1 2 3 4 12

  13. Variable-Stride DFA Short Pattern Handling Using TCAM for short pattern lookups Coreless Pattern Indivisible Pattern

  14. Related Work Winnowing Algorithm Variable-Stride DFA Algorithm Optimizations Performance Outline

  15. Algorithm Optimizations Reducing Single-Byte Blocks It is possible to generate specific inputs that result in only single-byte streams being produced independent of the chosen hash functions and window parameters.

  16. Algorithm Optimizations Combination Rule 1 (applied on data stream) w = 3

  17. Algorithm Optimizations Combination Rule 1 (applied on pattern) Step 1: window size w = 3

  18. Algorithm Optimizations Combination Rule 1 (applied on pattern) Step 2: Replicate 1. 2. 3. 4. 5. 6. window size w = 3

  19. Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 Match pattern 1: window size w = 3

  20. Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 pattern 2: Match window size w = 3

  21. Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 pattern 3: Match window size w = 3

  22. Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 Match pattern 4: window size w = 3 22

  23. Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 pattern 5: Match window size w = 3 23

  24. Algorithm Optimizations Combination Rule 1 (applied on pattern) data stream: Applying Combination Rule 1 pattern 6: Match window size w = 3 24

  25. Algorithm Optimizations Combination Rule 2 (applied on data stream) Applying Combination Rule 2 window size w’= w+1 = 3+1 = 4

  26. Algorithm Optimizations Combination Rule 2 (applied on pattern) Step 1: window size w’= w+1 = 3+1 = 4

  27. Algorithm Optimizations Combination Rule 2 (applied on pattern) Step 2: Replicate 1. 2. window size w’= w+1 = 3+1 = 4

  28. Algorithm Optimizations Combination Rule 2 (applied on pattern) Applying Combination Rule 2 Match pattern 1: window size w’= w+1 = 3+1 = 4

  29. Algorithm Optimizations Combination Rule 2 (applied on pattern) Applying Combination Rule 2 Match pattern 2: window size w’= w+1 = 3+1 = 4

  30. Algorithm Optimizations Three STTs Design Start STT Main STT Jump STT

  31. Related Work Winnowing Algorithm Variable-Stride DFA Algorithm Optimizations Performance Outline 31

  32. Performance Mem1 denotes the memory consumed by “Start STT” Mem2 denotes that for “Three STT”.

  33. Performance Fixed:patterns extracted from the fixed string rules. Full: the expanded pattern sets that also include the fixed strings extracted from the regular expression rules.

  34. Performance ClamAV-fixed SNORT-fixed

  35. Performance

More Related