1 / 11

Cache-Based Scalable Deep Packet Inspection with Predictive Automaton

Cache-Based Scalable Deep Packet Inspection with Predictive Automaton. Presenter : Shi- qu Yu Date : 2011/08/31. INTRODUCTION.

herve
Download Presentation

Cache-Based Scalable Deep Packet Inspection with Predictive Automaton

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cache-Based Scalable Deep Packet Inspection with Predictive Automaton Presenter : Shi-qu Yu Date : 2011/08/31

  2. INTRODUCTION • Deterministic Finite Automata (DFAs) have become a popular matching technique because it can match multiple signatures simultaneously with a guaranteed worst-case performance of (1) time per character. • Problem:largesizes of DFAs.

  3. INTRODUCTION • Improving:hierarchical scheme of memory、cache • In this paper, we propose the concept of localprediction which shows the potentials in predicting DFA matching

  4. Local Prediction • Definition 1: Given a set of elements 𝐴 = {𝑎1, . . . , 𝑎𝑛} andan integer 𝑑, the elements are requested by a sequence 𝑠1, 𝑠2, . . .where 𝑠𝑖 ∈ 𝐴. The local prediction of 𝐴 with the predicteddiameter 𝑘 (for simplicity 𝐿𝑃𝑑) maps all element pairs (𝑎, 𝑎′)to [0, 𝑑], 𝑎, 𝑎′ ∈ 𝐴, so that 𝐿𝑃𝑑(𝑎∣𝑎′) = 𝐸(# of 𝑠𝑗 = 𝑎∣𝑠𝑖 =′, 𝑖 < 𝑗 ≤ 𝑖 + 𝑑), which is the expectation of the number ofrequest for 𝑎 in the 𝑑 data requests after a request for 𝑎′.

  5. Example of Using Local Prediction • The core idea is to treat all statesas elements and to store the states with high local predictionsas close as possible such that they tend to be appear togetherin the cache • We assume that the cache always replaceits content with a contiguous part of the secondary memory(main memory)

  6. Example of Using Local Prediction

  7. Local prediction vs. global prediction • Similar to the local prediction, we define the global prediction as the probability of each element to be requested at any time • global prediction specifies a class of element 𝑎 of which the 𝐿𝑃𝑑(𝑎∣𝑎′) is insensitive to 𝑎′,since 𝐿𝑃𝑑(𝑎∣𝑎′) = Σ=1 𝐺𝑃(𝑎)𝑗 . We call the elements that hold the above property, global elements, and otherwise, local elements.

  8. Local prediction vs. global prediction

  9. Local prediction vs. global prediction • 1) Global transitions make up of a very small part of the whole transition set. • 2) The local predictions of most local transitions differ greatly, i.e., the distribution of 𝐿𝑃𝑑(𝑎∣𝑎′) over all 𝑎’s are quite different between various 𝑎’s. • 3) Under randomly generated traces or normal traces, the global transitions are requested with high probabilities,whilein malicious traffics, such probabilities are greatly reduced.

  10. (a) Probability of access on each state under normal and malicious traces.

  11. Conclusively, given the size of the cache, caching policy for DFA matching needs to handle the following balances: • 1) The balance of preserving more global transitions with high 𝐺𝑃(𝑎) in cache on one hand and updating with more contents to track more local transitions in prevention of attacks on the other; • 2) The balance of speculating for more steps (i.e., using 𝑃𝑘(𝑎∣𝑎′) with larger 𝑘) to avoid cache misses in longer period of time on one hand and speculating for less steps but with raised predictive accuracy such that cache hits in near future are increased on the other.

More Related