Abstract

Deep Packet Inspection (DPI) is widely used in network management and network security systems. The core part of existing DPI is signature matching, and many researchers focus on improving the signature-matching algorithms. In this paper, we work from a different angle: The scheduling of signature matching. We propose a Delayed Signature Matching (DSM) method, in which we do not always immediately match received packets to the signatures since there may be not enough packets received yet. Instead, we predefine some rules, and evaluate the packets against these rules first to decide when to start signature matching and which signatures to match. The predefined rules are convenient to create and maintain since they support custom expressions and statements and can be created in a text rule file. The correctness and performance of the DSM method are theoretically analyzed as well. Finally, we implement a prototype of the DSM method in the open-source DPI library nDPI, and find that it can reduce the signature-matching time about 30∼84% in different datasets, with even smaller memory consumption. Note that the abstract syntax trees (ASTs) used to implement DSM rule evaluation are usually symmetric, and the DSM method supports asymmetric (i.e., single-direction) traffic as well.

Highlights

  • Deep Packet Inspection (DPI) is a type of packet processing that examines the whole packet payload, some packet fields like transport-layer (TCP and UDP) ports, and it is widely used in many network systems today [1,2,3]

  • Our method is based on two simple ideas: delaying signature matching until receiving enough packets, and finding the probable protocol parsers to match first

  • We designed the Delayed Signature Matching (DSM) processing algorithm together with what we call DSM rules, to guide when to start signature matching for a flow and which protocol parsers to use

Read more

Summary

Introduction

Deep Packet Inspection (DPI) is a type of packet processing that examines the whole packet payload, some packet fields like transport-layer (TCP and UDP) ports, and it is widely used in many network systems today [1,2,3]. DPI is used in network routers for quality of service (QoS) management [4], where different protocols may have different levels of service (e.g., different bandwidths). DPI is used in user profiling [5] or network auditing systems [6], to recognize which websites users are visiting and which applications users are using. This is usually for advertising [5], or government regulation ( known as lawful interception). Improving the Symmetry 2020, 12, 2011; doi:10.3390/sym12122011 www.mdpi.com/journal/symmetry

Results
Discussion
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.