Fast 2D filter with low false positive for network packet inspection

Abstract

Deep packet inspection (DPI) represents the major process in network intrusion detection and prevention systems. In DPI each security threat is represented as a signature, and the payload of every incoming data packet is matched against the set of current signatures. Moreover, DPI is also used for other networking applications such as packet classification, quality of service techniques, protocol identification and so on. DPI exhausts extra central processing unit and memory resources, and as a result, several attempts have been proposed to improve this process. In this study, the authors proposed a fast two-dimensional (2D) filter with low false positive (FP) rate for DPI purposes. It consists of 2D array that employs single hash function and has very low FP rate. Using this filter as an identification tool in a DPI technique will result in more accurate and higher throughput than other systems that employ Bloom (BFs) and quotient filters (QFs). Our experiments show that the proposed solution has time improvement up to 94% over others that employ BFs or QFs and the achieved average throughput is 1.8 Gbps.