Module-Based Finite Automata: A Scalable and Memory-Efficient Architecture for Multi-pattern Matching in Deep Packet Inspection

Abstract

Multi-pattern matching is a critical technique for building high performance Network Intrusion Detection Systems (NIDS) and Deep Packet Inspection System (DPIS). Given a set of signature database, multi-pattern matching compares packet against patterns to detect the known attacks. Deterministic Finite Automaton (DFA) is widely used for multi-pattern matching in NIDS for its constant matching speed even in the worst case. Existing DFA-based works have claimed to achieve a high speed throughput at expenses of extremely high memory cost and logic complexity, so it fails to meet the memory space requirements of embedded system or high performance routers. In this paper, we propose a novel a memory-efficient multi-pattern matching acceleration scheme called Module-based Finite Automata (MB-FA) which could achieve a great acceleration with little memory duplication. The basic idea of MB-FA is to store the original DFA in independent modules with a delicate algorithm so that inter-flow parallelism can be exploited to its largest scale. A full systematic design of MB-FA is presented, and support for rule update is also introduced. Evaluation experiments show that without any optimization, MB-FA can achieve an average speed-up of 20 times when the memory cost is almost the twice of original DFA.