Abstract

As network speeds continue to increase, so does the need for scalable pattern matching in deep packet scanning applications such as signature-based network intrusion detection. Multiple-stride deterministic finite automata (DFAs) increase pattern-matching performance because they allow multiple bytes of a packet to be scanned simultaneously. However, traditional multiple-stride DFAs either rely on specific hardware for parallel comparison or have huge memory requirements due to state explosion. In this paper, we present a high-throughput, multiple-stride pattern-matching architecture that requires a small storage cost and no specific hardware. The basic idea is to group DFA states/transitions into three coarse-grained, variable-size blocks, so that each block can employ its own specific methods to optimize storage requirements and performance. The blocks are naturally identified from basic observations of DFA characteristics: prefix, linear trie and state dependencies. The performance evaluation uses the Snort pattern sets. We show that the multi-byte striding DFA achieves multi-Gb/s pure content inspection in software while using <3 bytes per pattern character.
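A minimal illustration of the multiple-stride idea the abstract builds on, added here and not taken from the paper: it composes a plain Aho-Corasick DFA with itself so that each lookup consumes two characters. This is the naive construction whose table growth motivates the paper, not the three-block architecture itself; the toy alphabet, patterns and payload are constructed.

```python
from collections import deque

ALPHABET = "abcd"                        # constructed toy alphabet; real traffic has 256 byte values
PATTERNS = ["abc", "bcd", "cab", "dd"]   # constructed sample signatures
DATA = "abcdabcabddcabc"                 # constructed sample payload (odd length)

def build_dfa(patterns, alphabet):
    """Aho-Corasick DFA: delta[state][char] -> state, out[state] = patterns ending there."""
    goto, out = [{}], [0]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({})
                out.append(0)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s] += 1
    fail, delta, queue = [0] * len(goto), [{} for _ in goto], deque()
    for c in alphabet:
        delta[0][c] = goto[0].get(c, 0)
        if delta[0][c]:
            queue.append(delta[0][c])
    while queue:                          # breadth-first, so fail[s] is complete before s
        s = queue.popleft()
        out[s] += out[fail[s]]            # inherit matches that end at the failure state
        for c in alphabet:
            if c in goto[s]:
                fail[goto[s][c]] = delta[fail[s]][c]
                delta[s][c] = goto[s][c]
                queue.append(goto[s][c])
            else:
                delta[s][c] = delta[fail[s]][c]
    return delta, out

def stride2(delta, out, alphabet):
    """Compose delta with itself; hits of the skipped middle state ride on the transition."""
    return [{a + b: (delta[delta[s][a]][b], out[delta[s][a]] + out[delta[delta[s][a]][b]])
             for a in alphabet for b in alphabet} for s in range(len(delta))]

def scan1(delta, out, data, s=0):
    hits = 0
    for ch in data:                       # one table lookup per input character
        s = delta[s][ch]
        hits += out[s]
    return hits

def scan2(delta, out, d2, data):
    s, hits, even = 0, 0, len(data) - len(data) % 2
    for i in range(0, even, 2):           # one table lookup per two input characters
        s, n = d2[s][data[i:i + 2]]
        hits += n
    return hits + scan1(delta, out, data[even:], s)   # odd trailing character, stride 1
```

Both scanners report the same match count, but each state's row grows from |Σ| to |Σ|² entries; with a 256-value byte alphabet that is 65,536 entries per state, which is the storage cost the abstract refers to.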
