Publication


Featured research published by Domenico Ficara.


ACM Special Interest Group on Data Communication | 2008

An improved DFA for fast regular expression matching

Domenico Ficara; Stefano Giordano; Fabio Vitucci; Gianni Antichi; Andrea Di Pietro

Modern network devices need to perform deep packet inspection at high speed for security and application-specific services. Finite Automata (FAs) are used to implement regular expressions matching, but they require a large amount of memory. Many recent works have proposed improvements to address this issue. This paper presents a new representation for deterministic finite automata (orthogonal to previous solutions), called Delta Finite Automata (δFA), which considerably reduces states and transitions and requires a transition per character only, thus allowing fast matching. Moreover, a new state encoding scheme is proposed and the comprehensive algorithm is tested for use in the packet classification area.


IEEE ACM Transactions on Networking | 2011

Differential encoding of DFAs for fast regular expression matching

Domenico Ficara; Andrea Di Pietro; Stefano Giordano; Fabio Vitucci; Gianni Antichi

Deep packet inspection is a fundamental task to improve network security and provide application-specific services. State-of-the-art systems adopt regular expressions due to their high expressive power. They are typically matched through deterministic finite automata (DFAs), but large rule sets need a memory amount that turns out to be too large for practical implementation. Many recent works have proposed improvements to address this issue, but they increase the number of transitions (and then of memory accesses) per character. This paper presents a new representation for DFAs, orthogonal to most of the previous solutions, called delta finite automata (δFA), which considerably reduces states and transitions while preserving a transition per character only, thus allowing fast matching. A further optimization exploits Nth order relationships within the DFA by adopting the concept of “temporary transitions”.


IEEE Network | 2009

Counting bloom filters for pattern matching and anti-evasion at the wire speed

Gianni Antichi; Domenico Ficara; Stefano Giordano; Fabio Vitucci

Standard pattern-matching methods used for deep packet inspection and network security can be evaded by means of TCP and IP fragmentation. To detect such attacks, intrusion detection systems must reassemble packets before applying matching algorithms, thus requiring a large amount of memory and time to respond to the threat. In the literature, only a few efforts proposed a method to detect evasion attacks at high speed without reassembly. The aim of this article is to introduce an efficient system for anti-evasion that can be implemented in real devices. It is based on counting bloom filters and exploits their capabilities to quickly update the string set and deal with partial signatures. In this way, the detection of attacks and almost all of the traffic processing is performed in the fast data path, thus improving the scalability of intrusion detection systems.


International Conference on Communications | 2010

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems

Domenico Ficara; Gianni Antichi; A Di Pietro; Stefano Giordano; Fabio Vitucci

Modern network devices need to perform deep packet inspection at high speed for security and application-specific services. Instead of standard strings to represent the dataset to be matched, state-of-the-art systems adopt regular expressions, due to their high expressive power. The current trend is to use Deterministic Finite Automata (DFAs) to match regular expressions. However, while the problem of the large memory consumption of DFAs has been solved in many different ways, only a few works have focused on increasing the lookup speed. This paper introduces a novel yet simple idea to accelerate DFAs for security applications: payload sampling. Our approach allows to skip a large portion of the text, thus processing less bytes. The price to pay is a slight number of false alarms which require a confirmation stage. Therefore, we propose a double-stage matching scheme providing two new different automata. Results show a significant speed-up in regular traffic processing, thus confirming the effectiveness of the approach.


IEEE ACM Transactions on Networking | 2010

Enhancing counting bloom filters through Huffman-coded multilayer structures

Domenico Ficara; Andrea Di Pietro; Stefano Giordano; Fabio Vitucci

Bloom Filters are efficient randomized data structures for membership queries on a set with a certain known false positive probability. Counting Bloom Filters (CBFs) allow the same operation on dynamic sets that can be updated via insertions and deletions with larger memory requirements. This paper first presents a simple tight upper bound for counters overflow probability in CBFs, which is adopted in the design of more efficient CBFs. On the basis of such theoretical achievements, we introduce the idea of a hierarchical structure as well as the use of Huffman code to improve standard CBFs in terms of fast access and limited memory consumption (up to 50% of memory saving). The target could be the implementation of the compressed data structures in the small (but fast) local memory or “on-chip SRAM” of devices such as network processors. As an application of our algorithms, an anti-evasion system is finally proposed.


Architectures for Networking and Communications Systems | 2009

Divide and discriminate: algorithm for deterministic and fast hash lookups

Domenico Ficara; Stefano Giordano; Sailesh Kumar; Bill Lynch

Exact and approximate membership lookups are among the most widely used primitives in a number of network applications. Hash tables are commonly used to implement these primitive functions as they provide O(1) operations at moderate load (table occupancy). However, at high load, collisions become prevalent in the table, which makes lookup highly non-deterministic and reduces the average performance. Slow and non-deterministic lookups are detrimental to the performance and scalability of modern platforms such as ASIC/FPGA and multi-core that use highly parallel compute and memory structures. To combat non-determinism and achieve high rate lookups, a recent series of papers employ compact on-chip memory that augments the main hash table and stores certain key information. Unfortunately, they require substantial on-chip memory space and bandwidth, and fail to provide 100% guarantee on lookup rate. In this paper, we solve this with a novel construction that requires 10-fold smaller on-chip memory and guarantees that all lookups require a single hash table access at near full load. The on-chip memory uses only between 1- and 2-bit per item and also needs a small number of accesses (between two and four) per lookup. This represents a substantial improvement over previous schemes and therefore can help realize highly scalable and deterministic lookup tables in modern parallel platforms.


International Conference on Communications | 2008

Blooming Trees: Space-Efficient Structures for Data Representation

Domenico Ficara; Stefano Giordano; Fabio Vitucci

A Bloom filter is an efficient randomized data structure for membership queries on a set with a certain known false positive probability. A counting Bloom filter (CBF) allows the same operations on dynamical sets that can be updated via insertions and deletions with larger memory requirements. This paper presents a novel hierarchical data structure, called Blooming tree, that replicates the functionalities of a CBF with lower memory consumption and tunable false positive probability. The hierarchical multi-layer design of Blooming trees allows for distributing the structure in different memory levels, thus exploiting small but fast on-chip memories for most frequently accessed substructures. The proposed algorithm is compared to previous existing schemes on a target platform: Intel IXP2XXX Network Processors (NPs).


Global Communications Conference | 2008

Blooming Trees for Minimal Perfect Hashing

Gianni Antichi; Domenico Ficara; Stefano Giordano; Fabio Vitucci

Hash tables are used in many networking applications, such as lookup and packet classification. But the issue of collisions resolution makes their use slow and not suitable for fast operations. Therefore, perfect hash functions have been introduced to make the hashing mechanism more efficient. In particular, a minimal perfect hash function is a function that maps a set of n keys into a set of n integer numbers without collisions. In literature, there are many schemes to construct a minimal perfect hash function, either based on mathematical properties of polynomials or on graph theory. This paper proposes a new scheme which shows remarkable results in terms of space consumption and processing speed. It is based on an alternative to Bloom Filters and requires about 4 bits per key and 12.8 seconds to construct a MPHF with 3.8 × 10^9 elements.


Digital Systems Design | 2008

Design of a High Performance Traffic Generator on Network Processor

Gianni Antichi; A Di Pietro; Domenico Ficara; Stefano Giordano; Fabio Vitucci

Evaluating the performance of high-speed networks is a critical task due to the lack of reliable tools to generate traffic workloads at high rates. The current open-source software tools are not suitable to deal with high-speed networks as they present poor performance in terms of generated frames per second and scarce timing/rate accuracy in traffic generation. These issues are due to the intrinsic limitations of the PC architecture, for which these tools are designed. This paper proposes a different approach based on the Intel Network Processor IXP2400. The design aims to maintain the high flexibility of PC solutions while outperforming them in terms of throughput and packet rate. This is obtained by combining a general-purpose PC with the processing units of a network processor.


2008 4th International Telecommunication Networking Workshop on QoS in Multiservice IP Networks | 2008

A cooperative PC/Network-Processor architecture for multi gigabit traffic analysis

Domenico Ficara; Stefano Giordano; Francesco Oppedisano; Fabio Vitucci

The extensive availability of cost effective commodity PC hardware pushed the development of flexible and versatile traffic monitoring software such as protocol analyzers, protocol dissectors, traffic sniffers, traffic characterizers and IDSs (Intrusion Detection Systems). The largest part of these pieces of software is based on the well known libpcap API, which in the last few years has become a de facto standard for PC based packet capturing. Many improvements have been applied to this library but it still suffers from several performance flaws that are due not to the software itself but rather to the underlying hardware bottlenecks. In this paper we present a new traffic monitoring device, implemented by an Intel IXP2400 Network Processor PCI-X card connected to a gigabit Ethernet LAN hosting a cluster of common personal computers running any libpcap based application. This architecture outperforms the previous solutions in terms of packet capturing power and timestamp accuracy.
