
Publication


Featured research published by Gianni Antichi.


ACM Special Interest Group on Data Communication | 2008

An improved DFA for fast regular expression matching

Domenico Ficara; Stefano Giordano; Fabio Vitucci; Gianni Antichi; Andrea Di Pietro

Modern network devices need to perform deep packet inspection at high speed for security and application-specific services. Finite Automata (FAs) are used to implement regular expressions matching, but they require a large amount of memory. Many recent works have proposed improvements to address this issue. This paper presents a new representation for deterministic finite automata (orthogonal to previous solutions), called Delta Finite Automata (δFA), which considerably reduces states and transitions and requires a transition per character only, thus allowing fast matching. Moreover, a new state encoding scheme is proposed and the comprehensive algorithm is tested for use in the packet classification area.


IEEE ACM Transactions on Networking | 2011

Differential encoding of DFAs for fast regular expression matching

Domenico Ficara; Andrea Di Pietro; Stefano Giordano; Fabio Vitucci; Gianni Antichi

Deep packet inspection is a fundamental task to improve network security and provide application-specific services. State-of-the-art systems adopt regular expressions due to their high expressive power. They are typically matched through deterministic finite automata (DFAs), but large rule sets need a memory amount that turns out to be too large for practical implementation. Many recent works have proposed improvements to address this issue, but they increase the number of transitions (and then of memory accesses) per character. This paper presents a new representation for DFAs, orthogonal to most of the previous solutions, called delta finite automata (δFA), which considerably reduces states and transitions while preserving a transition per character only, thus allowing fast matching. A further optimization exploits Nth order relationships within the DFA by adopting the concept of “temporary transitions”.


IEEE Network | 2009

Counting bloom filters for pattern matching and anti-evasion at the wire speed

Gianni Antichi; Domenico Ficara; Stefano Giordano; Fabio Vitucci

Standard pattern-matching methods used for deep packet inspection and network security can be evaded by means of TCP and IP fragmentation. To detect such attacks, intrusion detection systems must reassemble packets before applying matching algorithms, thus requiring a large amount of memory and time to respond to the threat. In the literature, only a few efforts proposed a method to detect evasion attacks at high speed without reassembly. The aim of this article is to introduce an efficient system for anti-evasion that can be implemented in real devices. It is based on counting bloom filters and exploits their capabilities to quickly update the string set and deal with partial signatures. In this way, the detection of attacks and almost all of the traffic processing is performed in the fast data path, thus improving the scalability of intrusion detection systems.


International Conference on Communications | 2010

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems

Domenico Ficara; Gianni Antichi; A Di Pietro; Stefano Giordano; Fabio Vitucci

Modern network devices need to perform deep packet inspection at high speed for security and application-specific services. Instead of standard strings to represent the dataset to be matched, state-of-the-art systems adopt regular expressions, due to their high expressive power. The current trend is to use Deterministic Finite Automata (DFAs) to match regular expressions. However, while the problem of the large memory consumption of DFAs has been solved in many different ways, only a few works have focused on increasing the lookup speed. This paper introduces a novel yet simple idea to accelerate DFAs for security applications: payload sampling. Our approach allows skipping a large portion of the text, thus processing fewer bytes. The price to pay is a slight number of false alarms which require a confirmation stage. Therefore, we propose a double-stage matching scheme providing two new different automata. Results show a significant speed-up in regular traffic processing, thus confirming the effectiveness of the approach.


Network Operations and Management Symposium | 2012

Enabling open-source high speed network monitoring on NetFPGA

Gianni Antichi; Stefano Giordano; David J. Miller; Andrew W. Moore

Network measurement both as diagnostic and within measurement-based techniques of traffic engineering and management, alongside network measurement for security has maintained the needs of researchers and network operators for the ongoing development of measurement tools for traffic monitoring/characterisation and to support Intrusion Detection Systems (IDSs). Many such tools capitalise on the pricing of commodity hardware by operating on general purpose architectures. Many are based on the well known libpcap API, a de facto standard in this area. Despite the many improvements that have been applied to packet capturing, packet-monitoring implementations still suffer from either: performance flaws on commodity hardware due mainly to unresolvable hardware bottlenecks, or costly and inflexible niche systems. To address such issues, the paper proposes a system architecture based on the cooperation of NetFPGA and a general purpose host PC. The NetFPGA is an open networking platform accelerator that enables rapid development of hardware-accelerated packet processing applications. The objective is to combine the high performance of a hardware-oriented solution with the flexibility of general purpose PCs.


Global Communications Conference | 2011

Design and Development of an OpenFlow Compliant Smart Gigabit Switch

Gianni Antichi; Andrea Di Pietro; Stefano Giordano; Domenico Ficara

In this paper we propose a novel hardware-software co-design vision that aims at enhancing flexibility and reusability of hardware based packet forwarding engines. In particular, we move on the path of the well-known OpenFlow architecture that allows the user to decide the action to be performed over the packet (drop, forward through a given port etc.) upon interaction with a software control plane. Although such an approach is certainly powerful and is gaining more and more attention in both academia and industry, it is biased towards routing application: its main goal is to allow the software control plane to arbitrarily route a packet flow. However, we think that a similar paradigm, encompassing high performance packet forwarding hardware driven by a flexible software control plane, may be beneficial even to other kinds of applications, like monitoring and measurements. However, the primitives that the OpenFlow protocol provides are not flexible enough for such purposes. For this reason, we propose a flexible packet forwarding architecture based on regular expression that, besides enabling standard-compliant OpenFlow switching, can be easily reconfigured through its control plane to support other kinds of applications.


Proceedings of the first edition workshop on High performance and programmable networking | 2013

From 1G to 10G: code reuse in action

Gianni Antichi; Muhammad Shahbaz; Stefano Giordano; Andrew W. Moore

Ever increasing traffic quantities and link-bandwidths force network devices to meet ever-increasing demands; the march to 100G is well under way. The high-speed networking of today is no longer that of five years ago: Unfortunately, such growth contrasts with current financial forces and this leads organisations to find ways to save money. As a result many developers face the common problem: how to make existing systems reusable in this new, higher-speed scenario? To attack this problem, we propose new, flexible, legacy support mechanics for designs built using System on a Chip (SoC) and System on FPGA (SoFPGA). We illustrate our approach using the widely used, open-source, NetFPGA platform presenting a migration path for existing 1G designs to plug into the new NetFPGA 10G board without alteration to code structure.


Global Communications Conference | 2008

Blooming Trees for Minimal Perfect Hashing

Gianni Antichi; Domenico Ficara; Stefano Giordano; Fabio Vitucci

Hash tables are used in many networking applications, such as lookup and packet classification. But the issue of collisions resolution makes their use slow and not suitable for fast operations. Therefore, perfect hash functions have been introduced to make the hashing mechanism more efficient. In particular, a minimal perfect hash function is a function that maps a set of n keys into a set of n integer numbers without collisions. In literature, there are many schemes to construct a minimal perfect hash function, either based on mathematical properties of polynomials or on graph theory. This paper proposes a new scheme which shows remarkable results in terms of space consumption and processing speed. It is based on an alternative to Bloom Filters and requires about 4 bits per key and 12.8 seconds to construct a MPHF with 3.8 × 10^9 elements.


Digital Systems Design | 2008

Design of a High Performance Traffic Generator on Network Processor

Gianni Antichi; A Di Pietro; Domenico Ficara; Stefano Giordano; Fabio Vitucci

Evaluating the performance of high-speed networks is a critical task due to the lack of reliable tools to generate traffic workloads at high rates. The current open-source software tools are not suitable to deal with high-speed networks as they present poor performance in terms of generated frames per second and scarce timing/rate accuracy in traffic generation. These issues are due to the intrinsic limitations of the PC architecture, for which these tools are designed. This paper proposes a different approach based on the Intel Network Processor IXP2400. The design aims to maintain the high flexibility of PC solutions while outperforming them in terms of throughput and packet rate. This is obtained by combining a general-purpose PC with the processing units of a network processor.


Computer Aided Modeling and Design of Communication Links and Networks | 2010

On the use of compressed DFAs for packet classification

Gianni Antichi; Andrea Di Pietro; Stefano Giordano; Domenico Ficara; Fabio Vitucci

The process of categorizing packets into flows in an Internet router is called packet classification. All packets belonging to the same flow obey a predefined rule and are processed in a similar manner by the router itself. For example, all packets with the same destination IP address and protocol may be defined as a flow. Packet classification is the foundation of many Internet functions such as Quality of Service enforcement, monitoring applications, security, and so on. This paper presents a novel classification scheme designed for NetFPGA boards which takes advantage of a very compressed version of Deterministic Finite Automata (DFA) in order to process packets at line rate.
