
Publication


Featured research published by Shuhui Chen.


ACM Special Interest Group on Data Communication | 2016

A 60Gbps DPI Prototype based on Memory-Centric FPGA

Jinshu Su; Shuhui Chen; Biao Han; Chengcheng Xu; Xin Wang

Deep packet inspection (DPI) is widely used in content-aware network applications to detect string features. It is of vital importance to improve the DPI performance due to the ever-increasing link speed. In this demo, we propose a novel DPI architecture with a hierarchy memory structure and parallel matching engines based on memory-centric FPGA. The implemented DPI prototype is able to provide up to 60Gbps full-text string matching throughput and fast rules update speed.


International Conference Cryptography Security and Privacy | 2018

Exploring Efficient NFA Data Structures to Accelerate DFA Generation

Chengcheng Xu; Jinshu Su; Shuhui Chen

Deterministic finite automata (DFA) are widely employed in regular expression matching for content-aware applications, such as protocol identification, NIDS, load balancing, traffic billing, etc. Subset construction is the most time-consuming process when converting regular expressions to the corresponding DFA, which brings a great challenge for fast update application scenarios. Subset construction mainly consists of subset computation and subset comparison. The subset comparison is efficiently processed with the trie tree structure, but the subset computation still remains inefficient for the massive and repetitive memory accesses of NFA state transitions. Through the theoretical analysis and the example demonstration, we prove that the inefficiency mainly originates from the traditional list structures for the NFA state transitions. Then, we propose two improved data structures for the NFA state transitions, namely the ordered list structure and the ordered array structure. These structures leverage the alphabetical order of the transitions to avoid the huge irrelevant memory accesses during subset computation. Experiments on practical rule sets demonstrate that the subset computation procedure achieves a speedup of 6x to 8x and the total DFA generation achieves a speedup of 2x to 4x.


Australasian Conference on Information Security and Privacy | 2018

Privacy-Preserving Mining of Association Rule on Outsourced Cloud Data from Multiple Parties

Lin Liu; Jinshu Su; Rongmao Chen; Ximeng Liu; Xiaofeng Wang; Shuhui Chen; Ho-fung Leung

It has been widely recognized as a challenge to carry out data analysis and meanwhile preserve its privacy in the cloud. In this work, we mainly focus on a well-known data analysis approach, namely association rule mining. We found that the data privacy in this mining approach has not been well considered so far. To address this problem, we propose a scheme for privacy-preserving association rule mining on outsourced cloud data which are uploaded from multiple parties in a twin-cloud architecture. In particular, we mainly consider the scenario where the data owners and miners have different encryption keys that are kept secret from each other and also from the cloud server. Our scheme is constructed by a set of well-designed two-party secure computation algorithms, which not only preserve the data confidentiality and query privacy but also allow the data owner to be offline during the data mining. Compared with the state-of-the-art works, our scheme not only achieves higher level privacy but also reduces the computation cost of data owners.


PLOS ONE | 2018

Exploring efficient grouping algorithms in regular expression matching

Chengcheng Xu; Jinshu Su; Shuhui Chen

Background: Regular expression matching (REM) is widely employed as the major tool for deep packet inspection (DPI) applications. For automatic processing, the regular expression patterns need to be converted to a deterministic finite automaton (DFA). However, with the ever-increasing scale and complexity of pattern sets, the state explosion problem has brought a great challenge to the DFA based regular expression matching. Rule grouping is a direct method to solve the state explosion problem. The original rule set is divided into multiple disjoint groups, and each group is compiled to a separate DFA, thus to significantly restrain the severe state explosion problem when compiling all the rules to a single DFA.

Objective: For practical implementation, the total number of DFA states should be as few as possible, thus the data structures of these DFAs can be deployed on fast on-chip memories for rapid access. In addition, to support fast pattern update in some applications, the time cost for grouping should be as small as possible. In this study, we aimed to propose an efficient grouping method, which generates as few states as possible with as little time overhead as possible.

Methods: When compiling multiple patterns into a single DFA, the number of DFA states is usually greater than the total number of states when compiling each pattern to a separate DFA. This is mainly caused by the semantic overlaps among different rules. By quantifying the interaction values for each pair of rules, the rule grouping problem can be reduced to the maximum k-cut graph partitioning problem. Then, we propose a heuristic algorithm called the one-step greedy (OSG) algorithm to solve this NP-hard problem. What’s more, a subroutine named the heuristic initialization (HI) algorithm is devised to further optimize the grouping algorithms.

Results: We employed three practical rule sets for the experimental evaluation. Results show that the OSG algorithm outperforms the state-of-the-art grouping solutions regarding both the total number of DFA states and time cost for grouping. The HI subroutine also demonstrates its significant optimization effect on the grouping algorithms.

Conclusions: The DFA state explosion problem has become the most challenging issue in the regular expression matching applications. Rule grouping is a practical direction by dividing the original rule sets into multiple disjoint groups. In this paper, we investigate the current grouping solutions, and propose a compact and efficient grouping algorithm. Experiments conducted on practical rule sets demonstrate the superiority of our proposal.


Concurrency and Computation: Practice and Experience | 2018

Practical privacy-preserving deep packet inspection outsourcing

Jie Li; Jinshu Su; Rongmao Chen; Xiaofeng Wang; Shuhui Chen

Hardware‐based middleboxes are ubiquitous in computer networks, which usually incur high deployment and management expenses. A recently arising trend aims to address those problems by outsourcing the functions of traditional hardware‐based middleboxes to high volume servers in a cloud. This technology is promising but still faces a few challenges from different aspects, including privacy concerns, middlebox functionality, and performance. In this paper, we propose two practical approaches to implementing a cloud‐based DPI middlebox. The outsourced DPI middlebox performs payload inspection over encrypted traffic while preserving the privacy of both communication data and inspection rules. Our first approach employs a modified reversible sketch structure, which is used for efficient error‐free membership testing, and our second approach extends the famous AC pattern matching algorithm to the cipher text domain. We utilize unkeyed one‐way hash functions instead of complex cryptographic protocols to achieve the privacy preservation requirements. Our system supports a wide range of real‐world inspection rules. We conduct evaluations on the ClamAV rule set, and the experiment results demonstrate the effectiveness of our proposals.


International Symposium on Cyberspace Safety and Security | 2017

CloudDPI: Cloud-Based Privacy-Preserving Deep Packet Inspection via Reversible Sketch

Jie Li; Jinshu Su; Xiaofeng Wang; Hao Sun; Shuhui Chen

Hardware-based middleboxes are ubiquitous in computer networks, which usually incur high deployment and management expenses. A recently arising trend aims to address those problems by outsourcing the functions of traditional hardware-based middleboxes to high volume servers in a cloud. This technology is promising but still faces a few challenges. First, the widely adopted data encryption techniques contradict the payload inspection needs of some middleboxes such as DPI and IDS devices. Second, the inspection rules of middleboxes may be commercial properties, thus the middlebox providers want to keep their rules confidential under third-party cloud environments, and this creates hindrances for the cloud to perform outsourced middlebox functions. Third, performance of the outsourced middlebox is an inevitable issue that needs deliberate consideration. In this paper, we propose a cloud-based DPI middlebox implementation which performs payload inspection over encrypted traffic while preserving the privacy of both communication data and inspection rules. Our design employs a modified reversible sketch structure which is used for efficient error-free membership testing, and we utilize unkeyed one-way hash functions instead of complex cryptographic protocols to achieve the privacy preservation requirements. CloudDPI supports a wide range of real-world inspection rules. We conduct evaluations on the ClamAV rule set, and the experiment results demonstrate the effectiveness of our proposal.


International Symposium Mobile Internet Security | 2016

A Novel Hybrid Architecture for High Speed Regular Expression Matching

Chengcheng Xu; Baokang Zhao; Shuhui Chen; Jinshu Su

Mobile devices play an important role in our everyday lives, but they also bring great security threats. Deep packet inspection (DPI) is one of the most efficient methods to detect the malicious information hidden in the mobile traffic, and regular expression matching is widely used in DPI for its powerful expressive ability. However, with the increasing complexity of regular expressions, traditional solutions cannot meet the requirements of both storage and high performance. In this paper, we propose a novel hybrid matching architecture and two-stage memory architecture for the state of the art hybrid FA to solve this problem. Experiment results confirm that our architecture is scalable to complex rule sets, and the matching performance outperforms state of the art memory centric solution by up to 15x.


International Conference on Algorithms and Architectures for Parallel Processing | 2015

An Efficient Pre-filter to Accelerate Regular Expression Matching

Chengcheng Xu; Shuhui Chen; Xiaofeng Wang; Jinshu Su

Regular expression matching is widely used in content-aware applications, such as NIDS and protocol identification. However, wire-speed processing for large scale patterns still remains a great challenge in practice. Considering low hit rates in NIDS, a compact and efficient pre-filter is firstly proposed to filter most normal traffic and leave little suspicious traffic for further pattern matching. Experiment results show that the pre-filter achieves a big improvement in both space and time consumption with its compact and efficient structure.


ICNAAM 2010: International Conference of Numerical Analysis and Applied Mathematics 2010 | 2010

EGPS: An Efficient Privacy Preserving Scheme for Vehicular ad hoc Networks

Baokang Zhao; Xiangyu Su; Jinshu Su; Ziming Song; Yipin Sun; Jing Tao; Yong Tang; Shuhui Chen; Guohong Zhao; Yijiao Chen

In this paper, we propose EGPS, an efficient privacy preserving scheme for vehicular ad hoc networks. The EGPS scheme is based on a very efficient group signature and Identity Based Cryptography (IBC) techniques. Several security properties of EGPS, including the correctness and unforgeability, have been proved. Furthermore, EGPS is also proved to be more efficient than GSIS, which is currently one of the best state‐of‐the‐art VANET privacy preserving schemes.


2018 IEEE International Conference on Sensing, Communication and Networking (SECON Workshops) | 2018

A Real-Time Aware Routing Strategy in Smart City Environments

YuSheng Xia; JinShu Su; Rongmao Chen; Yaping Liu; Shuhui Chen

Collaboration

Top Co-Authors

Jinshu Su (National University of Defense Technology)

Chengcheng Xu (National University of Defense Technology)

Xiaofeng Wang (National University of Defense Technology)

Rongmao Chen (National University of Defense Technology)

Baokang Zhao (National University of Defense Technology)

Biao Han (National University of Defense Technology)

Jie Li (National University of Defense Technology)

Guohong Zhao (National University of Defense Technology)

Hao Sun (National University of Defense Technology)

Jing Tao (National University of Defense Technology)