Advanced Regular Expression Matching for Line-Rate Deep Packet Inspection Sailesh Kumar, Jon Turner Michela Becchi, Patrick Crowley, George Varghese

2 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Motivation n Network security applications scan packet content to detect viruses, worms, etc. »typically use signatures common to suspicious packets »regular expressions provide powerful, general way to describe signatures n So what’s new? »reg-ex matching well-understood for >30 years »reg-exes in network applications are different –union of thousands of component patterns –state explosion from interacting “repeat patterns” »tight performance constraints –wire speed processing at 10 Gb/s rates (and up) –limited memory space

3 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Regular Expression Refresher n Sample regular expressions »a.*b matches ab, aab, abb, accdb,... »a(ab|c) + [^d] matches aabc, aca, acabb,... n (a.*b)|(a(ab|c) + [^d]) a b a,b,c,da,b,c,d c a a b a,b,c,da,b,c,d 0 ab a,b,ca,b,c c NFA – nondeterministic finite automaton abdc DFA state subsets

4 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Challenges for Intrusion Detection n Hundreds to thousands of patterns »many fairly simple, but not all »significant number include “repeats” with infinite or bounded iteration n Large space requirements »DFA formed by combining patterns may require many more states than NFA »for ASCII inputs, tabular representation of DFAs can be very large n Demanding real-time requirements »1 or 2 off-chip memory accesses per input character n Must maintain state across many (>100K) flows »constrains affordable per-flow context

5 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Three-Way Tradeoff n Memory space »on-chip vs. off-chip »pattern matching automata and flow state n Parallelism »hardware solutions allow substantial parallelism »in NPs, parallelism more limited »more parallelism reduces automata space, increases flow state throughput space parallelism

6 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Problems Addressed n Reducing space used by DFAs »typical tabular DFA is highly redundant –states share many common successors »reduce redundancy using default transitions –trades off space for throughput n Making it compact and fast »choose default transitions for amortized performance »use content-addressing to skip over default transitions n Coping with state space explosion »process flows that stay in shallow states separately from flows that “go deep” – fast-path/slow-path processing

7 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Delayed Input Finite Automata (D 2 FA) n In tabular DFA representation »for ASCII characters, 256 transitions per state »50+ distinct transitions per state in real world datasets »need storage for 50+ edges n But, many states share similar sets of edges Note that states 1 and 3 have common transitions for symbols a, b, d. Can we exploit this redundancy to reduce space? Three patterns: a +, b + c, c*d + 4 transitions per state b 4 5 a c a b d a c b c b a c d c d a d bd

8 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Default Transitions If (s 1,a)=(s 2,a) and (s 1,b)=(s 2,b), »can replace explicit transitions (s 1,a), (s 1,b) with default transition from s 1 to s 2 (or could go other way) »when parsing input, follow default transition when no outgoing transition defined on input character »no input consumed when following default transition b 4 5 a c a b d a c b c b a c d c d a d bd 2 1 b 4 5 a c b d c b a c d c a 3 d

9 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Selecting Default Transitions b 4 5 a c a b d a c b c b a c d c d a d bd 1 c c a d b alternate (and better) solution space reduction graph max wt spanning tree potential savings 1 c a d b c tree edges directed towards chosen root 20  9 edges

10 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Trading off Time and Space n Sort edges in space-reduction graph by length n For each edge, add to “forest” so long as does not create cycle or create tree with excessive diameter n Choose root for each tree at “most central node” n Direct default transitions towards roots sorted edge list {1,2} {4,5} {1,5} {2,4} {1,4} {2,5} {1,3} {3,5} {3,4} {2,3}    diameter bound 2        b 4 5 a d c b a c c d

11 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Sample Results n Sample data set of 612 regular expressions n Original DFA has 11.3K states, 2.3M transitions n Transitions in D 2 FA »with no depth bound, 0.75% of original »with depth bound of 5, 1.07% »with depth bound of 2, 2.54% »with depth bound of 1, 20.70% n Depth bound of d implies d+1 memory accesses per input character

12 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Representing D 2 FA list vector n 95% of states have ≤2 outgoing transitions n Represent states with few transitions using list n Represent others with vector (for direct access)

13 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Changing Performance Criteria n Real objective is bounded time per packet »amortized complexity, not worst-case »earn “credit” for every normal transition »“spend” a credit for each default transition »choose default transitions to guarantee never in debt n Simple way to ensure ≥0 credits »label states according to distance from start state »restrict default transitions to go from larger labels to smaller »bonus – simpler computation –perform breadth-first search –at each node, select best edge allowed for default transition n ≤2 memory accesses per character 1 c d b a c

14 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 How Well Does It Work? n On a typical set of patterns »number of transitions reduced to 1% of original »depth-bounded D 2 FA with bound of 1 requires 20% n Can extend to reduce number of accesses »default transitions from depth d states to depth ≤d–k »at most (k+1)/k memory accesses per input character –so for k=3, 1.33 accesses per char »number of transitions, usage relative to original –for k=2, 1.8% –for k=3, 5.5% –for k=4, 11.6%

15 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Content Addressing n For nodes with default transitions, »store selected “content” with predecessors »predecessors use content to skip over default transitions n Potential for collisions a b c d V U R X f/Rf/R Y g/R,ab Z h/R,ab,cd if next input  {a,b} goto R else goto hash(R,ab)=U if next input  {a,b,c,d} goto R else if next input  {c,d} goto hash(R,ab)=U else goto hash(R,abcd)=V

16 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Collisions in Content Addressing n Addressing conflicts must be resolved »in example, X and Y must go to different next states U and V, but would normally both use hash(R,ab) a b a b V U R X g/R,ab Y h/R,ab n Solution 1, use hash(R,ba) to reach V n Solution 2, add discriminator bits to both hashes h/R,ba h/R,ab101 g/R,ab011

17 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Selecting Content Addresses n For each state »list possible content addresses »compute hash for each n Construct bipartite graph »states at left »storage locations at right »edges from states to possible storage locations n Construct perfect matching »easy to do when enough choices (and usually, there are) »add discriminator bits to get more choices »or, add extra storage locations storage locations states V ab0 ab1 ba0 ba1 U Y X

18 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Coping with State Explosion n Large pattern sets can produce DFAs with too many states »even after conversion to D 2 FA, space can be impractically large »one solution: partition patterns and form several DFAs or D 2 FAs –greatly reduces number of states –but requires processing each packet multiple times n Observation: »well-behaved flows rarely visit states far from start state n Fast-path/slow-path »fast path for “shallow states” »slow path handles suspect flows (ab.*c)|(ac.*b)|(ba.*a) a acac b c a,b b,c a,b c 3 1 of 3 DFAs – total 12 states resulting DFA has 20 states but state count nearly doubles with each additional pattern 1 5 b a a,b,ca,b,c NFA a c b a c a,b,ca,b,c a,b,ca,b,c b

19 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Sample Fast Path Construction n Start with k DFAs for slow path n Construct vector-DFA that tracks states of smaller DFAs »cut off when past target depth »or, cut off based on probability of good flow reaching given state ab.*c a acac b c a,b b,c a,b c 3 a abab c b a,c b,c a,c b 3 b bcbc a a b,c a,c b,c a 3 ac.*b ba.*a fast path DFA abc state vector depth

20 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Fast Path/Slow Path Operation n Flows processed by fast path as long as stay in shallow states n Slow path flows processed by multiple DFAs »takes more per packet »keep more state between packets n Return to fast path after enough time in shallow states n Mitigating DoS attack »attacker can interfere with good flows in slow path by sending lots of slow path traffic »per flow queues in slow path can help, but not complete solution »adjust priority of flows based on time spent in slow path fast path state memory slow path state memory

21 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Simulation of DoS Mitigation n Constant attack traffic – adjust time spent in deep states time (seconds) slow path load thruput with no DOS mitigation thruput with DOS mitigation no overload moderate overload extreme overload good flows

22 - Sailesh Kumar - 12/26/ Jon Turner - 12/26/2015 Summary n Reducing space needed for reg-ex matching »D 2 FAs use default transitions joining similar states »constraining default transitions to go to shallower states ensures good amortized performance »content addressing for skipping over default transitions n Coping with state explosion »slow path processes packets through k small DFAs »fast path processes packets using DFA on shallow states »requires DoS mitigation to deal with attacks on slow path n Other issues »bounded iteration causes excessive growth in state table »requires systematic use of counters –state vector containing control state plus counter values –state machine transitions depend on & manipulate counters