Published by Emory Carson. Modified over 9 years ago.
1
Advanced Regular Expression Matching for Line-Rate Deep Packet Inspection
Sailesh Kumar, Jon Turner, Michela Becchi, Patrick Crowley, George Varghese
2
2 - Sailesh Kumar - 12/26/2015 2 - Jon Turner - 12/26/2015
Motivation
• Network security applications scan packet content to detect viruses, worms, etc.
  » typically use signatures common to suspicious packets
  » regular expressions provide a powerful, general way to describe signatures
• So what’s new?
  » reg-ex matching has been well understood for >30 years
  » reg-exes in network applications are different
    – union of thousands of component patterns
    – state explosion from interacting “repeat patterns”
  » tight performance constraints
    – wire-speed processing at 10 Gb/s rates (and up)
    – limited memory space
3
Regular Expression Refresher
• Sample regular expressions
  » a.*b matches ab, aab, abb, accdb, ...
  » a(ab|c)+[^d] matches aabc, aca, acabb, ...
• (a.*b)|(a(ab|c)+[^d])
[Figure: NFA (nondeterministic finite automaton) for this combined expression, and the equivalent DFA, each DFA state labelled with the subset of NFA states it represents]
4
Challenges for Intrusion Detection
• Hundreds to thousands of patterns
  » many fairly simple, but not all
  » a significant number include “repeats” with infinite or bounded iteration
• Large space requirements
  » the DFA formed by combining patterns may require many more states than the NFA
  » for ASCII inputs, the tabular representation of DFAs can be very large
• Demanding real-time requirements
  » 1 or 2 off-chip memory accesses per input character
• Must maintain state across many (>100K) flows
  » constrains affordable per-flow context
5
Three-Way Tradeoff
• Memory space
  » on-chip vs. off-chip
  » pattern matching automata and flow state
• Parallelism
  » hardware solutions allow substantial parallelism
  » in NPs (network processors), parallelism is more limited
  » more parallelism reduces automata space, increases flow state
[Figure: triangle with vertices throughput, space and parallelism]
6
Problems Addressed
• Reducing space used by DFAs
  » typical tabular DFA is highly redundant
    – states share many common successors
  » reduce redundancy using default transitions
    – trades off space for throughput
• Making it compact and fast
  » choose default transitions for amortized performance
  » use content-addressing to skip over default transitions
• Coping with state space explosion
  » process flows that stay in shallow states separately from flows that “go deep”
    – fast-path/slow-path processing
7
Delayed Input Finite Automata (D²FA)
• In the tabular DFA representation
  » for ASCII characters, 256 transitions per state
  » 50+ distinct transitions per state in real-world datasets
  » need storage for 50+ edges
• But many states share similar sets of edges
[Figure: DFA for three patterns a+, b+c, c*d+ over the alphabet a, b, c, d: 5 states, 4 transitions per state]
Note that states 1 and 3 have common transitions for symbols a, b, d. Can we exploit this redundancy to reduce space?
8
Default Transitions
If the transitions (s1,a) and (s2,a) lead to the same state, and likewise (s1,b) and (s2,b),
  » can replace the explicit transitions (s1,a), (s1,b) with a default transition from s1 to s2 (or could go the other way)
  » when parsing input, follow the default transition when no outgoing transition is defined on the input character
  » no input is consumed when following a default transition
[Figure: left, the 5-state DFA from the previous slide with all 20 labelled transitions; right, the same automaton as a D²FA, with shared transitions replaced by default transitions]
9
Selecting Default Transitions
[Figure: the 5-state DFA from the previous slide (20 edges); an alternate (and better) D²FA that needs only 9 edges; the space reduction graph, whose edge weights (2 or 3) are the potential savings; its maximum-weight spanning tree, with tree edges directed towards the chosen root]
10
Trading off Time and Space
• Sort edges in the space-reduction graph by length (weight)
• For each edge, add it to the “forest” so long as it does not create a cycle or a tree with excessive diameter
• Choose the root of each tree at the “most central node”
• Direct default transitions towards the roots
[Figure: sorted edge list {1,2} {4,5} {1,5} {2,4} {1,4} {2,5} {1,3} {3,5} {3,4} {2,3}; the space reduction graph with weights 2 and 3; the resulting D²FA with diameter bound 2]
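The procedure of this slide and the two before it, as an added Python example that is not part of the slides or the authors' implementation. It assumes a constructed 5-state DFA over a, b, c, d (accept flags omitted) and the weight rule "shared transitions minus one" for the space-reduction graph; it builds the bounded-diameter forest, directs default transitions towards each tree's most central node, and exposes step() so every lookup can be compared with the original DFA.

```python
from collections import deque
from itertools import combinations

ALPHABET = "abcd"
# Constructed 5-state DFA (assumption, not the slide's figure; accept flags omitted): state -> {symbol: next}
DFA = {1: {"a": 2, "b": 3, "c": 4, "d": 1}, 2: {"a": 2, "b": 3, "c": 4, "d": 5},
       3: {"a": 2, "b": 3, "c": 5, "d": 1}, 4: {"a": 2, "b": 3, "c": 4, "d": 5},
       5: {"a": 2, "b": 3, "c": 4, "d": 1}}

def bfs(adj, src):  # hop distances from src within its tree of the default-transition forest
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def build_d2fa(dfa, diameter_bound):
    """Kruskal over the space-reduction graph (weight = shared transitions - 1, since the default edge
    costs one slot), rejecting edges that close a cycle or exceed the diameter bound; defaults then point towards roots."""
    edges = sorted(((sum(dfa[u][c] == dfa[v][c] for c in ALPHABET) - 1, u, v)
                    for u, v in combinations(dfa, 2)), reverse=True)
    adj = {s: set() for s in dfa}
    for w, u, v in edges:
        if w <= 0 or v in bfs(adj, u):  # no saving, or u and v already share a tree
            continue
        adj[u].add(v); adj[v].add(u)
        if max(max(bfs(adj, x).values()) for x in bfs(adj, u)) > diameter_bound:
            adj[u].discard(v); adj[v].discard(u)  # undo: diameter bound violated
    d2fa, seen = {s: {"t": dict(dfa[s]), "default": None} for s in dfa}, set()
    for s in dfa:
        if s in seen:
            continue
        tree = bfs(adj, s)
        seen.update(tree)
        root = min(tree, key=lambda x: max(bfs(adj, x).values()))  # minimum eccentricity = most central
        level = bfs(adj, root)
        for u in level:
            if u != root:  # parent = the neighbour one hop closer to the root
                p = next(v for v in adj[u] if level[v] == level[u] - 1)
                d2fa[u]["default"] = p
                d2fa[u]["t"] = {c: n for c, n in dfa[u].items() if dfa[p][c] != n}
    return d2fa

def step(d2fa, state, sym):  # consume one symbol: follow defaults (no input consumed) until a labelled edge matches
    while sym not in d2fa[state]["t"]:
        state = d2fa[state]["default"]
    return d2fa[state]["t"][sym]
```

With diameter bound 2 the constructed DFA's 20 transitions shrink to 12 edges (labelled plus default); with bound 4 a single tree forms and 10 edges remain, at the cost of longer default chains.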
11
Sample Results
• Sample data set of 612 regular expressions
• Original DFA has 11.3K states, 2.3M transitions
• Transitions in D²FA
  » with no depth bound, 0.75% of original
  » with depth bound of 5, 1.07%
  » with depth bound of 2, 2.54%
  » with depth bound of 1, 20.70%
• Depth bound of d implies d+1 memory accesses per input character
12
Representing D²FA
• 95% of states have ≤2 outgoing transitions
• Represent states with few transitions using a list
• Represent the others with a vector (for direct access)
[Figure: list representation and vector representation of a state]
13
Changing Performance Criteria
• Real objective is bounded time per packet
  » amortized complexity, not worst-case
  » earn a “credit” for every normal transition
  » “spend” a credit for each default transition
  » choose default transitions to guarantee we are never in debt
• Simple way to ensure ≥0 credits
  » label states according to distance from the start state
  » restrict default transitions to go from larger labels to smaller
  » bonus – simpler computation
    – perform breadth-first search
    – at each node, select the best edge allowed for the default transition
• ≤2 memory accesses per character
[Figure: D²FA with states labelled by distance from the start state (0, 1, 2, 1, 1); default transitions only go from larger to smaller labels]
14
How Well Does It Work?
• On a typical set of patterns
  » number of transitions reduced to 1% of original
  » depth-bounded D²FA with bound of 1 requires 20%
• Can extend to reduce the number of accesses
  » default transitions from depth d states to depth ≤ d–k
  » at most (k+1)/k memory accesses per input character
    – so for k=3, 1.33 accesses per char
  » number of transitions, usage relative to original
    – for k=2, 1.8%
    – for k=3, 5.5%
    – for k=4, 11.6%
15
Content Addressing
• For nodes with default transitions,
  » store selected “content” with predecessors
  » predecessors use content to skip over default transitions
• Potential for collisions
[Figure: states R, U, V with predecessors X (f/R), Y (g/R,ab) and Z (h/R,ab,cd). From Y: if the next input ∉ {a,b} goto R, else goto hash(R,ab)=U. From Z: if the next input ∉ {a,b,c,d} goto R, else if the next input ∉ {c,d} goto hash(R,ab)=U, else goto hash(R,abcd)=V]
16
Collisions in Content Addressing
• Addressing conflicts must be resolved
  » in the example, X and Y must go to different next states U and V, but would normally both use hash(R,ab)
[Figure: states R, U, V with predecessors X (g/R,ab) and Y (h/R,ab)]
• Solution 1: use hash(R,ba) to reach V (Y becomes h/R,ba)
• Solution 2: add discriminator bits to both hashes (h/R,ab101 and g/R,ab011)
17
Selecting Content Addresses
• For each state
  » list possible content addresses
  » compute the hash for each
• Construct a bipartite graph
  » states at left
  » storage locations at right
  » edges from states to possible storage locations
• Construct a perfect matching
  » easy to do when there are enough choices (and usually there are)
  » add discriminator bits to get more choices
  » or, add extra storage locations
[Figure: bipartite graph with states U, V, X, Y on the left and storage locations ab0, ab1, ba0, ba1 on the right]
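Slides 16 and 17 in code, as an added example that is not from the slides or the authors' design: each state's alternative content strings are hashed with a constructed toy hash, discriminator bits widen the set of candidate locations, and a perfect matching found by augmenting paths assigns distinct storage locations or reports that the collisions cannot be resolved. The content strings "R,ab" and "R,ba", the table size and the hash function are assumptions.

```python
TABLE_SIZE = 64  # constructed: number of storage locations in the toy memory

def toy_hash(key):
    """Constructed stand-in for the hardware hash: polynomial fold of the key bytes."""
    h = 0
    for byte in key.encode():
        h = (h * 31 + byte) % TABLE_SIZE
    return h

def candidate_locations(contents, bits):
    """Every storage location a state may occupy: each alternative content string
    (e.g. "R,ab" or "R,ba"), extended with each possible discriminator value."""
    return sorted({toy_hash(f"{c}#{d}") for c in contents for d in range(2 ** bits)})

def assign_addresses(states, bits):
    """Perfect matching of states to distinct storage locations by augmenting paths
    (Kuhn's algorithm on the bipartite graph). Returns {state: location}, or None
    when no perfect matching exists, i.e. the collisions cannot be resolved with these choices."""
    cands = {s: candidate_locations(c, bits) for s, c in states.items()}
    owner = {}  # storage location -> state currently assigned to it

    def place(state, tried):
        for loc in cands[state]:
            if loc in tried:
                continue
            tried.add(loc)
            # take a free location, or evict the occupant if it can move elsewhere
            if loc not in owner or place(owner[loc], tried):
                owner[loc] = state
                return True
        return False

    for state in states:
        if not place(state, set()):
            return None
    return {state: loc for loc, state in owner.items()}

# Constructed scenario after slide 16: X and Y both want hash(R,ab) for their next states U and V.
COLLIDING = {"U": ["R,ab"], "V": ["R,ab"]}
WITH_ALTERNATIVE = {"U": ["R,ab"], "V": ["R,ab", "R,ba"]}  # solution 1: also offer hash(R,ba)
```

Without discriminator bits the two identical contents collide and no matching exists; offering hash(R,ba) as an alternative (solution 1) or adding one discriminator bit (solution 2) gives the matcher enough choices to place both states.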
18
Coping with State Explosion
• Large pattern sets can produce DFAs with too many states
  » even after conversion to D²FA, space can be impractically large
  » one solution: partition patterns and form several DFAs or D²FAs
    – greatly reduces the number of states
    – but requires processing each packet multiple times
• Observation:
  » well-behaved flows rarely visit states far from the start state
• Fast-path/slow-path
  » fast path for “shallow states”
  » slow path handles suspect flows
[Figure: NFA for (ab.*c)|(ac.*b)|(ba.*a) over the alphabet a, b, c; the resulting DFA has 20 states, but the state count nearly doubles with each additional pattern; partitioning into 3 DFAs (one per pattern, one of them shown) gives a total of 12 states]
19
Sample Fast Path Construction
• Start with k DFAs for the slow path
• Construct a vector-DFA that tracks the states of the smaller DFAs
  » cut off when past the target depth
  » or, cut off based on the probability of a good flow reaching a given state
[Figure: the three 4-state DFAs for ab.*c, ac.*b and ba.*a, and the fast path DFA with 13 states (0 to 12); each fast path state carries the vector of component DFA states and its depth, as below]
state vector  depth
000  0
110  1
001  1
201  2
020  2
112  2
212  3
300  3
031  3
120  3
113  3
202  3
022  3
20
Fast Path/Slow Path Operation
• Flows are processed by the fast path as long as they stay in shallow states
• Slow-path flows are processed by multiple DFAs
  » takes more time per packet
  » must keep more state between packets
• Return to the fast path after enough time in shallow states
• Mitigating DoS attack
  » an attacker can interfere with good flows in the slow path by sending lots of slow-path traffic
  » per-flow queues in the slow path can help, but are not a complete solution
  » adjust the priority of flows based on time spent in the slow path
[Figure: fast path with its state memory, slow path with its state memory]
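The fast-path construction and the fast/slow hand-off of the last two slides, as an added Python example rather than the authors' code. The three component DFAs for ab.*c, ac.*b and ba.*a are derived from the patterns; with depth cut-off 3 the vector-DFA has exactly the 13 states tabulated above. The immediate return to the fast path on re-entering a shallow state and the label/return format are assumptions (the slides leave the return policy to "enough time in shallow states").

```python
from collections import deque

ALPHABET = "abc"
PATTERNS = [("a", "b", "c"), ("a", "c", "b"), ("b", "a", "a")]  # ab.*c, ac.*b, ba.*a

def pattern_dfa(x, y, z):
    """4-state DFA for the unanchored pattern x y .* z (requires x != y):
    0 = nothing seen, 1 = saw x, 2 = saw xy (waiting for z), 3 = matched (absorbing)."""
    return [{s: 1 if s == x else 0 for s in ALPHABET},
            {s: 1 if s == x else 2 if s == y else 0 for s in ALPHABET},
            {s: 3 if s == z else 2 for s in ALPHABET},
            {s: 3 for s in ALPHABET}]

DFAS = [pattern_dfa(*p) for p in PATTERNS]
SLOW = None  # hand-off marker: successor lies beyond the fast path's depth cut-off

def build_fast_path(dfas, max_depth):
    """Vector-DFA whose states are tuples of component-DFA states, explored breadth-first
    from the all-zero vector and cut off at max_depth; deeper successors hand off to the slow path."""
    start = (0,) * len(dfas)
    depth, table, queue = {start: 0}, {}, deque([start])
    while queue:
        vec = queue.popleft()
        table[vec] = {}
        for sym in ALPHABET:
            nxt = tuple(d[s][sym] for d, s in zip(dfas, vec))
            if nxt not in depth:  # BFS order guarantees this is nxt's minimum depth
                depth[nxt] = depth[vec] + 1
                if depth[nxt] <= max_depth:
                    queue.append(nxt)
            table[vec][sym] = nxt if depth[nxt] <= max_depth else SLOW
    return table

def scan(dfas, table, data):
    """Process one flow: fast path (a single table lookup per byte) while the vector state
    stays shallow; slow path (one lookup per component DFA) once it has gone deep, returning
    to the fast path as soon as the vector is a shallow state again (assumed policy)."""
    vec, path = (0,) * len(dfas), []
    for sym in data:
        if vec in table and table[vec][sym] is not SLOW:
            vec, label = table[vec][sym], "fast"
        else:
            vec, label = tuple(d[s][sym] for d, s in zip(dfas, vec)), "slow"
        path.append(label)
    matched = [i for i, s in enumerate(vec) if s == 3]  # component DFAs in their accept state
    return path, matched
```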
21
Simulation of DoS Mitigation
• Constant attack traffic – adjust time spent in deep states
[Figure: throughput of good flows vs. time (seconds), with and without DoS mitigation, for slow path loads of no overload, moderate overload and extreme overload]
22
Summary
• Reducing space needed for reg-ex matching
  » D²FAs use default transitions joining similar states
  » constraining default transitions to go to shallower states ensures good amortized performance
  » content addressing for skipping over default transitions
• Coping with state explosion
  » slow path processes packets through k small DFAs
  » fast path processes packets using a DFA on shallow states
  » requires DoS mitigation to deal with attacks on the slow path
• Other issues
  » bounded iteration causes excessive growth in the state table
  » requires systematic use of counters
    – state vector containing control state plus counter values
    – state machine transitions depend on & manipulate counters