Bypassing Space Explosion in High-Speed Regular Expression Matching

Patel, Jignesh; Liu, Alex X.; Torng, Eric

doi:10.1109/tnet.2014.2309014

Cited by 18 publications

(9 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Patel et al . has found another drawback of automata construction algorithm where multiple NAFs are joined into a large DFA and then minimize it. That leads to an expensive subset construction from NFAs to DFAs for large NFAs and maybe a small final minimized DFA cannot be generated because of the failure of subset construction.…”

Section: Related Workmentioning

confidence: 99%

“…Compared with D 2 FA, A-DFA results in at most 2N.k C 1/=k state traversals when processing an input string of length N, k being a positive integer, and yields a 10fold improvement in compression ratio. Patel et al [10] has found another drawback of automata construction algorithm where multiple NAFs are joined into a large DFA and then minimize it. That leads to an expensive subset construction from NFAs to DFAs for large NFAs and maybe a small final minimized DFA cannot be generated because of the failure of subset construction.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

RICS‐DFA: a space and time‐efficient signature matching algorithm with Reduced Input Character Set

Tang

Jiang

Dai

et al. 2016

Concurrency and Computation

View full text Add to dashboard Cite

Summary Regular expression matching as a core component of deep packet inspection is widely used in various kinds of modern network intrusion detection system, traffic classification system, network monitoring system, and so on. In these systems, regular expressions are typically converted to a deterministic finite automaton (DFA), which takes O(1) to scan each input character. However, DFA generally consumes a large amount of memory. This paper proposes a novel, space‐efficient and time‐efficient DFA presentation, called reduced input character set DFA (RICS‐DFA). A character escaping and replacing scheme is first introduced to decrease the size of DFA's character set and then to reduce DFA's space requirement with a series of optimization techniques. Based on transition rewriting, a RICS‐DFA constructing algorithm with time complexity of O(n) is presented in this paper. For real rule‐sets, RICS‐DFA reduces the memory consumption by 68–92%, compared with the original DFA. Finally, this paper designs a scalable RICS‐DFA matching engine on field‐programmable gate array platform in which the reduced state transition matrix is mapped to on‐chip memories. The throughput of executing deep packet inspection for real rule‐sets can achieve 7–50.5 Gbps. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

RICS‐DFA: a space and time‐efficient signature matching algorithm with Reduced Input Character Set

Tang

Jiang

Dai

et al. 2016

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…Existing proposals targeting DFA-based solutions have focused on two aspects: (i) designing compression schemes aimed at minimizing the DFA memory footprint; and (ii) devising new automata to alternate DFAs in case of state explosion. Alphabet reduction [5,[22][23][24], run-length encoding [5], default transition compression [22,25], state merging [7] and delta-FAs [26] fall in the first category, while multiple-DFAs [5,6], hybrid-FAs [7], history-based-FAs [8], XFAs [9], counting-FAs [10], and JFAs [11] fall in the second category. All of these solutions, however, have been designed to operate on reassembled packet streams.…”

Section: Background and Related Workmentioning

confidence: 99%

O3fa

Feng

Yao

et al. 2016

Proceedings of the 2016 Symposium on Architectures for Networking and Communications Systems

View full text Add to dashboard Cite

To match the signatures of malicious traffic across packet boundaries, network-intrusion detection (and prevention) systems (NIDS) typically perform pattern matching after flow reassembly or packet reordering. However, this may lead to the need for large packet buffers, making detection vulnerable to denial-of-service (DoS) attacks, whereby attackers exhaust the buffer capacity by sending long sequences of out-of-order packets. While researchers have proposed solutions for exact-match patterns, regular-expression matching on out-of-order packets is still an open problem. Specifically, a key challenge is the matching of complex sub-patterns (such as repetitions of wildcards matched at the boundary between packets). Our proposed approach leverages the insight that various segments matching the same repetitive sub-pattern are logically equivalent to the regular-expression matching engine, and thus, interchanging them would not affect the final result. In this paper, we present O 3 FA, a new finite automata-based, deep packet-inspection engine to perform regular-expression matching on out-of-order packets without requiring flow reassembly. O 3 FA consists of a deterministic finite automaton (FA) coupled with a set of prefix-/suffix-FA, which allows processing outof-order packets on the fly. We present our design, optimization, and evaluation for the O 3 FA engine. Our experiments show that our design requires 20x-4000x less buffer space than conventional buffering-and-reassembling schemes on various datasets and that it can process packets in real-time, i.e., without reassembly. Several solutions have been proposed to address the problem of processing out-of-order packets in NIDS. One approach that is widely adopted in current network devices is packet buffering and stream reassembling [14, 16-18]. In this case, incoming packets are buffered and packet streams are reassembled based on the

show abstract

“…Most studies have focused on compression technologies [ 25 , 26 , 27 , 28 , 29 , 30 , 31 , 32 ] to restrain the DFA expansion problem. Classical compression algorithms such as D

FA [ 25 ] and A-DFA [ 26 ] were devised to reduce the space cost of DFA with performance guarantees.…”

Section: Introductionmentioning

confidence: 99%

Offset-FA: A Uniform Method to Handle Both Unbounded and Bounded Repetitions in Regular Expression Matching

Yu²,

Xu³

et al. 2022

Sensors

View full text Add to dashboard Cite

With the exponential growth of cyber–physical systems (CPSs), security challenges have emerged; attacks on critical infrastructure could result in catastrophic consequences. Intrusion detection is the foundation for CPS security protection, and deep-packet inspection is the primary method for signature-matched mechanisms. This method usually employs regular expression matching (REM) to detect possible threats in the packet payload. State explosion is the critical challenge for REM applications, which originates primarily from features of large character sets with unbounded (closures) or bounded (counting) repetitions. In this work, we propose Offset-FA to handle these repetitions in a uniform mechanism. Offset-FA eliminates state explosion by extracting the repetitions from the nonexplosive string fragments. Then, these fragments are compiled into a fragment-DFA, while a fragment relation table and a reset table are constructed to preserve their connection and offset relationship. To our knowledge, Offset-FA is the first automaton to handle these two kinds of repetitions together with a uniform mechanism. Experiments demonstrate that Offset-FA outperforms state-of-the-art solutions in both space cost and matching speed on the premise of matching correctness, and achieves a comparable matching speed with that of DFA on practical rule sets.

show abstract

Bypassing Space Explosion in High-Speed Regular Expression Matching

Cited by 18 publications

References 30 publications

RICS‐DFA: a space and time‐efficient signature matching algorithm with Reduced Input Character Set

RICS‐DFA: a space and time‐efficient signature matching algorithm with Reduced Input Character Set

O3fa

Offset-FA: A Uniform Method to Handle Both Unbounded and Bounded Repetitions in Regular Expression Matching

Contact Info

Product

Resources

About