Fast and memory-efficient regular expression matching for deep packet inspection

Fang, Yu; Chen, Zhifeng; Diao, Yanlei; Lakshman, T. V.; Katz, Randy H.

doi:10.1145/1185347.1185360

Cited by 411 publications

(324 citation statements)

References 17 publications

Supporting

Mentioning

314

Contrasting

Unclassified

Order By: Relevance

“…For each input character, the DFA makes one access to the state transition table (STT), performs a constant amount of computation, and finds a single transition target. While being computationally efficient (and optimal), the DFA can suffer from state explosion [12,22,27] during its construction, where the number of states required by the DFA is quadratically or exponentially larger than the original NFA [17,27]. State explosion can be caused by certain regex patterns, or by combining several non-exploding patterns in one DFA [27].…”

Section: Rem By Deterministic Finite Automatamentioning

confidence: 99%

“…For some regexes, converting the O(n)-state NFA to a DFA can generate an excessively large STT with up to O(2 n ) states and O(2 n |Σ|) transitions, a phenomenon known as the exponential state explosion [17,27]. In these cases, DFA-based REM becomes impractical on multi-core systems for several reasons.…”

Section: Introductionmentioning

confidence: 99%

“…Alternatively, the regex can be converted to a deterministic finite automaton (DFA) for efficient matching, which however may require an extremely large state transition table (STT) due to exponential state explosion [17,27]. We propose the segmented regex-NFA (SR-NFA) architecture, where the regex is first compiled into modular nondeterministic finite automata (NFA), then partitioned, optimized, and matched efficiently on modern multi-core processors.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems

Yang

Prasanna

2011

2011 International Conference on Parallel Architectures and Compilation Techniques

View full text Add to dashboard Cite

Abstract-Conventionally, regular expression matching (REM) has been performed by sequentially comparing the regular expression (regex) to the input stream, which can be slow due to excessive backtracking [21]. Alternatively, the regex can be converted to a deterministic finite automaton (DFA) for efficient matching, which however may require an extremely large state transition table (STT) due to exponential state explosion [17,27]. We propose the segmented regex-NFA (SR-NFA) architecture, where the regex is first compiled into modular nondeterministic finite automata (NFA), then partitioned, optimized, and matched efficiently on modern multi-core processors. SR-NFA offers attack-resilient multi-gigabit per second matching throughput, does not suffer from either backtracking or state explosion, and can be rapidly constructed. For regex sets that construct a DFA with moderate state explosion, i.e., on average 200k states in the STT, the proposed SR-NFA is 367k times faster to construct and update and use 23k times less memory than the DFA approach. Running on an 8-core 2.6 GHz Opteron platform, our prototype achieves 2.2 Gbps average matching throughput for regex sets with up to 4,000 SR-NFA states per regex set.

show abstract

Section: Rem By Deterministic Finite Automatamentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems

Yang

Prasanna

2011

2011 International Conference on Parallel Architectures and Compilation Techniques

View full text Add to dashboard Cite

show abstract

“…In [6] Fang Yu et al systematically analyze the regular expressions which are commonly used in networking applications. They analyze individual regular expressions that will lead DFAs with quadratic size or exponential size, and show that traditional methods are prohibitively high for patterns used in packet scanning applications.…”

Section: Related Workmentioning

confidence: 99%

“…However, memory requirements are high in practical deep packet inspection. For practical networking applications, since we don't have any prior knowledge of whether/where a matching substring may appear, most applications compile the rules together into a single one-pass search mode DFA [6] to achieve O (1) processing complexity. This means ".…”

Section: Introductionmentioning

confidence: 99%

Fast and Memory-Efficient Regular Expression Matching Using Transition Sharing

Zhang

Luo

Fang

et al. 2009

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYScanning packet payload at a high speed has become a crucial task in modern network management due to its wide variety applications on network security and application-specific services. Traditionally, Deterministic finite automatons (DFAs) are used to perform this operation in linear time. However, the memory requirements of DFAs are prohibitively high for patterns used in practical packet scanning, especially when many patterns are compiled into a single DFA. Existing solutions for memory blow-up are making a trade-off between memory requirement and memory access of processing per input character. In this paper we proposed a novel method to drastically reduce the memory requirements of DFAs while still maintain the high matching speed and provide worst-case guarantees. We removed the duplicate transitions between states by dividing all the DFA states into a number of groups and making each group of states share a merged transition table. We also proposed an efficient algorithm for transition sharing between states. The high efficiency in time and space made our approach adapted to frequently updated DFAs. We performed several experiments on real world rule sets. Overall, for all rule sets and approach evaluated, our approach offers the best memory versus run-time trade-offs.

show abstract

References

2010

System Design for Telecommunication Gateways

View full text Add to dashboard Cite

Fast and memory-efficient regular expression matching for deep packet inspection

Cited by 411 publications

References 17 publications

Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems

Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems

Fast and Memory-Efficient Regular Expression Matching Using Transition Sharing

References

Contact Info

Product

Resources

About