1 / 19

Enhancing Network Traffic Matching with Speculative Parallel Pattern Matching

This paper presents a novel approach to network traffic matching by transitioning from traditional serial matching to speculative parallel pattern matching (SPPM). Traditional Deterministic Finite Automata (DFA) matching is fundamentally serial due to its pointer-chasing nature. Our method breaks this limitation by dividing input data into multiple chunks, allowing for parallel scanning. We propose initial state guesses for each chunk (except the first), ensuring accuracy through a validation mechanism. The evaluation demonstrates significant enhancements in processing efficiency while maintaining correct matching outcomes.

jela
Télécharger la présentation

Enhancing Network Traffic Matching with Speculative Parallel Pattern Matching

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Speculative Parallel Pattern Matching Author: Daniel Luchaup, Randy Smith, Cristian Estan, Somesh Jha Publisher: IEEE Transactions on Information Forensics and Security Presenter: Zi-Yang Ou Date: 2012/04/11

  2. Introduction • Matching network traffic against a DFA is inherently a serial activity. • We break this inherent serialization imposed by the pointer chasing nature of DFA matching using speculation. • Our method works by dividing the input into multiple chunks and scanning each of them in parallel using traditional DFA matching. • The main idea behind our algorithm is to guess the initial state for all but the first chunk, and then to make sure that this guess does not lead to incorrect results.

  3. Background

  4. Signature Types • Suffix-closed regular expressions • Prefix-closed regular expressions (PREs) Ex: .*VIRUS.* • Anchored regular expressions (Non-PRE) Ex: VIRUS • General regular expressions (GREs) unrestricted, arbitrary regular expressions

  5. Example of Using Speculation coupling validation region : IRUL

  6. Statistical Support for Speculative Matching The typical maximum TCP packet length is 1500 bytes. We contend that the length of the validation region will be small.

  7. Basic SPPM Algorithm

  8. SPPM for Single-Threaded Software

  9. SPPM for Parallel Hardware

  10. SPPM for Parallel Hardware

  11. Anchored Regular Expressions

  12. General Case: Matching GREs

  13. Bounding the Validation Region

  14. Experimental Setup

  15. Evaluation of Algorithm 3 (Single Threaded, Software Implementation)

  16. Evaluation of Algorithm 4 (Basic SPPM for Prefix Closed Regular Expressions) Using Simulation

  17. Validation Region

  18. Evaluation of Algorithm 6 (SPPM for GREs) Using Simulation

  19. Evaluation of Algorithm 7 (SPPM for PRE, With Bounded Validation Region) Using Simulation

More Related