deflating the big bang: fast and scalable deep packet inspection with extended finite automata
DESCRIPTION
Deflating the Big Bang: Fast and Scalable Deep Packet Inspection with Extended Finite Automata. Date:101/3/21 Publisher:SIGCOMM 08 Author: Randy Smith Cristian Estan Somesh Jha Shijin Kong Ioannidis Presenter : Shi- qu Yu. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
Deflating the Big Bang: Fast and Scalable Deep Packet Inspection with Extended Finite Automata
Date:101/3/21Publisher:SIGCOMM 08Author:Randy Smith Cristian Estan Somesh Jha Shijin KongIoannidisPresenter : Shi-qu Yu
IntroductionRegular expressions are typically implemented as either
deterministic finite automata (DFAs) or nondeterministic finite automata (NFAs). Like strings, DFAs are fast and can be readily combined. However, for many common signatures their combination exhibits an explosion in the state space
UNDERSTANDING STATE EXPLOSION
Eliminating Ambiguity Through Auxiliary Variables
Theorem 1. Let D1 and D2 be DFAs with D1+D2 their standard product combination. If D1 and D2 are unambiguous, then |D1 + D2| < |D1| + |D2|, where |D| is the number of states in D.
Theorem 2. If D1 and D2 are unambiguous, then D1 + D2 is unambiguous.
XFAXFA Construction[31]Combining XFAsMatching to Input
OPTIMIZATIONExposing Runtime InformationCombining Independent VariablesCode Motion and Instruction Merging
Combining Independent Variables
Dataflow AnalysisCompatibility Analysis
Dataflow Analysis
Definition 2. Let Q be the set of states containing a set operation for counter C. Then, C is active at state S if there is at least one sequence of input symbols forming a path of states from a state in Q to S in which no state in the path contains a reset operation for C. Otherwise C is inactive.
Compatibility AnalysisTwo counters can be reduced to one if they are
compatible at all states in the automaton
Combining Independent Variables
Dataflow AnalysisA stream is a sequence of operations that
execute in order. While the stream is executing, the CPU is able
to collect the next batch of packets.
EXPERIMENTAL EVALUATIONData Set:XFAs on FTP, SMTP, and HTTP signatures
from Snort [28] and Cisco Systems.CPU:3.0 GHz Pentium 4