Deep packet inspection an algorithmic view

1
Deep packet inspection an algorithmic view
  • Cristian Estan (U of Wisconsin-Madison)
  • at IEEE CCW 2008

2
Algorithms matter
  • Even non-software solutions using FPGAs and
    ASICs run algorithms
  • Ideal solution: not clear if/when we can get
    there
    • Memory increases linearly with # of sigs (unlike
      DFAs)
    • Complex sigs can contribute more than simple ones
    • Processing constant as # of sigs increases
      (unlike NFAs)
    • No slowdown (except that larger memories may be
      slower)
    • No increase in power usage (except for the bigger
      memories)
    • Processing n bytes at a time costs the following:
      • Up to n-fold increase in memory bandwidth and
        processing
      • No increase in memory size (exponential for naïve
        algorithm)
      • No increase in latency (should be same as for 1
        byte)

3
Some general algorithmic ideas for regex matching
in DPI
  • Exploiting hardware parallelism
  • Slow path/fast path solutions
  • Compressing transition tables
  • Using auxiliary variables with DFAs

4
1. Can hardware parallelism lead to ideal
solution?
  • Match input against multiple sigs independently
  • NFA-based solutions for matching a single sig
    with breadth-first traversal of states can also
    exploit parallelism
  • Advantages
    • Area increases linearly with # of sigs
    • No slowdown as # of sigs increases
  • Challenges when # of sigs gets large
    • Power consumption goes up
    • On-chip communication becomes more costly

5
2. Can slow path/fast path lead to ideal solution?
  • A simpler version of sigs (e.g. string matching)
    is processed in the fast path and if needed, a
    more complex version in the slow path
  • Advantages
    • Can use algorithms that scale well in memory and
      processing in the fast path
    • Can use different technology & algorithm for
      slow path
  • Challenges
    • Algorithmic complexity attacks may trigger the
      slow path so often that the system cannot keep up
    • Measuring performance on traces not enough, must
      quantify worst-case performance an adversary can
      trigger

6
3. Can transition table compression lead to ideal
solution?
  • Exploit the fact that transition tables for
    different states are similar (D2FAs) or that many
    characters are treated similarly (alphabet
    compression tables)
  • Advantages
    • Easy to achieve savings up to a point
    • Works even better for multi-byte matching
  • Challenges
    • Slowdown in matching too big if compression too
      complex
    • Memory still increases when doing multi-byte
      matching
    • Does not help to reduce number of states
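
The alphabet compression table idea from this slide, as an added example that is not part of the original presentation: bytes whose transition-table columns are identical in every state share one class, so each row shrinks from 256 entries to one per class. The signature strings and the Aho-Corasick construction used to obtain a DFA are assumptions chosen for illustration.

```python
SIGS = [b"GET", b"HEAD", b"cmd.exe"]  # constructed signature set (assumption, not from the slides)

def build_dfa(sigs):
    """Aho-Corasick automaton expanded into a full DFA: table[state][byte] -> state."""
    goto, out = [{}], [set()]
    for i, sig in enumerate(sigs):              # build the trie of all signatures
        st = 0
        for b in sig:
            if b not in goto[st]:
                goto.append({})
                out.append(set())
                goto[st][b] = len(goto) - 1
            st = goto[st][b]
        out[st].add(i)
    table, fail = [[0] * 256 for _ in goto], [0] * len(goto)
    for b, nxt in goto[0].items():
        table[0][b] = nxt
    queue = list(goto[0].values())
    for st in queue:                            # BFS by depth; queue grows as we go
        for b in range(256):
            if b in goto[st]:
                nxt = goto[st][b]
                fail[nxt] = table[fail[st]][b]  # longest proper suffix that is a prefix
                out[nxt] |= out[fail[nxt]]
                table[st][b] = nxt
                queue.append(nxt)
            else:
                table[st][b] = table[fail[st]][b]
    return table, out

def compress_alphabet(table):
    """Give bytes with identical columns (same next state in every state) one class."""
    classes, byte_to_class = {}, [0] * 256
    for b in range(256):
        column = tuple(row[b] for row in table)
        byte_to_class[b] = classes.setdefault(column, len(classes))
    small = [[0] * len(classes) for _ in table]
    for b in range(256):
        for st, row in enumerate(table):
            small[st][byte_to_class[b]] = row[b]
    return byte_to_class, small

def match(data, table, out, byte_to_class=None):
    """Return indices of signatures found; one extra lookup per byte if compressed."""
    st, hits = 0, set()
    for b in data:
        st = table[st][byte_to_class[b] if byte_to_class else b]
        hits |= out[st]
    return hits
```

For these three signatures the 15-state table shrinks from 256 columns to 13 at the cost of one extra lookup per input byte, and the number of states is unchanged.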

7
4. Can DFAs + auxiliary variables lead to ideal
solution?
  • Associate with some DFA states programs
    manipulating auxiliary variables
  • DFAs become simpler, no state space explosion
  • Advantages
    • Memory (# of states) increases linearly with
      # of sigs
    • Processing increases only slightly with # of sigs
  • Disadvantages
    • Average program length increases (slowly) with
      # of sigs
    • Algorithmic complexity attacks can cause (small)
      slowdown
    • Does not solve multi-byte matching