Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation
Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach
Publisher: IEEE INFOCOM 2014
Presenter: Yen-Chun Tseng
Date: 2014/09/24
Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.
Introduction
Use a DFA-tree to address the slow matching speed of NFAs and the state-space explosion problem of DFAs.
Use the Compact Overapproximate DFA (CODFA) as the building block for DFA-tree construction.
National Cheng Kung University CSIE Computer & Internet Architecture Lab
A CODFA (Compact Overapproximate DFA) keeps only the most frequent or “hot” states of the DFA and the transitions between them, and collapses the remaining states into a single state.
This operation is called “shrink”.
Problems encountered
If input strings are dirty.
Approximation errors.
How to choose the “hot” state.
If input strings are dirty
Such attacks or poor performance are easy to detect and, if persistent, the ISP can temporarily switch to DFA-set matching.
switch to DFA-set matching
D12
D9 D10 D11
D1 D2 D3 D4 D5 D6 D7 D8
It needs to check 12 states in the worst case.
DFA-set: D1 D2 D3 D4 D5 D6 D7 D8
This is 1.5X (50%) faster than if the DFA-tree was used.
It only needs 8 states.
Approximation Errors
D3: VIR*
D1: VIRUS    D2: VIRAL
Input: VIRUL
Select more hot states.
choose the “hot” state
A solution may exist, but we may fail to find it. However, we have not encountered this in practice.
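If $Q$ is ordered as $\{q_0, q_1, \dots, q_{|Q|-1}\}$, we restrict our search for $H$ to the $|Q|$ sets of valid candidates of the form $H_k = \{q_0, q_1, \dots, q_k\}$:
$\{q_0\} = H_0 \subset H_1 \subset \dots \subset H_k \subset \dots \subset H_{|Q|-1} = Q$. We aim for $F^{+}_{I}(D_{H_k}, D) \le \varepsilon$.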
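The shrink operation and the search over the nested candidates H_k, as an added Python example (not code from the paper or the slides): it builds the exact DFA for the slide's VIRUS and VIRAL signatures, profiles a constructed traffic sample, and returns the smallest H_k whose error on that sample is at most ε. Assumptions: anchored whole-string matching, Q ordered by visit count, the error measured as the false-positive rate on the sample, and the collapsed state treated as an accepting sink.

```python
from collections import Counter
DEAD = -1  # explicit dead state of the exact DFA

def build_dfa(words):
    """Anchored exact-match DFA (a trie): start state 0, missing edges go to DEAD."""
    delta, accept, n = {}, set(), 1
    for w in words:
        s = 0
        for ch in w:
            if (s, ch) not in delta:
                delta[(s, ch)], n = n, n + 1
            s = delta[(s, ch)]
        accept.add(s)
    return delta, accept, [0, DEAD] + list(range(1, n))

def run(delta, accept, text, hot=None):
    """Return (matched, visited states). With `hot` set, this runs the shrunk DFA."""
    s, path = 0, [0]
    for ch in text:
        s = delta.get((s, ch), DEAD)
        if hot is not None and s not in hot:
            return True, path      # collapsed state, assumed to be an accepting sink
        path.append(s)
        if s == DEAD:
            return False, path
    return s in accept, path

def fp_rate(delta, accept, hot, sample):
    """Fraction of sample strings the shrunk DFA accepts but the exact DFA rejects."""
    fp = sum(run(delta, accept, t, hot)[0] and not run(delta, accept, t)[0] for t in sample)
    return fp / len(sample)

def choose_hot(delta, accept, states, sample, eps):
    """Order Q by visit count, then return the smallest prefix H_k with FP rate <= eps."""
    visits = Counter(q for t in sample for q in run(delta, accept, t)[1])
    order = sorted(states, key=lambda q: -visits[q])   # stable: start state stays first
    for k in range(len(order)):
        hot = set(order[:k + 1])
        if fp_rate(delta, accept, hot, sample) <= eps:
            return hot
    return set(order)

# Constructed sample traffic; the signatures are the slide's VIRUS and VIRAL.
SAMPLE = ["HELLO", "VIDEO", "VISIT", "VIRTUAL", "VIRUL", "HTTP", "VIRUS", "GET", "POST", "VIEW"]
DELTA, ACCEPT, STATES = build_dfa(["VIRUS", "VIRAL"])
HOT = choose_hot(DELTA, ACCEPT, STATES, SAMPLE, eps=0.1)

if __name__ == "__main__":
    print("hot:", sorted(HOT), "of", len(STATES), "states; VIRUL exact/shrunk:",
          run(DELTA, ACCEPT, "VIRUL")[0], run(DELTA, ACCEPT, "VIRUL", HOT)[0])
```

With ε = 0.1 the shrunk DFA behaves like VIR* and accepts VIRUL; lowering ε to 0 adds one more hot state and the false match disappears.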
Experimental Evaluation
The average space overhead was 15%. Worst-case attacks can only achieve a 26% slowdown on average.
Shrinking is effective:
an approximation error rate of 0.2%
the average compression is 97%.