Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:

Deep Packet Inspection with DFA-trees and Parametrized Language

Overapproximation

Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach

Publisher: IEEE INFOCOM 2014

Presenter: Yen-Chun Tseng

Date: 2014/09/24

Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.

Introduction

Use DFA-tree to improve the speed of matching in NFA and the state-space explosion problem in DFA.

Use the concept of Compact Overapproximate DFA (CODFA) as the building block for the DFA-tree construction.

National Cheng Kung University CSIE Computer & Internet Architecture Lab

2

DFA-tree


3

DFA combination


4

CODFA(Compact Overapproximate DFA) only keeps the most frequent or “hot” states

of DFA and the transitions between them, and collapses the remaining states into a single state.

call this “shrink”


5

CODFA


6

DFA-tree


7

Encounter problem

If input strings are dirty. Approximation errors. How to choose the “hot” state.


8

If input strings are dirty

Such attacks or poor performance are easy to detect and, if persistent, the ISP can temporary switch to DFA-set matching


9

switch to DFA-set matching


10

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



11

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



12

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



13

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



14

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



15

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



16

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



17

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



18

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



19

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



20

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6



21

D12

D9 D10 D11

D1 D2 D3 D4 D5 D8D7D6

It need to check 12 states in the worst case



22

D1 D2 D3 D4 D5 D8D7D6

This is 1.5X (50%) faster than if DFA-trees was used

Only needs 8 states

Approximation Errors


23

D3

D1 D2

VIRUS VIRAL

VIR*

Input : VIRUL



24

D3

D1 D2

VIRUS VIRAL

VIR*

Input : VIRUL



25

D3

D1 D2

VIRUS VIRAL

VIR*

Input : VIRUL



26

D3

D1 D2

VIRUS VIRAL

VIR*

Input : VIRUL


Select more hot states.


27

choose the “hot” state

a solution may exist, but we may fail to find it. However, we have not encountered this in practice.


28

choose the “hot” state

If Q is ordered as {q0, q1, ..., q|Q|−1}, we restrict our search for H to the |Q| sets of valid candidates of the form Hk={q0, q1, ..., qk}

{q0}=H0 H⊂ 1 ...H⊂ k... H⊂ |Q|−1=Q. We aim F+I (DHk ,D) ≤ ɛ.


29

Experimental Evaluation

The average space overhead was 15%. Worst-case attacks can only achieve a 26% slow- down on average.

Shrinking is effective:

an approximation error rate of 0.2%

the average compression is 97%.


30

Experimental Evaluation


31

Documents

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher: