Deflating the big bang
作者: Randy Smith , Cristian Estan , Somesh Jha , Shijin Kong
关键词:
摘要: Deep packet inspection is playing an increasingly important role in the design of novel network services. Regular expressions are language choice for writing signatures, but standard DFA or NFA representations unsuitable high-speed environments, requiring too much memory, time, per-flow state. DFAs fast and can be readily combined, doing so often leads to state-space explosion. NFAs, while small, require large state slow.We propose a solution that simultaneously addresses all these problems. We start with first-principles characterization explosion give conditions eliminate it when satisfied. show how auxiliary variables used transform automata they satisfy conditions, which we codify formal model augments simple instructions manipulating them. Building on this model, present techniques, inspired by principles compiler optimization, systematically reduce runtime In our experiments, signature sets from Snort Cisco Systems achieve reductions over four orders magnitude, up factor six, runtimes approach DFAs.
acm.org
sigcomm.org 参考文章(35)
Timothy N. Newsham, Thomas H. Ptacek, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection ,(1998)
Vern Paxson, Bro: a system for detecting network intruders in real-time Computer Networks. ,vol. 31, pp. 2435- 2463 ,(1999) , 10.1016/S1389-1286(99)00112-7
John L. Hennessy, David A. Patterson, Computer architecture (2nd ed.): a quantitative approach Morgan Kaufmann Publishers Inc.. ,(1996)
Vern Paxson, Christian Kreibich, Mark Handley, Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics usenix security symposium. pp. 9- 9 ,(2001)
Scott A. Crosby, Dan S. Wallach, Denial of service via algorithmic complexity attacks usenix security symposium. pp. 3- 3 ,(2003)
Stephen William Hawking, A Brief History of Time: From the Big Bang to Black Holes ,(1988)
Martin Roesch, Snort - Lightweight Intrusion Detection for Networks usenix large installation systems administration conference. pp. 229- 238 ,(1999)
Ioannis Sourdis, Dionisios Pnevmatikatos, Fast, Large-Scale String Match for a 10Gbps FPGA-Based Network Intrusion Detection System field-programmable logic and applications. pp. 880- 889 ,(2003) , 10.1007/978-3-540-45234-8_85
C.R. Clark, D.E. Schimmel, Scalable pattern matching for high speed networks field-programmable custom computing machines. pp. 249- 257 ,(2004) , 10.1109/FCCM.2004.50
Rajeev Motwani, John E. Hopcroft, Jeffrey D. Ullman, Rotwani, Introduction to Automata Theory, Languages, and Computation ,(1979)