深度报文检测中基于GPU的正则表达式匹配引擎*

提出了一种基于GPU的正则表达式匹配引擎来加速深度报文检测中的模式匹配过程。该引擎基于DFA模型,在匹配时每一个GPU线程处理一个报文,通过大量的并行线程来提高引擎的吞吐量。基于NVIDIA GeForce 9800GT GPU的实验表明,该引擎处理实际网络报文时的吞吐量达到了7.91 Gbps。     

基于正则表达式的DFA拆分算法研究

深度包检测采用简单的字符串匹配技术将报文内容与一组固定字符串进行匹配,基于正则表达式匹配算法能提供更强的表达能力和灵活性,而复杂的正则表达式结构可能引起DFA的状态数膨胀,导致存储代价巨大;DFA拆分算法将DFA转换表拆分为三个表：间接索引表,转换输出表,直接转换表,实验结果表明DFA所占空间大大减小,实现了DFA的压缩存储。     

基于多维布隆过滤器的模式匹配引擎

针对传统的模式匹配引擎不具备完整报文检测功能的问题和出现的速度瓶颈,提出了基于FPGA实现的多维布隆过滤器解决方案,设计了能够同时检测报头和有效负载的多模式匹配引擎。引擎使用多维布隆过滤器过滤出可疑报文,由位拆分状态机进行精确匹配。分析和试验结果表明：与传统方法相比,基于多维布隆过滤器的模式匹配引擎可以并行检测报头和报文内容,在降低过滤器误判率的同时,有效提高了引擎的吞吐量。     

正则表达式匹配引擎性能分析

正则表达式具有强大的描述能力,在计算机领域,正则表达式匹配技术应用十分广泛。目前,已经有多个正则表达式匹配引擎,在实际应用中,对于不同的匹配规则集和正则语法,不同的匹配引擎会有不同的性能表现。本文通过对PCRE、Greta、Boost、RE2四种常用正则表达式匹配引擎的性能测试,给出在不用的正则语法情况下的匹配速度,并深入分析不同坏境下适用的正则表达式匹配引擎。对实际系统设计中正则表达式库的选择有指导意义。     

一种用于深度报文检测的DFA状态表压缩方法

基于正则表达式进行深度报文检测在IDS/IPS、应用层协议识别等网络应用中具有重要作用。然而,采用DFA实现正则表达式需要大量的存储空间,限制了它的实际应用。将DFA状态转换表拆分成3个表,使用run-length编码进行压缩,并对压缩方法进行了优化。采用l7-filter中几个常用应用程序的正则表达式进行测试,结果表明该方法压缩效果一般在90%以上。     

高性能正则表达式匹配算法综述

深度检测在维护网络安全、保证服务质量等方面扮演着重要的角色。正则表达式匹配算法作为高性能深度检测的核心技术,具有重要的研究价值和实践意义。随着网络流量不断增长、规则数目持续增多以及网络结构日趋灵活和动态,现有的正则表达式匹配算法面临着匹配速度、内存占用和更新能力等多方面的挑战。介绍了正则表达式匹配算法的研究背景,从空间压缩、匹配加速、新型自动机设计以及规则拆分和分组四个角度入手,分类总结了学术界具有影响力的研究成果。通过基于真实网络流量的评测,比较了几种经典匹配算法在不同规则集上的匹配速度、内存占用和预处理时间等性能指标,并给出了不同需求场景下高效正则表达式匹配算法的选择建议,归纳了高性能正则表达式匹配算法的下一步发展方向。     

基于NP模式的报文检测方法

针对现有网络入侵检测方法中存在的不足,引入否定模式（NP）匹配的策略,提出了基于NP模式的报文检测方法。该方法先从待测报文内容模式集合中找出NP模式,根据NP模式将待测数据流分段;然后通过模式匹配引擎对分段内容进行模式匹配。实验结果表明,该方法能降低误报率,减少报文匹配次数,提高检测效率。     

基于OpenFlow的报文分类算法研究与实现

随着软件定义网络、OpenFlow等技术的兴起,传统的基于5元组的报文分类技术已不能满足OpenFlow基于多元组的细粒度流量控制需求。因此,以分析已有的报文分类算法为基础,采用分而治之的思想,针对OpenFlow报文分类的精确匹配需求,设计实现了一种基于Hash的计数型链表Bloom Filter算法--OF_CBF算法。针对OpenFlow报文分类的通配匹配需求,借鉴正则表达式匹配算法思想,设计实现了基于有限自动机的报文匹配算法--OF_FSMP算法。对两种算法进行分析验证,并初步对两种算法进行了性能分析。     

正则表达式在Web数据验证中的优化机制研究

正则表达式是数据验证技术中功能最为强大的输入控制技术。传统的基于NFA的正则表达式引擎的匹配速度低。通过正则表达式与自动机等价的原理,研究了通过最小化的确定的有限自动机（DFA）来等价实现.NET中正则表达式的数据验证的机制,以期提高正则表达式的匹配速度。     

基于Verilog 的正则表达式编译器的实现

随着网络带宽的快速增长,正则表达式匹配逐渐成为网络数据处理系统的性能瓶颈。为了获得更高的匹配效率,基于FPGA的正则表达式匹配引擎成为近年来的研究热点之一,而将正则表达式高效的转换成硬件描述语言是其中的关键技术。首先分析了正则表达式转换为硬件电路的算法,然后在此算法基础上实现了一个编译器。最后在Modelsim平台上进行了仿真,仿真结果证明了编译器的正确性。     

正则表达式方程组的最小解

网络安全检测中,正则表达式匹配是深度包检测的主要手段,匹配算法则是其关键技术。目前,正则表达式匹配算法可以大体分为转换压缩、状态压缩和字母表压缩三类。文章讨论正则表达式方程组最小解及其求解算法,证明了正则表达式方程组的最小解的存在性和基于Gauss消元法的求解算法的正确性,给出了最小解的构造,分析了求解算法的时间复杂度...     

基于数据包内容的网络异常行为分析方法研究

文章通过模拟网络异常访问行为,对数据包内容进行解剖分析,提取数据内容所反映的异常行为特征,结合数据包包头特征信息,构成基于数据包内容的网络异常行为特征。通过大量模拟实验,以提取的网络异常行为特征为记录,形成异常行为数据库。在网络异常行为检测过程中,将异常行为数据库中的特征翻译成正则表达式,与检测到的数据包内容特征进行匹配,以此较为准确地判断数据包是否臭奄舟靠行为。     

A regular expression matching engine with hybrid memories

A key technique of network security inspection is by using the regular expression matching to locate the specific fingerprints of networking applications or attacks in the packet flows, and accordingly identify the underlying applications or attacks. However, due to the surge of various networking applications and attacks in recent years, even more fingerprints need to be investigated in this process, which leads to a high demand on a large memory space for regular expression matching. In addition, with the frequent upgrading of the network links nowadays, the network flow rate also increases dramatically. As a result, it demands the fast operation of regular expression matching accordingly with the enhanced throughput for network inspection. However, due to the limited space of the fast memory, the requirements on fast operations and large memory space are conflicting. On addressing this challenge, in this paper, we propose to use hybrid memory for regular expression matching. In specific, by investigating on the transition table state access probability through the Markov theory, it can be observed that there exist a number of states which are much more frequently accessed than others. Therefore, we devise a matching engine which is suitable for FPGA implementation with two-level memories, where the first-level memory uses the on-chip memory of FPGA to cache the frequently accessed state transitions, and the second-level memory, composed of slow and cheap DRAM, stores the whole state transitions. Furthermore, the L7-filter's regular expression patterns have been applied to obtain the state access probability, and different quantities of memory assignment approaches have also been investigated to evaluate the throughput.     

Using String Matching for Deep Packet Inspection

String matching has sparked renewed research interest due to its usefulness for deep packet inspection in applications such as intrusion detection, virus scanning, and Internet content filtering. Matching expressive pattern specifications with a scalable and efficient design, accelerating the entire packet flow, and string matching with high-level semantics are promising topics for further study.     

Managing DFA History with Queue for Deflation DFA

There is an increasing demand for network devices to perform deep packet inspection (DPI) in order to enhance network security. In DPI, the packet payload is compared against a set of predefined patterns that can be specified using regular expressions (regexes). It is well-known that mapping regexes to deterministic finite automaton (DFA) may suffer from the state explosion problem. Through observation, we attribute DFA explosion to the necessity of remembering matching history. In this paper, we investigate how to manage matching history efficiently and propose an extended DFA approach for regex matching called fcq-FA, which can make a memory size reduction of about 1,000 times with a fully automated approach. In fcq-FA, we use pipeline queues and counters to help record the matching history. Hence, state explosion caused by Kleene closure and length restriction can be completely avoided. Furthermore, it achieves a fully automated signature compilation with polynomial running time and space. The equivalence between fcq-FA and the traditional DFA is guaranteed by a strict theoretical proof, which means fcq-FA can process all the regexes supported by the traditional DFA.     

Hierarchical multi-pattern matching algorithm for network content inspection

Inspection engines that can inspect network content for application-layer information are urgently required. In-depth packet inspection engines, which search the whole packet payload, can identify the interested packets that contain certain patterns. Network equipment then utilizes the searching results from the inspection engines for application-oriented management. The most important technology for fast packet inspection is an efficient multi-pattern matching algorithm to perform exact string matching between packets and a large set of patterns. This paper proposes a novel hierarchical multi-pattern matching algorithm (HMA) for packet inspection. HMA builds hierarchical index tables from the most frequent common-codes, and efficiently reduces the amount of external memory accesses and memory space by two-tier and cluster-wise matching. Analysis and simulation results reveal that HMA performs much better than state-of-the-art matching algorithms. In particular, HMA can update patterns incrementally, thus creating a reliable network system.     

基于深度包检测的防火墙系统设计

随着互联网的飞速发展,防火墙作为网络安全防护的重要手段已经成为了人们研究的重点。为了能够高效地过滤无关数据报文、抵御恶意攻击、保障网络的安全稳定运行,在研究深度包检测技术的基础上,提出了一种基于现场可编程门阵列、三态内容可寻址寄存器架构而实现的硬件防火墙系统。测试表明,该系统能够满足实际要求。