Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection


This paper, presented at IEEE INFOCOM 2015, explores the use of traffic repetitions for efficient deep packet inspection. Authors Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, and David Hay investigate strategies to improve high-speed packet analysis in network security. The study, conducted at the Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan, provides valuable insights into enhancing the effectiveness of deep packet inspection in handling network traffic.

  • Traffic Analysis
  • Deep Packet Inspection (DPI)
  • Network Security
  • IEEE INFOCOM
  • Data Processing

Uploaded on Mar 09, 2025 | 0 Views



Presentation Transcript


  1. Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection
     Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay
     Publisher: IEEE INFOCOM 2015
     Presenter: Sih-An Pan
     Date: 2015/1/7
     Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.

  2. INTRODUCTION Our mechanism is based solely on modifications to the signature matching algorithm. Our modification enhances the algorithm so that it will be able to skip previously-scanned bytes, which are saved in a dictionary along with some auxiliary information. National Cheng Kung University CSIE Computer & Internet Architecture Lab 2

  3. INTRODUCTION Conceptually, it is divided into two parts: a slow path that samples the traffic and creates a dictionary of the popular fixed-length strings (which we call grams), and a data path that scans the traffic byte by byte and checks the dictionary for matches; if a gram is found in the dictionary, the data path skips the gram and adjusts its state according to information saved along with this gram.

  4. The Slow Path The slow path is responsible for creating a dictionary of repeated fixed-length strings (namely, k-grams, where k is the length of the strings). We split each popular string of length m into m/k consecutive k-grams. The resulting dictionary is stored as an open hash table, where colliding keys are chained. For example, assume the string abcdefgh is very popular in the traffic, and k = 4. The dictionary holds the following two grams: abcd and efgh. Most of the time, the data path uses the two grams abcd and efgh in order to skip over the long popular string.

  5. The Slow Path We initiate an Aho-Corasick scan of the gram from the initial state s0 and save the DFA state at the end of this scan. This information is sufficient for the data path to adjust its state after skipping that gram.

  6. The Data Path For each k-gram, the algorithm searches the dictionary and retrieves the corresponding entry. We query a Bloom filter to check whether the gram is in the dictionary. During the AC traversal, for each input byte, the algorithm checks whether it can skip subsequent bytes using one of the strings in the dictionary.

  7-12. The Data Path (figure-only slides)

  13. EXPERIMENTAL RESULTS For HTTP traffic, we use Snort's pattern set (~4K patterns). For performance evaluation we use a system with an Intel Sandy Bridge Core i7 2600 CPU with 32 KB L1 data cache (per core), 256 KB L2 cache (per core), and 8 MB L3 cache (shared among cores). The system runs Linux Ubuntu 11.10.

  14-20. EXPERIMENTAL RESULTS (figure-only slides)
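
The slow path and data path of slides 3 to 6, as an added Python sketch (not code from the paper or the presentation). Assumptions made here: the Aho-Corasick DFA is built in a naive, unoptimized form; the data path skips a gram only when it is in s0, a conservative condition chosen so that no match starting before the gram can be missed; each dictionary entry also stores the matches found inside the gram; the Bloom filter size and hash functions are constructed.

```python
import zlib

BLOOM_BITS = 4096  # constructed size; a real filter is sized from the gram count

def build_dfa(patterns):
    """Aho-Corasick DFA in naive form: a state is the longest pattern prefix that
    is a suffix of the input so far (s0 is b""); value = patterns ending there."""
    prefixes = {b""} | {p[:n] for p in patterns for n in range(1, len(p) + 1)}
    return {s: {p for p in patterns if s.endswith(p)} for s in prefixes}

def step(dfa, s, byte):
    s += bytes([byte])
    while s not in dfa:          # same effect as following failure links
        s = s[1:]
    return s

def bloom_mask(gram):
    """Two hash positions in the Bloom bit array (kept as a Python int)."""
    return (1 << (zlib.crc32(gram) % BLOOM_BITS)) | (1 << (zlib.adler32(gram) % BLOOM_BITS))

def slow_path(dfa, popular, k):
    """Dictionary: k-gram -> (state after scanning it from s0, matches inside it)."""
    table, bloom = {}, 0
    for string in popular:
        for i in range(0, len(string) - k + 1, k):
            gram, s, hits = string[i:i + k], b"", []
            for j, byte in enumerate(gram):
                s = step(dfa, s, byte)
                hits += [(j, p) for p in sorted(dfa[s])]
            table[gram] = (s, hits)
            bloom |= bloom_mask(gram)
    return table, bloom

def data_path(dfa, table, bloom, k, data):
    """Scan data; returns ([(end_offset, pattern)], bytes_skipped)."""
    s, i, matches, skipped = b"", 0, [], 0
    while i < len(data):
        gram = data[i:i + k]
        mask = bloom_mask(gram)
        # Assumption of this sketch: skip only from s0, so no match straddles the gram start.
        if s == b"" and (bloom & mask) == mask and gram in table:
            s, hits = table[gram]                 # adjust state from the saved entry
            matches += [(i + j, p) for j, p in hits]
            i, skipped = i + k, skipped + k
        else:
            s = step(dfa, s, data[i])
            matches += [(i, p) for p in sorted(dfa[s])]
            i += 1
    return matches, skipped
```

Calling `data_path` with an empty dictionary and a zero Bloom filter gives the plain byte-by-byte scan, which is the baseline the skipping scan must agree with.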
