Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation
Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach
Publisher: IEEE INFOCOM 2014
Presenter: Yen-Chun Tseng
Date: 2014/09/24
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.
Introduction
Use a DFA-tree to address both the slow matching speed of NFAs and the state-space explosion problem of DFAs.
Use the Compact Overapproximate DFA (CODFA) as the building block for DFA-tree construction.
National Cheng Kung University CSIE Computer & Internet Architecture Lab
DFA-tree
DFA combination
A CODFA (Compact Overapproximate DFA) keeps only the most frequent, or “hot”, states of a DFA and the transitions between them, and collapses the remaining states into a single state.
This operation is called “shrink”.
CODFA
DFA-tree
Problems encountered
Input strings may be dirty.
Approximation errors.
How to choose the “hot” state.
If input strings are dirty
Such attacks or poor performance are easy to detect and, if persistent, the ISP can temporarily switch to DFA-set matching.
switch to DFA-set matching
D12
D9 D10 D11
D1 D2 D3 D4 D5 D6 D7 D8
It needs to check 12 states in the worst case.
switch to DFA-set matching
D1 D2 D3 D4 D5 D6 D7 D8
This is 1.5X (50%) faster than if the DFA-tree were used.
It only needs 8 states.
Approximation Errors
D3: VIR*
D1: VIRUS   D2: VIRAL
Input: VIRUL
Select more hot states.
choose the “hot” state
A solution may exist, but we may fail to find it. However, we have not encountered this in practice.
If $Q$ is ordered as $\{q_0, q_1, \dots, q_{|Q|-1}\}$, we restrict our search for $H$ to the $|Q|$ sets of valid candidates of the form $H_k = \{q_0, q_1, \dots, q_k\}$.
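The shrink operation, the VIRUS/VIRAL/VIRUL approximation error and the H_k hot-set choice above can be tied together in one sketch. This is an added example, not code from the paper or the slides. It assumes whole-string (anchored) matching, that the collapsed state is an accepting sink, and that the reject state is never collapsed; the function names are hypothetical.

```python
DEAD, COLD = None, "cold"   # reject state / the single collapsed state

def build_dfa(words):
    """Exact DFA (a trie) for whole-string matches; states are numbered
    q0, q1, ... in breadth-first order of the prefixes."""
    prefixes = sorted({w[:i] for w in words for i in range(len(w) + 1)},
                      key=lambda p: (len(p), p))
    index = {p: i for i, p in enumerate(prefixes)}
    delta = {(index[p[:-1]], p[-1]): index[p] for p in prefixes if p}
    return delta, {index[w] for w in words}

def shrink(dfa, k):
    """CODFA with hot set H_k = {q0..qk}; every other state becomes COLD.
    Assumption: COLD is an accepting sink, so L(CODFA) contains L(DFA)."""
    delta, accept = dfa
    hot = set(range(k + 1))
    kept = {(q, c): (t if t in hot else COLD)
            for (q, c), t in delta.items() if q in hot}
    return kept, (accept & hot) | {COLD}

def run(dfa, text):
    """True if the automaton accepts the whole of text."""
    delta, accept = dfa
    q = 0
    for ch in text:
        if q == COLD:            # sink: stays accepting on any suffix
            return True
        q = delta.get((q, ch), DEAD)
        if q is DEAD:            # assumption: reject state is never collapsed
            return False
    return q in accept

def tree_match(root, leaves, text):
    """Returns (matching leaf names, number of DFAs evaluated)."""
    if not run(root, text):      # root rejects: no leaf can match
        return [], 1
    hits = [name for name, d in leaves.items() if run(d, text)]
    return hits, 1 + len(leaves)

LEAVES = {"D1": build_dfa(["VIRUS"]), "D2": build_dfa(["VIRAL"])}
EXACT = build_dfa(["VIRUS", "VIRAL"])      # exact union of D1 and D2
D3_COARSE = shrink(EXACT, 2)               # hot: "", V, VI  -> behaves as VIR*
D3_FINER = shrink(EXACT, 5)                # hot: up to VIRA and VIRU

if __name__ == "__main__":
    for label, root in (("k=2", D3_COARSE), ("k=5", D3_FINER)):
        for text in ("VIRUS", "VIRUL", "HELLO"):
            print(label, text, tree_match(root, LEAVES, text))
```

With k=2 the root accepts VIRUL and both leaves are evaluated for nothing, which is the approximation error; with k=5 the root rejects VIRUL after a single DFA, which is the effect of selecting more hot states.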