A hybrid finite automaton for practical deep packet inspection

Deterministic finite automata (DFAs) are widely used to perform regular expression matching in linear time. Several techniques have been proposed to compress DFAs in order to reduce memory requirements. Unfortunately, many real-world IDS regular expressions include complex terms that result in an exponential increase in the number of DFA states. Since all recent proposals use an initial DFA as a starting point, they cannot be used as comprehensive regular expression representations in an IDS. In this work we propose a hybrid automaton which addresses this issue by combining the benefits of deterministic and non-deterministic finite automata. We test our proposal on Snort rule-sets and we validate it on real traffic traces. Finally, we address and analyze the worst case behavior of our scheme and compare it to traditional ones.

Categories and Subject Descriptors: C.2.0 [Computer Communication Networks]: General
Michela Becchi, Patrick Crowley
Added 14 Aug 2010
Updated 14 Aug 2010
Type Conference
Year 2007