
Space-Time Tradeoffs in Software-based Deep Packet Inspection Author: Anat Bremler-Barr, Yotam...

Date post: 14-Dec-2015
Space-Time Tradeoffs in Software-based Deep Packet Inspection. Author: Anat Bremler-Barr, Yotam Harchol, and David Hay. Published in Proc. IEEE HPSR 2011.

Space-Time Tradeoffs in Software-based Deep Packet Inspection

Author: Anat Bremler-Barr, Yotam Harchol, and David Hay

Published in Proc. IEEE HPSR 2011

2

Goal

Software-based DPI

AC-based (exact matching)

Reduced memory size

Fit in CPU cache

Worst-case throughput

3

Aho-Corasick

Forward Transitions (to deeper states)

Failure Transitions

Given a state s,

Depth(s): Depth(S4) = 2, Depth(S13) = 3

Label(s): Label(S4) = BD, Label(S13) = BCA

Label(S12) = CDBCAB

Failure Transitions to S0 are omitted

4

State Structure (1/3): Lookup Table Format

State  A    B    C    D    E
S2     S0   S2   S5   S4   S3
S4     S0   S2   S7   S0   S1
S5     S0   S2   S7   S6   S1
S13    S14  S2   S7   S0   S1

Lookup table format is used when (# of forward transitions) is more than 64.

5

State Structure (2/3): Linear Format

State  A    B    C    D    E
S2     S0   S2   S5   S4   S3
S5     S0   S2   S7   S6   S1

Linear encoding (failure transition in parentheses):

S4 (S0)

S5 (S7) D S6

S2 (S0) C S5 D S4 E S3

6

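State Structure (3/3): Bitmap Format

State  A    B    C    D    E
S2     S0   S2   S5   S4   S3
S5     S0   S2   S7   S6   S1

Linear encoding:

S5 (S7) D S6

S2 (S0) C S5 D S4 E S3

Bitmap encoding (one bit per symbol A to E, then the forward pointers, then the failure pointer):

S5: 00010 S6 S7

S2: 00111 S5 S4 S3 S0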
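
Added example (not from the slides or the authors' code): a bitmap-format state lookup in C, using the S2, S4 and S5 rows shown above. The S0 row is inferred from S4's lookup-table row, the struct layout and function names are assumptions of this example, and states that the slides do not describe are left empty.

```c
#include <stdint.h>
#include <stdio.h>

#define SIGMA 5                 /* alphabet A..E, as on the slides */

/* Bitmap-format state: one bit per symbol (leftmost bit = A), a pointer
 * only for each set bit, plus the failure pointer. */
struct bmp_state {
    uint8_t bits;
    int next[SIGMA];
    int fail;
};

/* From the slides: S2 = 00111 -> S5 S4 S3, failure S0; S5 = 00010 -> S6,
 * failure S7; S4 has no forward transitions, failure S0. S0 is inferred
 * from S4's lookup-table row (assumption). Other states are left empty. */
static const struct bmp_state states[8] = {
    [0] = { 0x0D, {2, 7, 1}, 0 },   /* 01101: B->S2, C->S7, E->S1 */
    [2] = { 0x07, {5, 4, 3}, 0 },
    [4] = { 0x00, {0},       0 },
    [5] = { 0x02, {6},       7 },
};

/* Forward lookup: test the symbol's bit, then index the pointer array by
 * the number of set bits to its left. Returns -1 if no forward transition. */
int bmp_forward(const struct bmp_state *s, char c) {
    int pos = c - 'A';
    if (pos < 0 || pos >= SIGMA) return -1;
    if (!(s->bits & (1u << (SIGMA - 1 - pos)))) return -1;
    return s->next[__builtin_popcount(s->bits >> (SIGMA - pos))];
}

/* Full transition: follow failure pointers until a forward transition
 * exists; a miss at the root S0 stays in S0. */
int ac_next(int state, char c) {
    for (;;) {
        int n = bmp_forward(&states[state], c);
        if (n >= 0) return n;
        if (state == 0) return 0;
        state = states[state].fail;
    }
}

int main(void) {
    for (const char *c = "ABCDE"; *c; c++)   /* prints the S2 lookup-table row */
        printf("S2 --%c--> S%d\n", *c, ac_next(2, *c));
    return 0;
}
```

Resolving S2 and S4 through their failure pointers reproduces the corresponding rows of the lookup table, which is the space-for-time trade the three formats make.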

7

Path-Compression (1/3)

One-way branch states are compressed.

Problem:

Incoming failure transition

Outgoing failure transition

Solution:

No incoming failure transition is allowed

Multiple outgoing transition fields

8

Path-Compression (2/3)

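[Figure: the one-way path Sa -A-> Sb -B-> Sc -C-> Sd is compressed into a single transition Sa -ABC-> Sd; Sx, Sy, Sz are the failure targets. Uncompressed entries: (A, Sb; *, Sx), (B, Sc; *, Sy), (C, Sd; *, Sz). Compressed entry: A, Sx; B, Sy; C, Sz; 3, Sd.]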

9

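Path-Compression (3/3)

Tuck. (INFOCOM 2004)

[Figure, labelled "Before" and "After": the Sa -A-> Sb -B-> Sc -C-> Sd example from the previous slide, together with a second path Si -T-> Sj -A-> Sk compressed into Si -TA-> Sk. Entries shown for the second path include (T, Sj; *, Sp), (A, Sk; *, Sq) and (*, Sb) before, and T, Sp; A, Sq; 2, Sk after. One item is marked "???".]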

10

Aho-Corasick

Path Compression: Before and After

Text: CDBCAB

Text: CDBCAA

11

Leaves-Compression

Trie leaves consist only of failure transitions.

• Add one bit to each forward transition to indicate an accepting state

• The process can be applied recursively

[Figure: path Sa -A-> Sb -B-> Sc, where Sc is a leaf. State entries at each step:]

Original: A, Sb | B, Sc | *, Sx

1st process: A, Sb, 0 | B, Sx, 1

2nd process: AB, Sx, 1

12

Use both techniques

Add one bit for every symbol of compressed path.

[Figure: states Sa, Sb, Sc, Sd, S0, Sp, Sq with transitions labelled A; B, 0; C, 1; D, 1; B; E.]

Set the bit of the i-th symbol when:

(1) a transition with the first i symbols of the path is to an accepting state

(2) the failure transition of the pre-compressed state reached after the first i symbols of the path is to a leaf

13

Leaves Compression: Before and After

14

Pointer Compression

There are many transitions that go to states whose depth is small.

31% of the failure transitions go to depth 1 states

An additional 35% of the failure transitions go to depth 2 states.

15

Variable-Size Pointers

Two lengths: 2 and 2+log2|S|

00: Go to state S0

01: Go to a depth 1 state (reached from S0 by the current symbol)

10: Go to a depth 2 state (reached from S0 by the last symbol + the current symbol; there are fewer valid pairs, so hashing is used)

11: Go to the next state using a regular pointer

16

Huffman Coding

Huffman coding allocates short code for frequent symbols and long code for infrequent ones.

A lookup table is used to provide symbol-to-Huffman-code conversion.

The idea is not used.

17

Evaluation Environment

Two environments:

Core 2 Duo 2.53 GHz (2 cores), 32 KB L1, 3 MB L2

Core i7 2.93 GHz (4 cores), 32 KB L1, 256 KB L2, 8 MB L3

18

Evaluation Traffic

Pattern:

Snort

ClamAV (Partial)

Traffic:

DARPA (Real Life)

Exhaustive Traversal

Failure path Traversal

Worst Case

19

Space Requirement

20

Throughput

21

Memory Access

22

L1 Cache Miss Ratio

23

Miss ratio of Larger L2 Cache

