Deep packet inspection is required in an increasing number of network devices, in order to improve network security and provide application-specific services. Instead of standard strings to represent the data set to be matched, state-of-the-art systems adopt regular expressions, due to their high expressive power and flexibility. Typically regular expressions are matched through deterministic finite automata (DFAs), but large rule sets need a memory amount which turns out to be too large for practical implementation. Many recent works have proposed improvements to address this issue, but they increase the number of transitions (and then of memory accesses) per character. In a previous work, we have presented a smart representation for DFA which, while preserving fast matching (i.e., a transition per character only), considerably reduces states and transitions. In this paper we introduce a novel optimized automaton, which exploits second order relationships within the DFA and is based on the key concept of "temporary transitions". Results for real data sets show that it allows for a further memory saving.
Second-Order Differential Encoding of Deterministic Finite Automata
ANTICHI, GIANNI;GIORDANO, STEFANO;PROCISSI, GREGORIO;VITUCCI, FABIO
2009-01-01
Abstract
Deep packet inspection is required in an increasing number of network devices, in order to improve network security and provide application-specific services. Instead of standard strings to represent the data set to be matched, state-of-the-art systems adopt regular expressions, due to their high expressive power and flexibility. Typically regular expressions are matched through deterministic finite automata (DFAs), but large rule sets need a memory amount which turns out to be too large for practical implementation. Many recent works have proposed improvements to address this issue, but they increase the number of transitions (and then of memory accesses) per character. In a previous work, we have presented a smart representation for DFA which, while preserving fast matching (i.e., a transition per character only), considerably reduces states and transitions. In this paper we introduce a novel optimized automaton, which exploits second order relationships within the DFA and is based on the key concept of "temporary transitions". Results for real data sets show that it allows for a further memory saving.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
