Multi-byte Pattern Matching Using Stride-K DFA for High Speed Deep Packet Inspection

Deep packet inspection (DPI) is one of the crucial tasks in modern intrusion detection and intrusion prevention systems. It allows the inspection of packet payload using patterns. Modern DPI based systems use regular expressions to define these patterns. Deterministic finite automata (DFA) is considered to be an ideal choice for performing regular expression matching due to its O(1) processing complexity. However, DFAs consume large memory to store its state transition table, but this problem gets worsened when stride level of the DFA is increased. Though, increasing stride level brings significant increase in the overall speedup of the matching engine but as a trade off it consumes large memory. In this paper, we present stride-k speculative parallel pattern matching (SPPM), a technique in which a packet is first split up into two chunks and then multiple bytes per chunk are inspected at a time using stride-k DFA. Furthermore, we present a stride-k DFA compression technique using alphabet compression table (ACT) to reduce the memory requirements of stride-k DFA. We have implemented the single threaded algorithm for stride-2 SPPM. Results show that the use of stride-2 SPPM can overall increase the pattern matching speed by up to 30% as compared to traditional DFA matching, and a significant reduction of over 70% in the number iterations required for packet processing. Secondly, over 65% reduction in the number of transitions has been achieved using ACT for stride-2 DFA implementation.