Research And Realization Of Efficient Deep Packet Inspection

With the extensive use of Internet, network security situation is severe. Deep packet inspection is an important method to ensure content security, and also it can audit and analyze the behavior of users, such as application layer protocol identification. As the regular expression is flexible and powerful, regular expression pattern matching becomes widely used in deep packet inspection.At present, most of the research and realization of regular expression matching are based on software methods, such as Snort and L7-Filter. However, software system built up on a general architecture usually has a low performance of pipelining and parallelism which can't satisfy the packet processing in ISP Backbone. The realization of acceleration of regular expression matching by hardware implementation of the parallel structure is discussed in this paper. With the combination of the structure and network flow management, an efficient protocol identification based on flow state is implemented. The main work and contribution of the thesis include as follows.(1)At first, the model of regular expression matching which works under the cooperation between software and hardware is presented. The system software compiles regular expression to the MPDFA and configures the state transition tables through hardware and software interfaces which offer a greater flexibility. And the non-backtracting linear matching algorithm is simple and efficient which is easy to realize by hardware. We design multi-engines structure which parallely match regular expression.This method reaches wire-speed content inspection to IP packets. Queue scheduling of input and output in multi-engines structure is researched in-depth. By proving in theory, we acquire the smallest buffer size of each engine's input and output queue without loss of packet, as well as delay's upper limit of packets'input and output process.(2)A model of protocol identification based on network flow state is proposed in this thesis. PI control and PI engine by hardware realization combine to implement high-performance protocol identification on the basis of flow state of regular expression matching. In order to support stateful process based on network flow, a mehod of flow lifetime management is put forward. Analysis and calculation show that the method can support line-rate flow lifetime management at the network interface of 10Gbps.(3)At last, the implementation on CIA of high-performance protocol identification based on network flow state is presented and testified by regular expressions of application layer protocol. The result shows the structure of parallel 4-PIME can reach wire-speed regular expression matching to the packets of Gigabit Ethernet network. The simulation in ModelSim proves the method of efficient protocol identification based on network flow is correct. This paper researches packet's regular expression matching and protocol identification based on flow and realizes them in hardware system. It has high application value under high-speed network.