
Research On Regular Expression Based Deep Packet Inspection

Posted on: 2008-08-01
Degree: Master
Type: Thesis
Country: China
Candidate: N Zhang
Full Text: PDF
GTID: 2178360212990640
Subject: Computer applications
Abstract/Summary:
Traditional stateful firewalls cannot provide enough protection against application-level attacks. As the function of the firewall moved from the network layer to the application layer, DPI (Deep Packet Inspection) technology was developed. DPI examines not only the header but also the contents of packets at the application level.

Traditional string-set-based DPI technology is being replaced by regular-expression-set-based technology. For example, in the Linux Application Protocol Classifier (L7-filter), all protocol identifiers are expressed as regular expressions. Similarly, the Snort and Bro intrusion detection systems also use regular expressions as their pattern language.

Although regular expressions are effective and flexible, in current network applications a typical set contains hundreds of regular expressions and tens of thousands of DFA (Deterministic Finite Automaton) states, which results in a storage requirement of hundreds of megabytes, or even more than gigabytes. As a result, the response time of regular-expression-based DPI algorithms increases and their performance degrades dramatically. Nowadays, how to improve the efficiency of regular-expression-based DPI technology is still being worked on all over the world.

Based on an analysis of the traditional firewall, the author introduces the DPI-based firewall. The operating principle of DPI is described from the viewpoints of packet filtering and intrusion detection. By analyzing the merits and demerits of the classical pattern matching algorithms, a new regular-expression-based pattern matching algorithm is proposed in this paper. Based on an analysis of the impact of the number of DFA states on the algorithm's performance, the algorithm is further improved by introducing a DFA state number optimization algorithm. The proposed algorithm has been implemented in a Linux environment and many experiments have been carried out. Experimental results show that the performance of the proposed algorithm is much better than others.
Keywords/Search Tags: deep packet inspection, pattern matching, regular expression, DFA