Deep Packet Inspection is the core component of Network Intrusion Detection Systems and Network Intrusion Prevention Systems, which inspect not only the packet header information but also the packet payload. Deep Packet Inspection detects and prevents harmful network packets by matching the packet payload against a set of predefined rules. It is a compute-intensive operation and is mainly used in the critical data path of high-speed routers. In a core router, Deep Packet Inspection needs to inspect high-speed, high-volume packet streams against tens of thousands of rules. With the rapid growth of network bandwidth and traffic flow, and the growing feature set of the rules, existing Deep Packet Inspection technologies face a performance challenge. To address this challenge, this paper focuses on research into fast and effective Deep Packet Inspection algorithms. The main contributions are as follows:

First, the traditional hardware- and software-based methods for Deep Packet Inspection have intrinsic limitations in practical implementation. To address these shortcomings, this paper presents a Deep Packet Inspection algorithm implemented on a multi-core platform and based on parallel Bloom filters. Firstly, the algorithm groups the rule sets according to their lengths and constructs a set of counting Bloom filters to represent the grouped rule sets; each Bloom filter stands for a rule set with a specific length. Secondly, efficient hash functions are introduced to reduce the collision probability and the computing complexity. Lastly, the algorithm is implemented using parallel programming, based on the parallel processing ability of the multi-core platform. The theoretical analysis and experimental results show that the proposed algorithm is time and space efficient.

Second, this paper presents a fast multi-step Deep Packet Inspection algorithm for the wire-speed packet processing requirements of high-speed networks, combining the advantages of CPUs with a large number of cores and of parallel Bloom filters. In the scheme, multiple identical parallel Bloom filters operate on the data stream window together, so that the window can move multiple steps at a time, which improves its throughput. At the same time, so that the processing speed of the analyzer can keep up with the window, the matching algorithm is applied in parallel. Parallel programming on the multi-core platform is then used to implement the algorithm. The theoretical analysis and the experimental results show that the matching speed of the scheme is effective on a large-scale rule set.

Third, combining the above studies, a Snort-prototype-based Deep Packet Inspection system has been designed and implemented using VC++ and OpenMP on the multi-core platform. The system first captures packets in a local area network (LAN) and then analyzes the payload after several processing steps. The proposed algorithm is applied in the analysis process and meets the functional and speed requirements of the system, which verifies the feasibility of the proposed algorithm.
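The length-grouped counting Bloom filter scheme from the first contribution, sketched as an added example; it is not the paper's code. The names `CountingBloom` and `Engine`, the filter size, the seeded FNV-1a hashes and the exact-match set used to confirm filter hits are all assumptions, since the abstract does not specify them.

```cpp
#include <cstdint>
#include <initializer_list>
#include <map>
#include <set>
#include <string>
#include <vector>

// Counting Bloom filter: counters instead of bits, so a rule can be removed again.
struct CountingBloom {
    std::vector<uint8_t> c = std::vector<uint8_t>(1024, 0);  // size is an assumption
    // Seeded FNV-1a (assumption: the abstract does not name its hash functions).
    static uint32_t h(const char* p, size_t n, uint32_t seed) {
        uint32_t x = 2166136261u ^ seed;
        for (size_t i = 0; i < n; ++i) { x ^= (uint8_t)p[i]; x *= 16777619u; }
        return x;
    }
    void update(const std::string& s, int d) {  // d = +1 to add, -1 to remove
        for (uint32_t seed : {0u, 0x9e3779b9u}) {
            uint8_t& v = c[h(s.data(), s.size(), seed) % c.size()];
            v = (uint8_t)(v + d);
        }
    }
    bool maybe(const char* p, size_t n) const {  // false means "definitely not a rule"
        for (uint32_t seed : {0u, 0x9e3779b9u})
            if (c[h(p, n, seed) % c.size()] == 0) return false;
        return true;
    }
};

struct Engine {
    std::map<size_t, CountingBloom> byLen;  // one filter per rule length
    std::set<std::string> exact;            // confirms hits, discarding false positives
    void addRule(const std::string& r) {
        if (!r.empty() && exact.insert(r).second) byLen[r.size()].update(r, +1);
    }
    void removeRule(const std::string& r) {
        if (exact.erase(r)) byLen[r.size()].update(r, -1);
    }
    // Slides one window per rule length over the payload; returns confirmed rules.
    std::vector<std::string> scan(const std::string& payload) const {
        std::vector<std::string> hits;
        for (const auto& kv : byLen)  // length groups are independent of each other
            for (size_t i = 0; i + kv.first <= payload.size(); ++i)
                if (kv.second.maybe(payload.data() + i, kv.first)) {
                    std::string w = payload.substr(i, kv.first);
                    if (exact.count(w)) hits.push_back(w);
                }
        return hits;
    }
};
```

Because each length group reads the payload without touching the others, the outer loop in `scan` is the natural place to split work across cores, provided each thread collects its own hit list.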