Research And Realization Of Deep Packet Inspection Method In The High-speed Network Traffic Recognition System

With its powerful ability to recognize deep packet, the technology has been widely applied in all kinds of network security equipments. However, how to realize high speed and accurate recognition with the explosive growth of network bandwidth in large traffic network, which has aroused the attention of many scholars. Regular expression has become the main way to describe characteristics depending on its powerful expression. Through to the regular expression match achieved the identification of the packet. At present, the implementation of regular expression mainly depends on non-deterministic and deterministic Finite Automata. The NFA takes up little space but match slowly. The DFA has high matching speed, but may cause state explosion, result in computer physical memory can't meet. So both of them can't meet the demand of practical application at the same time. In comparison, the DFA is more suitable for high speed network traffic recognition, so the research focus have focused on how to reduce the number of DFA state in recent years.About these problems, this paper use high-performance regular expression match engine as the main study object, and analyzes the reason of the DFA state explosion deeply. Then it put forward that group regular expression set first, to reduce the state number caused by the conflict between the regular expression, and then compress the DFA states which each group generated after compiling. On this basis, it introduced the realization of a deep packet inspection in detail based on one actual project during the author of intership period.This paper mainly completed the following content:First, further study of the different types of regular expressions DFA structure characteristics and analyzes the individual DFA and combination of DFA state explosion causes;Second, in view of the combination of DFA state explosion problem. On the basis of predecessors work, this paper improved an approximation ratio is 1/(1- 1/6)) of a regular expression grouping algorithm. Simulation tests show that the improved grouping algorithm is better than before on efficiency of grouping, so it has applicability;Third, according to the degree of similarity between the DFA state, the public state in the state transition table can be extracted, then store that and the rest of information in original state transition table separately, so as to realize the compression of the state. Public state extraction belongs to the clustering problems. However, traditional methods usually take long time to cluster. This paper designs a hierarchical clustering algorithm based on maximum spanning tree to solve it.Fourth, implement the improved regular expression grouping algorithm and public state extraction on the basis of the maximum spanning tree algorithm. Through the experiment proved states compression after regular expression set grouping based on the above algorithm that has superiority in dealing with the large-scale pattern matching.Fifth, combined with the author's work content in real project, expounded how to implement deep packet inspection on the network traffic recognition system in detail. Through the real test, given the performance of system.