Deep Packet Inspection System's Structure And Realization Of AC Algorithm Engine

Posted on: 2015-04-12, Degree: Master, Type: Thesis
Country: China, Candidate: C Gao, Full Text: PDF
GTID: 2348330518470866, Subject: Engineering
Abstract/Summary:
The rapid development of the Internet has brought great convenience to daily life, but like a double-edged sword it has brought security problems at the same time. Two network security reports from 2013 put the number of computers infected each day at between 2 million and 5 million, so the network security situation is grim.

Firewall technology is a core element of a secure network. Firewall technologies usually include packet filtering, state filtering, content filtering, application layer gateways and network address translation. Building on an analysis of these technologies, this paper gives a detailed implementation of application layer packet identification, including state filtering and content filtering of application layer packets. As firewall and router features develop, more and more services need to focus on the characteristics of application layer protocols and on the application protocol interaction itself. Content Inspect is a packet-based technology that identifies illegal content by signature, and it is the more effective firewall technology so far.

This paper describes the design of an L4-7 Deep Packet Inspection system (DPI System), which uses Content Inspect to implement Application Recognize, Intrusion Prevention, User Behavior Control identification and Anti Virus functions.

Content management is responsible for matching the application layer payload against string rules, and the results are used to identify the content. Content management decides whether to perform deep content identification on a message based on the mark set in the session table. If content identification is needed, the algorithm matches the string rules and inference rules and saves the results to the result set, which is used by the content identification section.

The core of the DPI System is a search algorithm. The fixed-string search algorithm is the most fundamental reason for proposing the L4-7 DPI framework. First, the algorithm processes the feature strings configured by the user and compiles them into the AC engine. It then matches the strings in the parsed packets; matching efficiency is unrelated to the number of feature entries and depends only on the length of the string. Matching can be flow-based, across packets, without buffering packets, but it needs a huge memory footprint.

The implementation of the AC algorithm consumes a great deal of memory. It costs 1 K of memory to save one StateTable. The IPS has more than 1M states, so it needs 1G of memory, and not all devices can provide this. In this paper we propose an optimization that uses both a Sparse Matrix and a Full Matrix to save the StateTable. In the AC tree, the pattern matching process matches the upper states first, and only when an upper state matches successfully does it match the lower states. The optimized algorithm uses a Full Matrix to save the StateTable of the upper states, to keep matching speed, and a Sparse Matrix to save the StateTable of the lower states, to save memory. In this way memory consumption is reduced without affecting matching speed.

The implementation can effectively block attack packets, especially known attack packets. For unknown attack packets, the technology still needs further research and analysis in order to protect the security of private networks.
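
An added sketch of the hybrid StateTable storage the abstract describes (not code from the thesis): states above a depth cut-off get a full 256-entry row, deeper states keep only their existing transitions and fall back through failure links, and the match state is returned so a flow can be scanned across packets without buffering. The class name, the `dense_depth` cut-off and the sample patterns are assumptions.

```python
from collections import deque

class HybridAC:
    """Aho-Corasick with full rows for shallow states, sparse rows for deep ones."""
    def __init__(self, patterns, dense_depth=2):    # dense_depth: assumed cut-off
        goto, depth, self.out = [{}], [0], [[]]
        for p in patterns:                          # 1. build the trie
            s = 0
            for b in p:
                if b not in goto[s]:
                    goto.append({}); depth.append(depth[s] + 1); self.out.append([])
                    goto[s][b] = len(goto) - 1
                s = goto[s][b]
            self.out[s].append(p)
        self.fail = [0] * len(goto)
        order, q = [], deque(goto[0].values())
        while q:                                    # 2. BFS: failure links, outputs
            s = q.popleft(); order.append(s)
            for b, t in goto[s].items():
                f = self.fail[s]
                while f and b not in goto[f]:
                    f = self.fail[f]
                self.fail[t] = goto[f].get(b, 0)
                self.out[t] = self.out[t] + self.out[self.fail[t]]
                q.append(t)
        # 3. upper states: full 256-entry rows with failure links pre-resolved
        self.dense = {0: [goto[0].get(b, 0) for b in range(256)]}
        for s in order:
            if depth[s] < dense_depth:
                base = self.dense[self.fail[s]]
                self.dense[s] = [goto[s].get(b, base[b]) for b in range(256)]
        # 4. lower states: store only the transitions that exist
        self.sparse = {s: goto[s] for s in order if depth[s] >= dense_depth}

    def step(self, s, b):
        while s not in self.dense:                  # deep state: sparse lookup,
            t = self.sparse[s].get(b)               # then follow failure links
            if t is not None:
                return t
            s = self.fail[s]
        return self.dense[s][b]                     # shallow state: one array index

    def scan(self, payload, state=0):               # returns (hits, state); pass the
        hits = []                                   # state in with the next packet
        for i, b in enumerate(payload):
            state = self.step(state, b)
            hits += [(i, p) for p in self.out[state]]
        return hits, state

# Constructed sample patterns, not taken from the thesis.
AC = HybridAC([b"he", b"she", b"his", b"hers"])
```

With these four patterns the automaton has ten states, of which three (the root and the two depth-1 states) hold full rows and seven are stored sparsely.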
Keywords/Search Tags:Security, Application Layer Packets Identification, Deep Packet Inspection, Content Inspect, AC Algorithm