Title: Deep packet inspection with delayed signature matching in network auditing
Authors: Zeng, Yingpei; Guo, Shanqing
Author affiliations: [Zeng, Yingpei] School of Cyberspace, Hangzhou Dianzi University, Hangzhou, China; [Guo, Shanqing] School of Computer Science and Technology, Shandon
Conference: 20th International Conference on Information and Communications Security, ICICS 2018
Conference dates: 29 October 2018 through 31 October 2018
Source: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Keywords: Deep packet inspection; Delayed signature matching; DPI; DSM; Fast path
Abstract: Deep Packet Inspection (DPI) is widely used in network systems and the processing speed of DPI is very critical. The core part of existing DPI is signature matching, and many researchers focus on improving the signature matching algorithms. In this paper, we work from a different angle: the scheduling of signature matching. We propose a method called Delayed Signature Matching (DSM), which could greatly reduce the number of matching attempts. In the method we do not always immediately match received packets to the signatures, but instead we predefine some protocol-specific rules, and evaluate the packets against these rules first to decide when to start signature matching and which signatures to match, thus eliminating lots of useless matching attempts. The proposed DSM method is very suitable for the network auditing scenario since recognizing a flow at the earliest possible time is not required, and the potential seconds of delay brought in by DSM are acceptable. We also find that in the DSM method the number of matching attempts for a flow is unrelated to the number of supported protocols, which is a good property since the number of supported protocols keeps growing. Finally, we implement a prototype of the DSM method in the open-source DPI library nDPI, and find that it can reduce the signature matching time by 27%–40%. © Springer Nature Switzerland AG 2018.