Accelerating Multi-Patterns Matching On Compressed HTTP Traffic

Anat Bremler-Barr, Yaron Koral
ACM/IEEE Transactions on Networking, 2011
Journal
Deep Packet Inspection (DPI)

Abstract

Current security tools that use ‘signature-based’ detection do not handle compressed traffic, whose market share is constantly increasing. This paper focuses on compressed HTTP traffic. HTTP uses GZIP compression and requires some kind of decompression phase before string matching can be performed.
We present a novel algorithm, the Aho-Corasick-based algorithm for Compressed HTTP (ACCH), that takes advantage of information gathered by the decompression phase in order to accelerate the commonly used Aho-Corasick pattern matching algorithm. By analyzing real HTTP traffic and real web application firewall signatures, we show that up to 84% of the data can be skipped during the scan. Surprisingly, we show that it is faster to perform pattern matching on the compressed data, with the penalty of decompression, than on regular traffic. As far as we know, this is the first paper that analyzes the problem of ‘on-the-fly’ multi-pattern matching on compressed HTTP traffic and suggests a solution.

@article{bremler2011accelerating,
  title={Accelerating multipattern matching on compressed http traffic},
  author={Bremler-Barr, Anat and Koral, Yaron},
  journal={IEEE/ACM Transactions on Networking},
  volume={20},
  number={3},
  pages={970--983},
  year={2011},
  publisher={IEEE}
}