Shift-Based Pattern Matching For Compressed Web Traffic

Anat Bremler-Barr, Yaron Koral, Victor Zigdon
IEEE HPSR, 2011
Conferences & Workshops
Deep Packet Inspection (DPI)

Abstract

Compressing web traffic using standard GZIP is becoming both popular and challenging due to the huge increase in wireless web devices, where bandwidth is limited. Security and other content-based networking devices are required to decompress the traffic of tens of thousands of concurrent connections in order to inspect the content for different signatures. The overhead imposed by the decompression inhibits most devices from handling compressed traffic, which in turn either limits traffic compression or introduces security holes and other dysfunctionalities.
The ACCH algorithm was the first to present a unified approach to pattern matching and decompression, by taking advantage of information gathered in the decompression phase to accelerate the pattern matching. ACCH accelerated the DFA-based Aho-Corasick multi-pattern matching algorithm. In this paper, we present a novel algorithm, SPC (Shift-based Pattern matching for Compressed traffic), that accelerates the commonly used Wu-Manber pattern matching algorithm. SPC is simpler and has higher throughput and lower storage overhead than ACCH. Analysis of real web traffic and real security-device signatures shows that we can skip scanning up to 87.5% of the data and gain a performance boost of more than 51% as compared to ACCH. Moreover, the technique requires only 4 KB of additional information per connection, as compared to 8 KB for ACCH.

@INPROCEEDINGS{5986030,
  author={Bremler-Barr, Anat and Koral, Yaron and Zigdon, Victor},
  booktitle={2011 IEEE 12th International Conference on High Performance Switching and Routing}, 
  title={Shift-based pattern matching for compressed web traffic}, 
  year={2011},
  volume={},
  number={},
  pages={222-229},
  doi={10.1109/HPSR.2011.5986030}}