
Research And Implementation Of Network Flow Inspection System Based On The Regular Expression

Posted on: 2014-01-29
Degree: Master
Type: Thesis
Country: China
Candidate: C T Chen
GTID: 2248330398960013
Subject: Computer system architecture

Abstract/Summary:
With the rapid development of network technology, network bandwidth has increased significantly, new network protocols keep emerging, and network security requirements have risen markedly. In this environment, the identification and classification of network traffic are necessary. Traffic identification can be used to monitor network operating conditions, detect network intrusions, and analyze network applications.

With the widespread use of new protocols and P2P applications, network applications no longer strictly follow the rule that a protocol uses a fixed port, so the traditional port-based traffic classification method becomes ineffective. Against this background, the deep packet inspection (DPI) method is proposed. The method first reassembles the network data flow and then extracts the application-layer payload. This payload is matched against various network protocols to determine the protocol type of the flow. Regular expressions are replacing explicit string patterns as the pattern matching language of choice in packet scanning applications. Their widespread use is due to their increased expressiveness.

Although deep packet inspection is accurate, its recognition speed is low, and it cannot meet identification requirements in high-bandwidth network environments. The main reason is that the regular expression recognition engine implements its rules as NFAs. During matching, multiple NFA states may be active concurrently, and each character of the input string can trigger multiple state transitions in parallel. Implementing the rules as deterministic finite automata (DFAs) can greatly improve matching speed, but the DFAs corresponding to large sets of regular expressions can be prohibitively large.

In this paper, we propose a novel deep packet inspection scheme based on the non-uniform distribution of network traffic. The new scheme separates a set of regular expressions into several groups with different priorities and compiles each group with a method chosen according to its priority. Rules in a high-priority group are compiled into DFAs, the high-speed matching form, and are scanned in priority order. Protocol rules in a low-priority group are translated into a Hybrid-FA, the low-speed matching form, and are matched after the DFAs. Because the heavy rules are matched first, many redundant visits are removed. The experimental results show that our deep packet matching implementation achieves nearly 29 times speedup compared with the traditional NFA-based implementation.

In this paper we also construct a network traffic identification system based on the proposed acceleration algorithm. The system mirrors the network data and conveys it to the identification module, the core module of the system. The identification module matches the network flows and writes the results to the database. The display and interaction module reads the identification results from the database and shows them to users.
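The priority grouping described above can be illustrated with a short added example; it is not code from the thesis. It assumes constructed, simplified signatures and a constructed traffic sample, and it uses Python's backtracking `re` engine as a stand-in for both the DFA and Hybrid-FA tiers, so it shows only how ordering rules by traffic share reduces rule visits, not automaton construction.

```python
import re
from collections import Counter

# Constructed, simplified payload signatures (assumptions, not the thesis's rules).
RULES = {
    "bittorrent": rb"^\x13BitTorrent protocol",
    "ftp": rb"^220 [^\r\n]*FTP",
    "http": rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]",
    "smtp": rb"^220 [^\r\n]*SMTP",
    "ssh": rb"^SSH-\d\.\d",
}
COMPILED = [(name, re.compile(rx)) for name, rx in RULES.items()]

# Constructed sample with a skewed protocol mix: 6 HTTP, 3 BitTorrent, 1 SSH.
SAMPLE = (
    [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"] * 6
    + [b"\x13BitTorrent protocol" + bytes(8)] * 3
    + [b"SSH-2.0-OpenSSH_8.9\r\n"]
)

def classify(payload, ordered_rules):
    """Scan rules in order; return (protocol, number of rules tried)."""
    for tried, (name, rx) in enumerate(ordered_rules, start=1):
        if rx.search(payload):
            return name, tried
    return "unknown", len(ordered_rules)

def build_groups(training_flows, high_count):
    """Rank rules by hit count on training traffic and split them into a
    high-priority group and a low-priority group."""
    hits = Counter(classify(flow, COMPILED)[0] for flow in training_flows)
    ranked = sorted(COMPILED, key=lambda rule: -hits[rule[0]])
    return ranked[:high_count], ranked[high_count:]

def rule_visits(flows, ordered_rules):
    """Total rule evaluations needed to classify every flow."""
    return sum(classify(flow, ordered_rules)[1] for flow in flows)

if __name__ == "__main__":
    high, low = build_groups(SAMPLE, high_count=2)
    print("high-priority group:", [name for name, _ in high])
    print("unordered visits:", rule_visits(SAMPLE, COMPILED))
    print("prioritized visits:", rule_visits(SAMPLE, high + low))
```

In a deployment the ranking would come from measured traffic on the monitored link, and it would need to be refreshed when the protocol mix shifts, since a stale ranking pushes common flows into the slow tier.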
Keywords/Search Tags: Network Traffic Identification, DPI, Distribution Characteristics of Network Traffic, Priority of Network Protocols