Single packet regular matching device and method thereof

Abstract

The invention provides a single packet regular matching device and a method thereof. The matching device comprises a single packet regular matching unit and a cache unit which is connected with the single packet regular matching unit. The single packet regular matching unit comprises a regular expression matching module and a protocol variable matching module which is connected with the regular expression matching module. The matching method is characterized by comprising: through grouping a plurality of regular expressions according to a protocol variable, respectively compiling each regular expression group, obtaining a plurality of DFAs (deterministic finiter automata), carrying out message matching by utilizing the protocol variable, and utilizing a matching result to load the DFAs so as to carry out regular expression matching. According to the device and the method of the invention, data needing to be loaded in a matching process is reduced, a loading process is shortened, regular expression matching time is reduced, and matching performance is raised.

Description

technical field [0001] The invention relates to a network security system, in particular to a single-packet regular matching device and method. Background technique [0002] A regular expression describes a pattern of string matching, which is used for text matching to find the part that matches a given regular expression in a given string. Regular expressions in the prior art have a wide range of applications, and are mainly used in the communication industry and network security fields to perform pattern matching checks on data traffic, such as protocol analysis, virus detection, and service classification. [0003] In the prior art, the regular expression matching check needs to be converted into a DFA (Deterministic Finiter Automata, finite automata) in advance, and then the logic chip executes the DFA according to the compiled DFA and the characters in the input data stream . However, when using it, generally there are not only one rule to be checked, but thousands of...

AI Technical Summary

Problems solved by technology

[0004] Since the size of a large DFA is several hundred megabytes, and the general logic chip cannot integrate such a large-capacity internal memory, it can only be stored in an external SRAM (Static Random Access Memory, static random access memory) or SDRAM (Synchronous Dynamic Random Access Memory, Synchronous Dynamic Random Access Memory (DRAM), when matching, a part of the DFA segment is read out according to the current state and input characters and cached inside the logic chip. During the matching process, the data table items associated with the current state need to be continuously loaded, and often Jump and repeatedly load the data table items associated with the state, the more complex the DFA, the more data table items to load, the matching method in the prior art takes a long time, and the matching performance is low

Images