Regular expression matching system and regular expression matching method

Abstract

The invention discloses a regular expression matching system and a regular expression matching method, which relate to the technical field of network security. The method comprises a preprocessing unit, a matching unit and a forwarding unit, wherein the preprocessing unit is used for splitting the rules in a regular expression rule set, constructing a regular expression matching engine according to the splitting result and sending the regular expression matching engine to the matching unit; the matching unit is used for performing regular expression matching treatment to an input network packet by the regular expression matching engine and outputting a matching result to the forwarding unit; and the forwarding unit implements storage and forwarding of the network packet. The regular expression matching method has high matching speed, is as good as DFA, takes up small internal memory, is as good as NFA, forms linear relation with the scale of the regular expression rule set, has high expandability, is fast in construction, can finish the preprocessing in a time nearly equal to or even shorter than the time for NFA construction under a non-splitting rule, and can satisfy the requirement on rule renewing time during actual processing.

Description

technical field [0001] The invention relates to the technical field of network security, in particular to a regular expression matching system and a matching method. Background technique [0002] Regular expression-based pattern matching, referred to as regular expression matching, is a key component of security gateway systems such as Deep Inspection Firewall, Network Intrusion Detection / Prevention System (NIDS / NIPS), and Unified Threat Management (UTM). and core technology. The regular expression matching monitors or filters the network packets by checking and processing the network packet payload (Payload) above the L4 layer of the OSI network protocol. [0003] Regular expression matching is mainly realized through two data structures of deterministic finite automata (DFA) and non-deterministic finite automata (NFA). DFA matching speed is fast, but the memory usage is too high. For many complex regular expression rules or large-scale regular expression rule sets, DFA w...

AI Technical Summary

Problems solved by technology

DFA matching speed is fast, but the memory usage is too high. For many complex regular expression rules or large-scale regular expression rule sets, DFA will explode in state and cannot be constructed at all; NFA has a small memory usage, but the matching speed is extremely slow. , it cannot meet the actual network processing requirements on a multi-core or general-purpose processor platform

[0004] At present, the industry generally does not have a good solution for regular expression matching. The methods and bottlenecks are mainly: 1) Use the rule grouping idea proposed by the academic circle to divide the regular expression rules in a set into multiple groups, each A set of regular expression rules constructs a corresponding DFA that meets a certain memory footprint, and uses multiple DFAs for regular expression matching, but this cannot solve the problem that many single rules will cause the DFA state to explode, and it canno

Images