Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Hyperflex: A SIMD-based DFA Model for Deep Packet Inspection

Yang Liu, Wenjun Zhu, Harry Chang, Yang Hong, Geoff Langdale, Kun Qiu, Jin Zhao

TL;DR

Hyperflex tackles the DPI regex-matching bottleneck by introducing a SIMD-based DFA model that identifies a 64-state hyper region within the full DFA. It combines region-aware compilation with a hybrid transition engine and a gutter table to ensure correctness across region boundaries, achieving high throughput on commodity CPUs with AVX-512. The approach yields up to 2.27x speedups over Hyperscan's Mcclellan baseline and integrates into Hyperscan, demonstrating practical impact for real-time network inspection. The work also provides a principled region-detection method (SCCs, stickiness, and leakiness) and an efficient earliest-escaping-state algorithm to maximize SIMD utility while preserving correctness across region boundaries.

Abstract

Deep Packet Inspection (DPI) has been extensively employed for network security. It examines traffic payloads by searching for regular expressions (regex) with the Deterministic Finite Automaton (DFA) model. However, as the network bandwidth and ruleset size are increasing rapidly, the conventional DFA model has emerged as a significant performance bottleneck of DPI. Leveraging the Single-Instruction-Multiple-Data (SIMD) instruction to perform state transitions can substantially boost the efficiency of the DFA model. In this paper, we propose Hyperflex, a novel SIMD-based DFA model designed for high-performance regex matching. Hyperflex incorporates a region detection algorithm to identify regions suitable for acceleration by SIMD instructions across the whole DFA graph. Also, we design a hybrid state transition algorithm that enables state transition in both SIMD-accelerated and normal regions, and ensures seamless state transition across the two types of regions. We have implemented Hyperflex on the commodity CPU and evaluated it with real network traffic and DPI regexes. Our evaluation results indicate that Hyperflex reaches a throughput of 8.89Gbit/s, representing an improvement of up to 2.27 times over Mcclellan, the default DFA model of the prominent multi-pattern regex matching engine Hyperscan. As a result, Hyperflex has been successfully deployed in Hyperscan, significantly enhancing its performance.

Hyperflex: A SIMD-based DFA Model for Deep Packet Inspection

TL;DR

Hyperflex tackles the DPI regex-matching bottleneck by introducing a SIMD-based DFA model that identifies a 64-state hyper region within the full DFA. It combines region-aware compilation with a hybrid transition engine and a gutter table to ensure correctness across region boundaries, achieving high throughput on commodity CPUs with AVX-512. The approach yields up to 2.27x speedups over Hyperscan's Mcclellan baseline and integrates into Hyperscan, demonstrating practical impact for real-time network inspection. The work also provides a principled region-detection method (SCCs, stickiness, and leakiness) and an efficient earliest-escaping-state algorithm to maximize SIMD utility while preserving correctness across region boundaries.

Abstract

Deep Packet Inspection (DPI) has been extensively employed for network security. It examines traffic payloads by searching for regular expressions (regex) with the Deterministic Finite Automaton (DFA) model. However, as the network bandwidth and ruleset size are increasing rapidly, the conventional DFA model has emerged as a significant performance bottleneck of DPI. Leveraging the Single-Instruction-Multiple-Data (SIMD) instruction to perform state transitions can substantially boost the efficiency of the DFA model. In this paper, we propose Hyperflex, a novel SIMD-based DFA model designed for high-performance regex matching. Hyperflex incorporates a region detection algorithm to identify regions suitable for acceleration by SIMD instructions across the whole DFA graph. Also, we design a hybrid state transition algorithm that enables state transition in both SIMD-accelerated and normal regions, and ensures seamless state transition across the two types of regions. We have implemented Hyperflex on the commodity CPU and evaluated it with real network traffic and DPI regexes. Our evaluation results indicate that Hyperflex reaches a throughput of 8.89Gbit/s, representing an improvement of up to 2.27 times over Mcclellan, the default DFA model of the prominent multi-pattern regex matching engine Hyperscan. As a result, Hyperflex has been successfully deployed in Hyperscan, significantly enhancing its performance.

Paper Structure

This paper contains 38 sections, 4 equations, 17 figures, 5 tables.

Table of Contents

  1. Introduction
  2. related work
  3. Deterministic Finite Automaton
  4. Hardware Acceleration Methods
  5. DFA Space Compression Algorithms
  6. The Traditional DFA State Transition Algorithm
  7. The SIMD-based DFA State Transition Algorithm
  8. HYPERFLEX ARCHITECTURE
  9. Design Overview
  10. The Region Detection Algorithm
  11. The Hybrid Transition Algorithm
  12. The Hyper Region Design
  13. Problem Analysis
  14. Good Hyper Region Properties
  15. Property 1
  16. ...and 23 more sections

Figures (17)

  • Figure 1: DFA representation for regex "mode+l"
  • Figure 2: Traditional state transition algorithm working progress
  • Figure 3: Shuffle operation for state transition
  • Figure 4: SIMD-based state transition algorithm working progress
  • Figure 5: Design overview for the Hyperflex DFA model
  • ...and 12 more figures