Efficient multi-pattern matching on Compressed HTTP traffic

Signature-based detection is one of the fundamental technique to detect malicious activities in a network environment. Today, the performance of the security tools is dominated by the speed of the string-matching algorithms that detect these signatures.

A significant part of the traffic over the Internet is compressed HTTP. However, current security tools do not deal with such a traffic and require some kind of decompression phase before performing the multi-patterns matching task. Thus, there is a high performance penalty in pattern matching on compressed data.

In this talk, we present efficient algorithms for on-the-fly multi-pattern matching algorithms for common HTTP compression algorithms, such as GZIP and SDCH (Google's compression algorithm). Our results show that surprisingly it is usually faster to do pattern matching on the compressed data, with the penalty of decompression, than to do pattern matching on regular traffic.

The talk is based on three papers: one with A. Bremler-Barr (INFOCOM 2009, later in Transactions on Networking 2012), one with Y. Afek and A. Bremler-Barr (Networking 2011, later in Computer Communication 2012) and one with S. Tzur-David, D. Hay and A. Bremler-Barr (INFOCOM 2012).