As the title progresses, we would like to get some recommendations on the fastest algorithm available for matching patterns with the following restrictions:
Long Dictionary: 256
Short but not fixed length rules (1 to 3 or 4 bytes depth)
A small (150) number of rules (if 3 bytes) or moderate (~ 1K) if 4
Better performance than the current AC-DFA used in Snort, or AC-DFA-Split used again by Snort
Software (recent COTS systems such as E3 E5) Ideally, I would like to use some SIMD / SSE materials due to the fact that they currently have a width of 128 bits, and in the near future they will be 256 against CPU 64
We started this project by pre-processing Snort AC with the algorithm shown on Sigmatch paper, but, unfortunately, the results were not so impressive (~ 12% improvement when compiling with GCC, but not with ICC)
Subsequently, we tried to use the new pattern matching features introduced in SSE 4.2 through the IPP libraries, but no performance gain at all (guessing that doing this directly in machine code would be better, but certainly more complicated)
So, back to the original idea. Right now we are working on the segmentation segment of the brain, but we know that if we do not replace the proposed AC-DFA for the main side, it will be very difficult to get improved performance, but at least it will be able to support much more rules without a significant decrease in performance
, parallelism , 3 4 ,
Nedtries , , , ,
C .
IMHO, , -, 1 , , , parallelism, SIMD/SSE,
, -
: D
, . , , , , CPU COTS, (SIMD, SSE,...)
, , ( ), , , ,
, , NFAs , DFA - , ..