Computer Networks: The International Journal of Computer and Telecommunications Networking
Current security tools, using "signature-based" detection, do not handle compressed traffic, whose market share is constantly increasing. This paper focuses on compressed HTTP traffic. HTTP uses GZIP compression and requires some kind of decompression phase before performing string matching. We present a novel algorithm, Aho-Corasick-based algorithm for Compressed HTTP (ACCH), that takes advantage of information gathered by the decompression phase in order to accelerate the commonly used Aho-Corasick pattern-matching algorithm. By analyzing real HTTP traffic and real Web application firewall signatures, we show that up to 84% of the data can be skipped in its scan. Surprisingly, we show that it is faster to perform pattern matching on the compressed data, with the penalty of decompression, than on regular traffic. As far as we know, we are the first paper that analyzes the problem of "on-the-fly" multipattern matching on compressed HTTP traffic and suggests a solution.