Middlebox services that inspect packet payload have become commonplace. Today, anyone can sign up for a cloud-based Web application firewall with a single click. These services typically look for known patterns that might appear anywhere in the payload. The key challenge is that existing solutions for pattern matching have become a bottleneck as software packet processing technologies have advanced. The popularization of cloud-based services has made the problem even more critical.
This paper presents an efficient multi-pattern string matching algorithm, called DFC. DFC significantly reduces the number of memory accesses and cache misses by using small and cache-friendly data structures, and it avoids instruction pipeline stalls by minimizing sequential data dependency. Our evaluation shows that DFC improves performance by 2.0 to 3.6 times compared to the state-of-the-art on real traffic workload obtained from a commercial network. It also outperforms other algorithms even in the worst case. In addition, the data structure construction time of DFC is much smaller than that of other algorithms. When applied to middlebox applications, such as network intrusion detection, anti-virus, and Web application firewall, DFC delivers 57%-160% performance improvement.
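The sketch below is an added example, not code from the paper: it illustrates the filter-then-verify idea behind small, cache-friendly structures, using an 8 KB bitmap indexed by two payload bytes and a naive comparison for positions that pass. The bitmap layout, the sample patterns and the names `df_build` and `df_scan` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: one bit per possible 2-byte value = 8 KB, small enough for L1. */
static uint8_t df[65536 / 8];

/* Constructed sample patterns; each must be at least 2 bytes long. */
static const char *patterns[] = { "attack", "/etc/passwd", "<script" };
#define NPAT (sizeof patterns / sizeof patterns[0])

static unsigned idx2(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Set the filter bit for the first two bytes of every pattern. */
void df_build(void) {
    memset(df, 0, sizeof df);
    for (size_t i = 0; i < NPAT; i++) {
        unsigned k = idx2((const uint8_t *)patterns[i]);
        df[k >> 3] |= (uint8_t)(1u << (k & 7));
    }
}

/* Returns the number of pattern occurrences in buf; *verified receives the
 * number of positions that passed the filter and needed a full comparison. */
size_t df_scan(const uint8_t *buf, size_t len, size_t *verified) {
    size_t hits = 0;
    *verified = 0;
    for (size_t pos = 0; pos + 1 < len; pos++) {
        unsigned k = idx2(buf + pos);
        /* Common case: one bitmap lookup that does not depend on earlier positions. */
        if (!(df[k >> 3] & (1u << (k & 7))))
            continue;
        (*verified)++;
        for (size_t i = 0; i < NPAT; i++) {   /* naive verification, for brevity */
            size_t n = strlen(patterns[i]);
            if (n <= len - pos && memcmp(buf + pos, patterns[i], n) == 0)
                hits++;
        }
    }
    return hits;
}

int main(void) {
    const char *payload = "GET /etc/passwd?q=<script>attach";  /* constructed input */
    size_t verified = 0;
    df_build();
    size_t hits = df_scan((const uint8_t *)payload, strlen(payload), &verified);
    printf("%zu matches, %zu of %zu positions verified\n", hits, verified, strlen(payload));
    return 0;
}
```

On the constructed payload most positions are rejected by the single bitmap lookup, and the trailing `attach` shows a filter false positive that verification discards.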