Towards A Fast Packet Inspection Over Compressed Http Traffic

Matching multiple patterns is the key technology in firewall, Intrusion Detection Systems, etc. However, most of the web services nowadays tend to compress their traffic for less transferring data and better user experience, which has challenged the multi-pattern matching original working only on raw content. Naive and straightforward solutions towards this challenge either decompress the compressed data first and apply legacy multi-pattern matching methods, or have to scan redundant data during the matching., which are not fast and memory efficient. In this paper, we propose COmpression INspection (COIN) method for multi-pattern matching on compressed HTTP traffic. COIN does not decompress the data before matching and only scans once each bit of the traffic under inspection. We have collected real traffic data from Alexa.com top 500 and Alexa.cn top 20000 web sites and have performed the experiments under 1430 SNORT patterns. The evaluation results show that COIN is 10-31% faster than state-of-the-art approach.