Regular expression (RegEx) matching plays an important role in many modern intrusion detection systems (IDS). A deterministic finite automaton (DFA) is an effective way to perform regular expression matching. However, the prohibitive memory requirement makes DFAs impractical for many real-world rule sets. In this paper we propose a method that dramatically reduces DFA memory usage while still providing guaranteed matching speed. A small table for each state is employed to help translate the input character into the offset of the modified transition table for the same state. The proposed representation for DFAs is called character substitution DFA (CSDFA). We present experimental results using rule sets from both L7-filter and Snort.
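The per-state translation step described above can be sketched as follows; this is an added example, not code from the paper, and it shows one simplified reading of the idea. It assumes the substitution table holds one narrow index per input byte and the modified transition table holds only the distinct next states of that state; how the paper constructs and sizes its tables is not stated in the abstract, and all function names and the sample pattern are constructed for illustration.

```python
PATTERN = b"cmd.exe"  # constructed sample signature, not taken from any rule set

def kmp_dfa(pattern):
    """Uncompressed DFA: one 256-entry row per state. State len(pattern)
    means the pattern has been seen; that state is absorbing."""
    n = len(pattern)
    rows = [[0] * 256 for _ in range(n + 1)]
    rows[0][pattern[0]] = 1
    fallback = 0                      # state reached by the longest proper border
    for s in range(1, n):
        rows[s] = list(rows[fallback])
        rows[s][pattern[s]] = s + 1
        fallback = rows[fallback][pattern[s]]
    rows[n] = [n] * 256
    return rows

def compress(rows):
    """Per state: a substitution table (byte -> offset) and a modified
    transition table that stores each distinct next state only once."""
    subst, compact = [], []
    for row in rows:
        targets = sorted(set(row))
        offset = {t: i for i, t in enumerate(targets)}
        subst.append(bytes(offset[t] for t in row))   # one narrow entry per byte
        compact.append(targets)                       # wide entries (state ids)
    return subst, compact

def run_full(rows, data, state=0):
    for b in data:
        state = rows[state][b]
    return state

def run_csdfa(subst, compact, data, state=0):
    # Exactly two table lookups per input byte, so speed stays bounded.
    for b in data:
        state = compact[state][subst[state][b]]
    return state

def wide_entries(rows, compact):
    """(state-id entries in the full table, state-id entries after compression)"""
    return 256 * len(rows), sum(len(c) for c in compact)

if __name__ == "__main__":
    rows = kmp_dfa(PATTERN)
    subst, compact = compress(rows)
    sample = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0"   # constructed input
    print(run_csdfa(subst, compact, sample) == len(PATTERN))
    print(wide_entries(rows, compact))
```

In this sketch the substitution tables still have 256 entries per state, but each entry is a one-byte offset rather than a full state identifier, which is where the saving comes from as the number of states grows.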