TFA: A tunable finite automaton for pattern matching in network intrusion detection systems

Yang Xu, Junchen Jiang, Rihua Wei, Yang Song, H. Jonathan Chao

Research output: Contribution to journalArticlepeer-review


Deterministic finite automatons (DFAs) and nondeterministic finite automatons (NFAs) are two typical automatons used in the network intrusion detection system. Although they both perform regular expression matching, they have quite different performance and memory usage properties. DFAs provide fast and deterministic matching performance but suffer from the well-known state explosion problem. NFAs are compact, but their matching performance is unpredictable and with no worst case guarantee. In this paper, we propose a new automaton representation of regular expressions, called tunable finite automaton (TFA), to deal with the DFAs' state explosion problem and the NFAs' unpredictable performance problem. Different from a DFA, which has only one active state, a TFA allows multiple concurrent active states. Thus, the total number of states required by the TFA to track the matching status is much smaller than that required by the DFA. Different from an NFA, a TFA guarantees that the number of concurrent active states is bounded by a bound factor b that can be tuned during the construction of the TFA according to the needs of the application for speed and storage. Simulation results based on regular expression rule sets from Snort and Bro show that, with only two concurrent active states, a TFA can achieve significant reductions in the number of states and memory usage, e.g., a 98% reduction in the number of states and a 95% reduction in memory space.

Original languageEnglish (US)
Article number6905778
Pages (from-to)1810-1821
Number of pages12
JournalIEEE Journal on Selected Areas in Communications
Issue number10
StatePublished - Oct 1 2014

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Electrical and Electronic Engineering


Dive into the research topics of 'TFA: A tunable finite automaton for pattern matching in network intrusion detection systems'. Together they form a unique fingerprint.

Cite this