Application protocol parsing, the translation of raw packet flows into higher level flows of semantic content, is the foundation and enabler of a wide variety of current and future networking services such as network security, application-aware load balancing, content-aware networking, and vulnerability based signature checking. A key feature of application protocol parsing is the controlled extraction of specific data within such a high level flow for further processing. A fundamentally new framework for application protocol parsing and field extraction, FlowSifter is under development. To achieve practical application protocol parsing and efficient field extraction suitable for high speed networking devices that process millions of concurrent flows, FlowSifter performs automated selective stackless approximate parsing. The new formal language theory models such as counting automata are applied to achieve the research goals. Specifically, FlowSifter allows a user to specify application protocols as well as the desired fields to be extracted using a modified regular grammar. FlowSifter turns the modified regular grammar into a counting automata to perform the approximate, selective, and approximate field extraction with controlled error bounds. Expected results of this project include the new formal language theory models and the comprehensive FlowSifter framework. Research results are broadly disseminated through publications, open source software releases, freely available course modules, and industry interaction. The development of FlowSifter benefits society by enabling the future deployment of potentially transformative security and networking services such as vulnerability based signature checking for detecting polymorphic worms in network intrusion detection/prevention systems (IDSes/IPSes) and content-aware networking.
