The Scientific World Journal

Volume 2014, Article ID 654974, 9 pages

http://dx.doi.org/10.1155/2014/654974

## Based on Regular Expression Matching of Evaluation of the Task Performance in WSN: A Queue Theory Approach

School of Software Technology, Dalian University of Technology, Dalian 116620, China

Received 4 July 2014; Accepted 16 August 2014; Published 23 October 2014

Academic Editor: Fei Yu

Copyright © 2014 Jie Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Due to the limited resources of wireless sensor network, low efficiency of real-time communication scheduling, poor safety defects, and so forth, a queuing performance evaluation approach based on regular expression match is proposed, which is a method that consists of matching preprocessing phase, validation phase, and queuing model of performance evaluation phase. Firstly, the subset of related sequence is generated in preprocessing phase, guiding the validation phase distributed matching. Secondly, in the validation phase, the subset of features clustering, the compressed matching table is more convenient for distributed parallel matching. Finally, based on the queuing model, the sensor networks of task scheduling dynamic performance are evaluated. Experiments show that our approach ensures accurate matching and computational efficiency of more than 70%; it not only effectively detects data packets and access control, but also uses queuing method to determine the parameters of task scheduling in wireless sensor networks. The method for medium scale or large scale distributed wireless node has a good applicability.

#### 1. Introduction

Most wireless sensor network (WSN) missions are to detect and environmental reporting events. Since wireless sensor networks usually work under severe environments, their performance is often difficult or impossible to assess accurately. Therefore, how to evaluate the performance in the wireless sensor network for task communication is the research emphasis in recent years, which becomes one of the most attractive.

Most current researches have focused on how to provide authentication, confidentiality, integrity, nonrepudiation, and access control ad hoc [1, 2]. Distributed authentication is a very common approach to solve ad hoc security issues [3, 4]. However, highly secure ad hoc approach in certain circumstances the lack of a common approach [5, 6].

Because regular expressions provide excellent communication skills and flexibility, they have been widely used in a variety of network security applications, such as antivirus scanning, network intrusion detection and prevention systems [7], firewalls, and traffic classification and monitoring [8]. Deterministic finite automata (DFA) and nondeterministic finite automata (NFA) are the typical application of regular expressions. But this requires a certain store or time-consuming cycle tolerable for resource-constrained wireless sensor condition is basically meeting the application requirements. Performance evaluation based on the communication task queuing model theory methods [9, 10], in recent years, published several class methods.

However, previous methods suffer from the following disadvantages. In typical queuing model, customer arrival and the service processing are independent. However, they are relative to the sensor communication scheduling tasks. Sensors cannot receive communication and run the state machine at the same time. Usually the sensor is constant communication the occupied and communication task processing footprint. The arrival of the communication task has different priorities. The high-priority tasks can preempt the low-priority tasks, and the low-level tasks continue to run after the high-priority tasks processing is complete. Time constraints: the traditional system analysis often considered the average time while the task’s communication between wireless sensors needs to consider the maximum time after which the time state machine will transmit to another state.

The method of finite automata has researched in the regular expression matching system security for the wireless sensor networks, and matching performance is ignored to further discussion [11]; similarly, the evaluation of the performance based on the queue model in the wireless sensor network (WSN) has been discussed, but the system security matching method not to do more research [12]; therefore, we combined with the previous work, in this paper, the security matching method of finite automata, and the performance of the queuing model was discussed in WSN.

The rest of the paper is organized as follows. Section 2 reviews regular expression two-stage matching strategy. Section 3 explains the regular expression matching approach. In Section 4, model of task scheduling based on queuing theory is proposed. In Section 5, the priority queue with two classes of tasks is proposed. We describe the performance of the wireless sensor communication tasks based on queuing theory in Section 6. In Section 7, simulations are conducted for illustrating the performance of our scheme. Finally, we conclude this paper in Section 8.

#### 2. Regular Expression Two-Stage Matching Strategy [11]

Recent research has paid much attention to reduction of the huge memory usage for DFA-based regular expression matching, as DFA is the preferred representation of regular expression matching. As a matter of fact, they can only achieve memory reduction for specific regular expression or signature sets of simple. High-speed regular expression matching for real-world signature sets that contain thousands of complex regular expressions can be hardly achieved. In modern networking devices, TCAMs (off-the-shelf chips) have been widely deployed. However, even if techniques such as D2FA [13, 14] are employed, tables of DFA and NFA are too big to be stored in TCAMs. In 2012, the RegexFilter (a high-speed and memory efficient technique) was presented by Liu et al. [15]. Regular expression matching was been sped up by quickly searching these regular expressions that may match each arriving item as little as possible. However, this method only cares about the profiteering stage and left the verifying stage without any optimization.

##### 2.1. Profiteering Stage

For instance, there is a regular expression set called ; another set is constructed so that any unmatched item of is also an unmatched item of . An item that does not match any regular expression in the set [15] is unmatched item of a regular expression set. Given an item , it will match against to get set firstly. If is empty, it does not obviously match any member in and therefore this item can be skipped safely; otherwise, matching it against will continue, where . Figure 1 shows the relationship between match items and print . Because most items are unmatched and the match cost of is much less than that of , the overall throughput of this approach can be much higher than directly matching against .

##### 2.2. Verifying Stage

In the verifying stage, how to build correlation from profiteering print and reduce the memory cost of DFA tables is the main point that needs to be handled. A DFA is presented by a 5-tuple where is a set of states, is an alphabet, is the transition function, is the start state, and is a set of accepting states. The major part we should deal with is the DFA-based algorithms with the large amount of memory requirement to store the transition table. Software-based [16–18] and FPGA-based [19, 20] regular expression matching algorithms are traditional approaches with many shortcomings. TCAM-based solutions have the advantages of easy encoding and high parallelism [13]. Three novel techniques, transition sharing, table consolidation, and variable striding, were proposed by Liu et al. to reduce TCAM space and improve matching speed.

#### 3. Regular Expression Matching Approach

The selecting process of regular expression “” with five atoms is shown in Figure 2. The parameter is the boundary we define and the expression size of every print should be less than . The selecting stage begins from the first atom. The curr pointer keeps moving to the next atom if value of the regular expression print between the begin pointer and end pointer until the curr pointer arrives at the fourth atom “”, . Condition does not hold, and print is selected. Then a directed line from to to mark the correlation relationship is constructed. Then, in step 2, it is included in the already selected print “”, although satisfies the condition. According to section A, has higher matching probability (MP) than ; thus, is not selected. The same criteria are processed in steps 3, 4, and 5 to select print.

After selecting the print, a relationship of this graph called correlation sequence is generated as a directed graph from to .

Every package will be transmitted across certain nodes according to ad hoc wireless protocol. These nodes will be grouped into two groups: one group for profiteering stage and the other group for verifying stage. Extra package fields are adopted to make each node work collaboratively and communicate with the other.

The package matching process is demonstrated in Figure 3. Taking the limited computing power of each wireless node into consideration, the calculation of is simplified to be addition only. At first, the feature vector needs to be stored so that the sum of can be calculated to get . The profiteered correlation sequence will be generated in node 2 after profiteering stage in node 1. Then, if is not empty, the is calculated in node 2 by adding the feature vector . Verifying process will continue in node 2 using the group in its memory when is larger than . Otherwise, the package will be transmitted to the next hop and will be matched continually.

#### 4. Queue Model Description [12]

The pattern of communication between wireless sensors can be divided into two modes: the synchronous and the asynchronous modes. In synchronous mode, when a plurality of communication tasks are triggered, the tasks scheduling will be suspended. At this moment, the levels of query priority and processes priority are executed in sequence. This mode has a higher efficiency when the transmissions are not frequent. However, this will lead to an unacceptable high loss rate of the communication tasks when the transmissions are frequently triggered. In asynchronous mode, when the task to transmit, the scheduling will not immediately to process; however, the priority communication tasks are added to the queue in sequence, then the wireless sensor through state machine to fetch the head of the communication task in the queue, and executes the task scheduling function. This model greatly reduces the tasks’ loss, thus determining the wireless sensor network (WSN) which is formed in one of the biggest communication task captains that are of great help to guide sensor network design. Figure 4 shows -task communication scheduling based on the queuing theory model in the wireless sensor network.

Input process: communication tasks are divided into levels. The first level has the highest priority, the second priority has secondary priority, and so forth. The level has the lowest priority. Assume that each communication task interval is the Poisson distribution or negative exponential distribution. The average time of the interval of the th level communication task is .

Queuing rules: the task responses as soon as the communication task arrival by the background task execution call service, when the task is not scheduling executed in the system. The high-priority communication tasks priority is executed in sequence until the end of all high-priority tasks in the queue. When the low-priority tasks are executing, the high-priority task takes over the low-priority task and the low-priority task will return to the queue, the same priority communication task followed by FCFS rues.

Service process: wireless sensor network uses the state machine to drive communication task process, assuming that each time of the communication task is exponential distribution, and the average service of level communication task rate is .

The WSN communication tasks queue performance parameters [21]: (a) absolute throughput is the average time of task service in the unit time; (b) relative throughput is the ratio of all the severed tasks and all request tasks in the unit time; (c) the queue length of the average value is all communication tasks in the WSN; (d) the queue of average length is the average number of the waiting tasks in the queue; (e) the average sojourn times are the average of the task waiting for service time and the average service time (then ); (f) busy period is the random parameter; (g) system loss rates are the overflow probability.

#### 5. Priority Queue with Two Classes of Tasks

Assume the queuing system is the preemptive priority. The th task arrival is Poisson distribution with parameter ; the service time is exponentially distributed with parameter . Level 1th priority communication task is more priority than level 2th priority task. The system state is , represents the level of the communication tasks. The system state space distribution . The system transition process is depicted in Figure 5.

#### 6. Tasks Performance Indicators in Sensor Network

The priority tasks processing is as follows: when the 1st level task with parameters and the 2nd level task with parameters arrive, service times of two level tasks are the and , the task’s priority is reduced in sequence, and they share the waiting queue. The recursive calculation of probability matrix needs a large amount of calculation; therefore, Matlab software is the necessary software. The M/M/1 preemptive priority queue model is used in the experiments. The arrival of the th level task process as a Poisson distribution with the parameter and service time as a negative exponential distribution with the parameter . The 1st level tasks are more priority than the 2nd level communication tasks. Assume the parameters are , , , and .

*(**1) Steady-State Queue Length*. Figure 6 shows the probability and the queue length as the increasing. The vertical axis is the probability, and the horizontal axis is the queue length. In the probability matrix, ; the maximum queue length can be obtained in the system and assures that task’s buffer is enough to calculate the task’s loss.

In the simulation, , which is the maximum queue length; when , the arrivals of the task’s probability are 0; this means the possibility of task arrival does not exist, and the length does not grow. Then, when , the length can be regarded as the largest queue length.

*(**2) Average Sojourn Time*. Assume that every level of task arrival is Poisson distribution. The th level tasks are with the parameter , the service time is the negative exponential distribution, and the average service time is . The average sojourn times and are calculated in the following formulas:

*(**3)* *Average Waiting Time* [22]. The same way, the queue of the average waiting times and is calculated as formula (1).

*(**4) Wireless Sensor Usage Rate* [23]. is the probability of the wireless sensor being idle; then , where is the occupancy probability of communication task [24, 25]. The greater is, the greater the occupancy probability is. is the service capacity or the load capacity. To consider the practicality of the model, the queue length is not unlimited. To determine the performance indicators, we take the queuing model of M/M/1/N and set the buffer capacity which is .

*(**5) Task’s Throughput.* The communication task’s time is divide into three parts: they are the task’s processing time , the state machine processing time , and the wireless sensor idle time . The task’s processing is more priority than the state machine processing. Assume the tasks service strength is ; then the tasks processing time is , and the state machine processing time is .

The processing of the finite automata is the queuing model of ; the input processing with the parameter and the service time with the parameter are the negative exponential distribution; length of the buffer is . The processing speed of the communication task is faster than the processing speed of the state machine. Thus, the actual processing capability of the state machine is , and the buffer length is ; then the loss rate is

In particular, .

As to formula (1), the calculation which the state machine throughput computes is the following formula:

When the sensor network is severely overloading, the , and the . As to formula (2), formula (5) is calculated, due to formula (5), and the speed of the parameter affects the performance of the task processing; the greater is, the lower the performance of the task processing is. When the communication tasks processing rate and the state machine processing rate remain unchanged, the performance curve is a straight line in which the slope is . Consider

*(6) Wireless Sensor Processing Capacity.* Assume the processing capacity is of mips; the quantity of the tasks which need to be executed in the task’s processing is and the quantity of the tasks which need to be executed in the state machine is ; then the task’s processing capacity computes as formula (3); formula (6) is as follows:

Take formula (6) into formula (3); the loss rate is

Formula (7) is the relationship between the loss rate and the processing capacity. It helps to determine the requirements of the task’s processing.

#### 7. Experiment

##### 7.1. Experiment Set

We evaluated our matching approach by regular expression sets extracted from two real-world systems named L7-Filter and Snort. L7-Filter is famous open source application layer traffic classier for Linux. The payload content of a flow and identified its application level protocol are reassembled through regular expression matching. Snort is a well-known open-source intrusion detection system, which can be configured to perform protocol analysis, probes, and content inspecting over online traffic by detecting a variety of worms. Two sets are chosen as to perform the experiments. The experiment parameters, ES, MP, are set, as shown in Table 1. Then, the local optimal value can be obtained during our experiments.

Print size denotes the memory occupation of prints after the profiteering stage. Group number is the group number of correlative regular expression according to the parameter . Average similarity is the average value of similarity in each group (see (2)). Package size is the testing packages length. Our simulation environment is based on NS-2 (Network Simulator, version 2). We set the number of nodes from 20 to 100. Number of suspicious package is the number of package that needs to be verified after the profiteering stage. Lastly, we calculate our experiment efficiency by their average executing cost: Efficiency = (Num of suspicious package/Total package Number) × (/Group Number).

Table 2 demonstrates that we can get a good efficiency promotion from 73.17% to 89.73%. A regular matching comparison was performed with our strategy and normal approach. The average hop and average variation tendency and the number of nodes are shown in Figure 7. L7-Filter and Snort were tested separately. -axis is hops and -axis indicates the nodes number. From the results figure, a significant difference can be observed: when nodes are more than 30, the hops number of using decreases sharply.

Figure 7 demonstrates that the matching approach can test and verify the packages efficiently when the number of wireless nodes is more than 30, which indicates that our approach can be well adapted to medium or large scale distributed wireless sensor network. On the other hand, there is no major difference in average hops when the system is handling a small group of wireless nodes. Comparing with other end-to-end strategies [9], our approach provides a well scalable way to construct intrusion detection system by integrating distributed wireless sensor nodes. Based on appropriate parameters, network attacks can be monitored by our system in an effective way.

##### 7.2. Experiment of Queue Model

The experiment compares two groups of the performance results, which computed by the queuing theory and got the results from the software NS2. The NS2 platform simulated the STM32W108 sensor networking; we found that it is affected with the following parameters: the average length of stay for communication tasks, the average queue waiting time of tasks, the occupancy rate, and the task throughput.

Simulation software configuration communication tasks take the high-priority traffic and low-priority communications task two categories. Design the task’s scheduling function and assure is approximately 400 operations and is about 4000 operations. The program triggers communication according to the different experimental parameters and to test the influence on wireless sensor performance. The experiment of the results compares with calculation results of the method based on queuing theory to verify the creditability of the method. The statistics are shown in Table 3.

When the sensor overloaded, the sensor network handles the task for a long time, and the state machine processing has no support to the sensor network. The actual speed of sensor processing is far less than . When the wireless sensor network needed specific requirements of the loss rate and the sensor throughput, it can take the speed of the scheduling to the requirements.

For formula (7), it can understand the relationship between the loss rate and the capacity of scheduling. It can easily choose the right sensor in the network which will greatly improve the quality of service.

##### 7.3. The Methods of Analysis

The previous method of finite automata has discussed the regular expression matching system security in WSN, and the evaluation of the performance is ignored to research. The matching method in some extent can maintain the precision and accuracy in some systems; it can be used in a specific environment; the performance of the evaluation in the wireless sensor network (WSN) that we had researched is in the universal environment; it is necessary to consider the problem of the restrictions, such as the capacity of the buffer, the length of the queue in the processing time, the performance of the calculation that needs enough buffer for the task processing, and the work conditions. In our research, the approach which took the matching method and the evaluating performance together is a new topic. The method ensures maintaining the system security, reducing the loss rate of the communication task, and improving the accuracy of the schedule. The universal approach can be used in lots of environments; in the wireless sensor network, the approach has a good, excellent performance.

#### 8. Conclusions

This paper presented a regular expression matching approach for the wireless sensor network security systems, which is proposed to take the advantage of sensor nodes collaboratively, which divides the matching into matching preprocessing phase, validation phase, and performance evaluation phase. This method is based on queuing model to evaluate the performance of scheduling for the wireless sensor network. The experimental results show that our approach can speed up the efficiency of regular expression by at least 71% for the regular expression set by Snort and L7-Filter systems. And the queue model helps to obtain the communication tasks probability distribution and the relation between the task’s processing capability and the task’s response time, sensor throughput, and so forth.

The future work will focus on the following two aspects: the work will also extend the proposed approach and explore its feasibility for other network areas and continue to improve the queuing model to make it closer to the real wireless sensor which will raise the accuracy of the model.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This research is supported by the National Natural Science Funds of China (no. 61472100 and no. 61402078) and the Fundamental Research Funds for the Central Universities (no. DUT14QY32 and no. DUT14RC(3)090).

#### References

- R. Matam and S. Tripathy, “Provably secure routing protocol for wireless mesh networks,”
*International Journal of Network Security*, vol. 16, no. 3, pp. 182–192, 2014. View at Google Scholar - H. Deng, W. Li, and D. P. Agrawal, “Routing security in wireless ad hoc networks,”
*IEEE Communications Magazine*, vol. 40, no. 10, pp. 70–75, 2002. View at Publisher · View at Google Scholar · View at Scopus - L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in
*Proceedings of the 9th ACM Conference on Computer and Communications Security*, pp. 41–47, Dalian, China, November 2002. View at Scopus - Y.-C. Hu, D. B. Johnson, and A. Perrig, “SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks,”
*Ad Hoc Networks*, vol. 1, no. 1, pp. 175–192, 2003. View at Publisher · View at Google Scholar · View at Scopus - S. S. Ahmeda, “ID-based and threshold security scheme for ad hoc network,” in
*Proceedings of the IEEE 3rd International Conference on Communication Software and Networks (ICCSN '11)*, pp. 16–21, Xi'an, China, May 2011. View at Publisher · View at Google Scholar · View at Scopus - M. Roesch and Stanford Telecommunications, “Snort: lightweight intrusion detection for networks,” in
*Proceedings of the 13th USENIX Conference on System Administration (LISA '99)*, vol. 99, pp. 229–238, 1999. - A. Prathapani, L. Santhanam, and D. P. Agrawal, “Detection of blackhole attack in a wireless mesh network using intelligent honeypot agents,”
*Journal of Supercomputing*, vol. 64, no. 3, pp. 777–804, 2011. View at Publisher · View at Google Scholar · View at Scopus - J. Levandoski, E. Sommer, M. Strait et al., “Application layer packet classifier for linux,” 2008.
- X. Li, M. Chen, and W. Liu, “Application of STBC—encoded cooperative transmissions in wireless sensor networks,”
*IEEE Signal Processing Letters*, vol. 12, no. 2, pp. 134–137, 2005. View at Publisher · View at Google Scholar · View at Scopus - K. Kim, “(N,n)-preemptive priority queues,”
*Performance Evaluation*, vol. 68, no. 7, pp. 575–585, 2011. View at Publisher · View at Google Scholar · View at Scopus - J. Wang, Y. Yanshuo, and K. Zhou, “A regular expression matching approach to distributed wireless network security system,”
*International Journal of Network Security*, vol. 16, no. 5, pp. 382–388, 2014. View at Google Scholar - W. Jie, K. Zhou, K. Cui et al., “Evaluation of the task communication performance in wireless sensor networks: a queue theory approach,” in
*Green Computing and Communications, IEEE and Internet of Things, IEEE International Conference on and IEEE Cyber, Physical and Social Computing*, pp. 939–944, IEEE, 2013. - J. P. A. X. Liu and E. Torng, “Bypassing space explosion in regular expression matching for networkintrusion detection and prevention systems,” 2012.
- S. Kumar, S. Dharmapurikar, F. Yu, P. Crowley, and J. Turner, “Algorithms to accelerate multipleregular expressions matching for deep packet inspection,”
*ACM SIGCOMM Computer Communication Review*, vol. 36, no. 4, pp. 339–350, 2006. View at Publisher · View at Google Scholar - T. Liu, Y. Sun, A. X. Liu, L. Guo, and B. Fang, “A preltering approach to regular expression matching for network security systems,” in
*Applied Cryptography and Network Security*, pp. 363–380, Springer, Berlin, Germany, 2012. View at Google Scholar - M. Becchi and P. Crowley, “Efficient regular expression evaluation: Theory to practice,” in
*Proceeding of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS '08)*, pp. 50–59, New York, NY, USA, November 2008. View at Publisher · View at Google Scholar · View at Scopus - S. Kumar, J. Turner, and J. Williams, “Advanced algorithms for fast and scalable deep packet inspection,” in
*Proceedings of the 2nd ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS '06)*, pp. 81–92, ACM, New York, NY, USA, December 2006. View at Publisher · View at Google Scholar · View at Scopus - B. C. Brodle, R. K. Cytron, and D. E. Taylor, “A scalable architecture for high-throughput regular-expression pattern matching,” in
*Proceedings of the 33rd International Symposium on Computer Architecture (ISCA '06)*, pp. 191–202, Boston, Mass, USA, June 2006. View at Publisher · View at Google Scholar · View at Scopus - A. Mitra, W. Najjar, and L. Bhuyan, “Compiling PCRE to FPGA for accelerating SNORT IDS,” in
*Proceedings of the 3rd ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS '07)*, pp. 127–135, ACM, New York, NY, USA, December 2007. View at Publisher · View at Google Scholar · View at Scopus - R. Sidhu and V. K. Prasanna, “Fast regular expression matching using fpgas,” in
*Proceedings of the 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM '01)*, pp. 227–238, IEEE, 2001. - L. Chuan-Lai,
*The Queuing Theory*, Beijing University of Posts and Telecommunications Press, Beijing, China, 2000. - S. S. Mishra and D. K. Yadav, “Cost and profit analysis of Markovian queuing system with two priority classes: a computational approach,”
*International Journal of Applied Mathematics and Computer Sciences*, vol. 5, no. 3, pp. 150–156, 2009. View at Google Scholar - V. Srinivas, S. S. Rao, and B. K. Kale, “Estimation of measures in M/M/1 queue,”
*Communications in Statistics—Theory and Methods*, vol. 40, no. 18, pp. 3327–3336, 2011. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - W. F. Nasrallah, “How pre-emptive priority affects completion rate in an M/M/1 queue with Poisson reneging,”
*European Journal of Operational Research*, vol. 193, no. 1, pp. 317–320, 2009. View at Publisher · View at Google Scholar · View at Scopus - A. Al Hanbali and O. Boxma, “Busy period analysis of the state dependent $M/M/1/K$ queue,”
*Operations Research Letters*, vol. 38, no. 1, pp. 1–6, 2010. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus