Cybershark & NotFakeAccount
NotFakeAccount
Hey Cybershark, I’ve been wrestling with a way to isolate malicious packets in a high‑traffic stream without dropping legitimate traffic. Got any efficient pattern‑matching tricks up your sleeve?
Cybershark
Use a two‑stage filter: first a quick Bloom filter to screen out obvious clean packets, then a deterministic finite automaton built with Aho‑Corasick for the known malicious signatures. Keep the signature database lean, rotate it often, and only trigger deep inspection when the DFA reports a match. Add a lightweight anomaly detector that watches packet size, timing, and header patterns—if something deviates from the baseline, flag it for a full DPI pass. That way you preserve legitimate traffic while still catching the bad packets before they hit the core.