Graph-Based Algorithms for Boolean Function Manipulation
IEEE Transactions on Computers
The Compilation of Regular Expressions into Integrated Circuits
Journal of the ACM (JACM)
Efficient string matching: an aid to bibliographic search
Communications of the ACM
The 1999 DARPA off-line intrusion detection evaluation
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Programming Techniques: Regular expression search algorithm
Communications of the ACM
ACM Transactions on Information and System Security (TISSEC)
A Reconfigurable Approach to Packet Filtering
FPL '01 Proceedings of the 11th International Conference on Field-Programmable Logic and Applications
Assisting Network Intrusion Detection with Reconfigurable Hardware
FCCM '02 Proceedings of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Optimal code generation for expression trees
STOC '75 Proceedings of seventh annual ACM symposium on Theory of computing
Active Mapping: Resisting NIDS Evasion without Altering Traffic
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Enhancing byte-level network intrusion detection signatures with context
Proceedings of the 10th ACM conference on Computer and communications security
Firewall Design: Consistency, Completeness, and Compactness
ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
A fast string-matching algorithm for network processor-based intrusion detection system
ACM Transactions on Embedded Computing Systems (TECS)
Shield: vulnerability-driven network filters for preventing known vulnerability exploits
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Scalable Pattern Matching for High Speed Networks
FCCM '04 Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Fast Regular Expression Matching Using FPGAs
FCCM '01 Proceedings of the the 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Language-Based Generation and Evaluation of NIDS Signatures
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
A High Throughput String Matching Architecture for Intrusion Detection and Prevention
Proceedings of the 32nd annual international symposium on Computer Architecture
Towards Automatic Generation of Vulnerability-Based Signatures
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching
Proceedings of the 33rd annual international symposium on Computer Architecture
Algorithms to accelerate multiple regular expressions matching for deep packet inspection
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Fast and memory-efficient regular expression matching for deep packet inspection
Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
Backtracking Algorithmic Complexity Attacks against a NIDS
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An architecture for generating semantics-aware signatures
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Compiling PCRE to FPGA for accelerating SNORT IDS
Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
An improved algorithm to accelerate regular expression evaluation
Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
A hybrid finite automaton for practical deep packet inspection
CoNEXT '07 Proceedings of the 2007 ACM CoNEXT conference
XFA: Faster Signature Matching with Extended Automata
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Deflating the big bang: fast and scalable deep packet inspection with extended finite automata
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Gnort: High Performance Network Intrusion Detection Using Graphics Processors
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
High-Speed Matching of Vulnerability Signatures
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Introduction to Automata Theory, Languages, and Computation
Introduction to Automata Theory, Languages, and Computation
Efficient signature matching with multiple alphabet compression tables
Proceedings of the 4th international conference on Security and privacy in communication netowrks
Efficient regular expression evaluation: theory to practice
Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Improving NFA-based signature matching using ordered binary decision diagrams
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Fast and Scalable Pattern Matching for Network Intrusion Detection Systems
IEEE Journal on Selected Areas in Communications
Fast submatch extraction using OBDDs
Proceedings of the eighth ACM/IEEE symposium on Architectures for networking and communications systems
| Hi-index | 0.00 |
Modern network intrusion detection systems (NIDS) employ regular expressions as attack signatures. Internally, NIDS represent and operate these regular expressions as finite automata. However, finite automata present a well-known time/space tradeoff. Deterministic automata (DFAs) provide fast matching, but DFAs for large signature sets often consume gigabytes of memory because DFA combination results in a multiplicative increase in the number of states. Non-deterministic automata (NFAs) address this problem and are space-efficient, but are several orders of magnitude slower than DFAs. This time/space tradeoff has motivated much recent research, primarily with a focus on improving the space-efficiency of DFAs, often at the cost of reducing their performance. We consider an alternative approach that focuses instead on improving the time-efficiency of NFA-based signature matching. NFAs are inefficient because they maintain a frontier of multiple states at any instant during their operation, each of which must be processed for every input symbol. We introduce NFA-OBDDs, which use ordered binary decision diagrams (OBDDs) to efficiently process sets of NFA frontier states. Experiments using HTTP and FTP signature sets from Snort show that NFA-OBDDs can outperform traditional NFAs by up to three orders of magnitude, thereby making them competitive with a variant of DFAs, while still retaining the space-efficiency of NFAs.