AC-Suffix-Tree: Buffer Free String Matching on Out-of-Sequence Packets

Authors:
Xinming Chen;Kailin Ge;Zhen Chen;Jun Li
Affiliations:
-;-;-;-
Venue:
Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems
Year:
2011

Citing 9
Cited 1

Packet reordering is not pathological network behavior

IEEE/ACM Transactions on Networking (TON)
Efficient string matching: an aid to bibliographic search

Communications of the ACM
Introduction to Algorithms

Introduction to Algorithms
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Detecting evasion attacks at high speeds without reassembly

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Algorithms on Strings

Algorithms on Strings
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Robust TCP stream reassembly in the presence of adversaries

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Efficient and Robust TCP Stream Normalization

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy

Towards adaptive character frequency-based exclusive signature matching scheme and its applications in distributed intrusion detection

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.02

Visualization

Abstract

TCP and IP fragmentation can be used to evade signature detection at Intrusion Detection/Prevention System (IDS / IPS). Such fragments may arrive out-of-sequence to escape from being detected by the string matching algorithm of IDS / IPS. The common defense is buffering and reassembling packets. However, buffering of out-of-sequence packets can become impractical on high speed links due to limited fast memory capacity, especially when the concurrent flows are in large quantity, or extremely disordered in circumstances such as attacks. So such buffering strategy is vulnerable to memory exhausting denial of service (DoS). In this paper, AC-Suffix-Tree, a buffer free scheme for string matching is proposed, which detects patterns across out-of-sequence packets without buffering and reassembly. This novel algorithm associates the classical Aho-Corasick (AC) algorithm with a pattern suffix tree to search patterns with only the state numbers of AC automaton and suffix tree stored. It demands significantly less memory than buffering the packets themselves. Therefore the IDS can resist memory exhausting DoS attack. AC-Suffix-Tree consumes 1-2 orders of magnitude less memory than buffering the entire packet, and it has the same temporal complexity as AC algorithm when there are no out-of-sequence packets.