It is becoming increasingly common for network devices to handle packets based on the contents of packet payloads. Example applications include intrusion detection, firewalls, web proxies, and layer seven switches. This paper analyzes the problem of intrusion detection and its reliance on fast string matching in packets. We show that the problem can be restructured to allow the use of more efficient string matching algorithms that operate on sets of patterns in parallel. We then introduce and analyze a new string matching algorithm that has average-case performance that is better than the best theoretical algorithm (Aho-Corasick) and much better than the currently deployed algorithm (multiple iterations of Boyer-Moore). Finally, we implement these algorithms in the popular intrusion detection platform Snort and analyze their relative performance on actual packet traces. Our results provide lessons on the structuring of content-based handlers, string matching algorithms in general, and the importance of performance to security.