A fast string-matching algorithm for network processor-based intrusion detection system

Authors:
Rong-Tai Liu;Nen-Fu Huang;Chih-Hao Chen;Chia-Nan Kao
Affiliations:
National Tsing-Hua University, Taiwan;BroadWeb Corporation, HsinChu, Taiwan;National Tsing-Hua University, Taiwan;National Tsing-Hua University, Taiwan
Venue:
ACM Transactions on Embedded Computing Systems (TECS)
Year:
2004

Citing 6
Cited 21

A fast string searching algorithm

Communications of the ACM
Efficient string matching: an aid to bibliographic search

Communications of the ACM
Network processors: a perspective on market requirements, processor architectures and embedded S/W tools

Proceedings of the conference on Design, automation and test in Europe
A String Matching Algorithm Fast on the Average

Proceedings of the 6th Colloquium, on Automata, Languages and Programming
Fast Content-Based Packet Handling for Intrusion Detection

Fast Content-Based Packet Handling for Intrusion Detection
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration

A methodology for evaluating runtime support in network processors

Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
A system architecture for high-speed deep packet inspection in signature-based network intrusion prevention

Journal of Systems Architecture: the EUROMICRO Journal
Resource allocation in network processors for network intrusion prevention systems

Journal of Systems and Software
DPICO: a high speed deep packet inspection engine using compact finite automata

Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
Implementing high-speed string matching hardware for network intrusion detection systems

Proceedings of the 16th international ACM/SIGDA symposium on Field programmable gate arrays
Hierarchical multi-pattern matching algorithm for network content inspection

Information Sciences: an International Journal
Deflating the big bang: fast and scalable deep packet inspection with extended finite automata

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Fast Signature Matching Using Extended Finite Automaton (XFA)

ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
High-speed string matching for network intrusion detection

International Journal of Communication Networks and Distributed Systems
Optimized memory based accelerator for scalable pattern matching

Microprocessors & Microsystems
Multi-byte Regular Expression Matching with Speculation

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Variable Length Pattern Matching for Hardware Network Intrusion Detection System

Journal of Signal Processing Systems
Parallel network intrusion detection on reconfigurable platforms

EUC'07 Proceedings of the 2007 international conference on Embedded and ubiquitous computing
Improving NFA-based signature matching using ordered binary decision diagrams

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
A fast pattern matching algorithm with multi-byte search unit for high-speed network security

Computer Communications
Fast, memory-efficient regular expression matching with NFA-OBDDs

Computer Networks: The International Journal of Computer and Telecommunications Networking
MIDeA: a multi-parallel intrusion detection architecture

Proceedings of the 18th ACM conference on Computer and communications security
A high-throughput system architecture for deep packet filtering in network intrusion prevention

ARCS'06 Proceedings of the 19th international conference on Architecture of Computing Systems
Parallel optimization technology for backbone network intrusion detection system

CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
Pattern matching acceleration for network intrusion detection systems

SAMOS'05 Proceedings of the 5th international conference on Embedded Computer Systems: architectures, Modeling, and Simulation
A scalable high-performance virus detection processor against a large pattern set for embedded network security

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network intrusion detection systems (NIDSs) are one of the latest developments in security. The matching of packet strings against collected signatures dominates signature-based NIDS performance. Network processors are also one of the fastest growing segments of the semiconductor market, because they are designed to provide scalable and flexible solutions that can accommodate change quickly and economically. This work presents a fast string-matching algorithm (called FNP) over the network processor platform that conducts matching sets of patterns in parallel. This design also supports numerous practical features such as case-sensitive string matching, signature prioritization, and multiple-content signatures. This efficient multiple-pattern matching algorithm utilizes the hardware facilities provided by typical network processors instead of employing the external lookup co-processors. To verify the efficiency and practicability of the proposed algorithm, it was implemented on the Vitesse IQ2000 network processor platform. The searching patterns used in the present experiments are derived from the well-known Snort ruleset cited by most open-source and commercial NIDSs. This work shows that combining our string-matching methodology, hashing engine supported by most network processors, and characteristics of current Snort signatures frequently improves performance and reduces number of memory accesses compared to conventional string-matching algorithms. Another contribution of this work is to highlight that, besides total number of searching patterns, shortest pattern length is also a major influence on NIDS multipattern matching algorithm performance.