A fast pattern matching algorithm with multi-byte search unit for high-speed network security
作者: Yoon-Ho Choi , Moon-Young Jung , Seung-Woo Seo
DOI: 10.1016/J.COMCOM.2011.03.014
关键词:
摘要: A signature-based intrusion detection system identifies intrusions by comparing the data traffic with known signature patterns. In this process, matching of packet strings against patterns is most time-consuming step and dominates overall performance. Many network systems (NIDS), e.g., Snort, employ one or multiple pattern algorithms to detect attack types. So far, many have been proposed. Most them use single-byte standard unit for search, while a few such as Modified Wu-Manber (MWM) algorithm typically two-byte unit, which guarantees better performance than others even number different signatures increases. Among those algorithms, MWM has fastest when in rule set rarely appear packets. However, time increases length shortest group decreases. paper, extending pattern, we minimize uses multi-byte unit. We propose new called L^+^1-MWM multi-pattern matching. The proposed minimizes degradation that originated from dependency on pattern. show improves much 20% average under various lengths normal conditions. Moreover, less 5, shows 38.87% enhancement average. also conduct experiments real campus 12.48% obtained addition, it shown provides 25% numbers conditions, 20.12% on-line traffic.
acm.org
elsevier.com
sci-hub.se 参考文章(20)
Udi Manber, Sun Wu, A FAST ALGORITHM FOR MULTI-PATTERN SEARCHING ,(1999)
Mike Fisk, George Varghese, Fast Content-Based Packet Handling for Intrusion Detection University of California at San Diego. ,(2001) , 10.21236/ADA406413
Giorgos Vasiliadis, Michalis Polychronakis, Spiros Antonatos, Evangelos P. Markatos, Sotiris Ioannidis, Regular Expression Matching on Graphics Hardware for Intrusion Detection recent advances in intrusion detection. pp. 265- 283 ,(2009) , 10.1007/978-3-642-04342-0_14
Beate Commentz-Walter, A String Matching Algorithm Fast on the Average international colloquium on automata, languages and programming. pp. 118- 132 ,(1979) , 10.1007/3-540-09510-1_10
Martin Roesch, Snort - Lightweight Intrusion Detection for Networks usenix large installation systems administration conference. pp. 229- 238 ,(1999)
Daniele Paolo Scarpazza, Oreste Villa, Fabrizio Petrini, Exact multi-pattern string matching on the cell/b.e. processor Proceedings of the 2008 conference on Computing frontiers - CF '08. pp. 33- 42 ,(2008) , 10.1145/1366230.1366237
Donald E Knuth, James H Morris, Jr, Vaughan R Pratt, Fast Pattern Matching in Strings SIAM Journal on Computing. ,vol. 6, pp. 323- 350 ,(1977) , 10.1137/0206024
Rong-Tai Liu, Nen-Fu Huang, Chih-Hao Chen, Chia-Nan Kao, A fast string-matching algorithm for network processor-based intrusion detection system ACM Transactions in Embedded Computing Systems. ,vol. 3, pp. 614- 633 ,(2004) , 10.1145/1015047.1015055
Alberto Apostolico, Raffaele Giancarlo, The Boyer Moore Galil string searching strategies revisited SIAM Journal on Computing. ,vol. 15, pp. 98- 105 ,(1986) , 10.1137/0215007
C.J. Coit, S. Staniford, J. McAlerney, Towards faster string matching for intrusion detection or exceeding the speed of Snort darpa information survivability conference and exposition. ,vol. 1, pp. 367- 373 ,(2001) , 10.1109/DISCEX.2001.932231