Towards adaptive character frequency-based exclusive signature matching scheme and its applications in distributed intrusion detection

Network intrusion detection systems (NIDSs), especially signature-based NIDSs, are widely deployed in distributed network environments to defend against a variety of network attacks. However, signature matching is a key factor limiting the performance of a signature-based NIDS in a large-scale network environment, since its cost is at least linear in the size of the input string. The overhead of processing network packets can greatly reduce the effectiveness of such detection systems and heavily consume computing resources. To mitigate this issue, a more efficient signature matching algorithm is desirable. In this paper, we therefore develop an adaptive character frequency-based exclusive signature matching scheme (named ACF-EX) that improves the signature matching process of a signature-based NIDS. In the experiment, we implemented the ACF-EX scheme in a distributed network environment and evaluated it by comparing its performance with that of Snort. In addition, we apply this scheme to constructing a packet filter that filters out network packets by performing exclusive signature matching on behalf of a signature-based NIDS, which avoids implementation issues and improves the flexibility of the scheme. The experimental results demonstrate that, in the distributed network environment, the proposed ACF-EX scheme reduces the time consumed by signature matching, and that our scheme is promising for constructing a packet filter that reduces the burden on a signature-based NIDS.
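The abstract describes exclusive (exclusion-based) signature matching driven by character frequencies, but not the concrete algorithm. The following is an added illustration, not the paper's ACF-EX implementation: for each signature it remembers the byte that is rarest in recently observed payloads, and if that byte is absent from a packet the signature is excluded without any substring search; only surviving signatures fall back to a full match. The frequency table is re-learned from traffic, which is the "adaptive" part. The class name, the signature set and the payloads are all constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample signature set (hypothetical, not the paper's rule set).
SIGNATURES: List[bytes] = [
    b"/etc/passwd",
    b"cmd.exe",
    b"<script>",
    b"UNION SELECT",
    b"../../",
]


class ExclusiveMatcher:
    """Character-frequency-based exclusive signature matching (assumed design).

    Soundness argument: if some byte of signature s does not occur anywhere in
    payload p, then s cannot be a substring of p, so skipping s is never a
    false negative. Choosing the byte that is rarest in real traffic makes
    that cheap rejection fire as often as possible.
    """

    def __init__(self, signatures: List[bytes], window: int = 64) -> None:
        self.signatures = list(signatures)
        self.window = window                 # number of recent payloads kept for frequency learning
        self.freq: Counter = Counter()       # byte -> number of recent payloads containing it
        self.seen: List[bytes] = []
        # Before any traffic is seen, use the first byte of each signature.
        self.excl: Dict[bytes, int] = {s: s[0] for s in self.signatures}

    def observe(self, payload: bytes) -> None:
        """Update the byte-frequency table with one payload and re-select exclusion bytes."""
        self.seen.append(payload)
        self.freq.update(set(payload))       # presence per payload, not raw byte counts
        if len(self.seen) > self.window:     # slide the window: forget the oldest payload
            self.freq.subtract(set(self.seen.pop(0)))
        for s in self.signatures:
            # Rarest byte of the signature in recent traffic; ties broken by byte value.
            self.excl[s] = min(set(s), key=lambda b: (self.freq[b], b))

    def match(self, payload: bytes) -> Tuple[List[bytes], int]:
        """Return (matched signatures, number of signatures excluded without a full search)."""
        present = set(payload)
        matched, excluded = [], 0
        for s in self.signatures:
            if self.excl[s] not in present:
                excluded += 1                # cheap rejection: a required byte is absent
                continue
            if s in payload:                 # ordinary substring search for the survivors
                matched.append(s)
        return matched, excluded


def run_demo() -> Tuple[List[bytes], int, int]:
    """Learn frequencies from constructed benign traffic, then classify two payloads."""
    m = ExclusiveMatcher(SIGNATURES)
    benign = [  # constructed HTTP-like payloads
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=alice&pass=secret",
    ]
    for p in benign:
        m.observe(p)
    benign_hits, benign_excluded = m.match(benign[0])
    attack_hits, _ = m.match(b"GET /?q=1 UNION SELECT 1,2 HTTP/1.1\r\n")
    return benign_hits, benign_excluded, len(attack_hits)


if __name__ == "__main__":
    print(run_demo())
```

On the constructed traffic, four of the five signatures are rejected for the benign request without any substring search, while the injected `UNION SELECT` payload still reaches the full matcher and is detected; the exclusion step only ever removes signatures that provably cannot match.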
