Exhaust: Optimizing Wu-Manber pattern matching for intrusion detection using Bloom filters

Intrusion detection systems are widely accepted as one of the main tools for monitoring and analyzing host and network traffic to protect data from illegal access or modification. Almost all types of signature-based intrusion detection systems must employ a pattern matching algorithm to inspect packets for malicious signatures. Unfortunately, pattern matching algorithms dominate the execution time and have become the bottleneck. To remedy that, we introduce a new software-based pattern matching algorithm that modifies Wu-Manber pattern matching algorithm using Bloom filters. The Bloom filter acts as an exclusion filter to reduce the number of searches to the large HASH table. The HASH table is accessed if there is a probable match represented by a shift value of zero. On average the HASH table search is skipped 10.6% of the time with a worst case average running time speedup over Wu-Manber of 33%. The maximum overhead incurred on preprocessing time is 1.1% and the worst case increase in memory usage was limited to 0.33%.

[1]  Marti A. Hearst Chapter 2 of the second edition of Modern Information Retrieval Renamed Modern Information Retrieval : The Concepts and Technology behind Search , 2011 .

[2]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[3]  Evangelos P. Markatos,et al.  Generating realistic workloads for network intrusion detection systems , 2004, WOSP '04.

[4]  Sungryoul Lee,et al.  Kargus: a highly-scalable software-based intrusion detection system , 2012, CCS.

[5]  Paul D. Franzon,et al.  Hardware-efficient pattern matching algorithms and architectures for fast intrusion detection , 2006 .

[6]  Robert S. Boyer,et al.  A fast string searching algorithm , 1977, CACM.

[7]  Paul D. Franzon,et al.  Configurable string matching hardware for speeding up intrusion detection , 2005, CARN.

[8]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[9]  Cui Yong,et al.  An improved Wu-Manber multiple patterns matching algorithm , 2006, 2006 IEEE International Performance Computing and Communications Conference.

[10]  Udi Manber,et al.  A FAST ALGORITHM FOR MULTI-PATTERN SEARCHING , 1999 .

[11]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[12]  Daniel Sunday,et al.  A very fast substring search algorithm , 1990, CACM.

[13]  George Varghese,et al.  Carousel: Scalable Logging for Intrusion Prevention Systems , 2010, NSDI.

[14]  John W. Lockwood,et al.  Deep packet inspection using parallel bloom filters , 2004, IEEE Micro.

[15]  Khalil Al-Salem Hardware-efficient pattern matching algorithms and architectures for fast intrusion detection , 2006 .

[16]  Ricardo Baeza-Yates,et al.  Modern Information Retrieval - the concepts and technology behind search, Second edition , 2011 .