Single-Keyword Pattern Matching Algorithms for Network Intrusion Detection System

The Network Intrusion Detection System (NIDS) is an important part of any modern network. One of the important processes in a NIDS is inspecting individual packets in network traffic and deciding whether these packets carry any malicious activity. This process, called content matching, is done via string matching algorithms and is considered the heart of the NIDS. The content matching phase consumes most of the processing time inside the NIDS and slows down around 70% of NIDS performance. In this case, it is difficult for the NIDS to distinguish between normal and abnormal network packets, and it consequently drops a number of network packets. New algorithms are needed to enhance the matching, since an enormous number of packets pass through the network every second. In this paper we present a survey of single-keyword pattern matching algorithms for NIDS.
