Rule Indexing for Efficient Intrusion Detection Systems

As the use of the Internet has increased tremendously, the network traffic involved in malicious activities has also grown significantly. To detect and classify such malicious activities, Snort, the open-source network intrusion detection system, is widely used. Snort examines each incoming packet against all Snort rules to detect potentially malicious packets. Because the proportion of malicious packets is usually small, examining every incoming packet against all Snort rules is inefficient. In this paper, we apply two indexing methods to Snort rules, Prefix Indexing and Random Indexing, to reduce the number of rules that must be examined per packet. We also present experimental results for the indexing methods.
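The following is an added illustration of the rule-indexing idea, not code from the paper: a constructed Snort-style rule set is indexed by the first k bytes of each rule's content pattern, so that a packet payload is verified only against rules whose prefix actually occurs in it. The key length, the toy rules and the treatment of rules shorter than the key are assumptions made for this example; the abstract does not define the paper's Prefix Indexing scheme in this detail, and Random Indexing is not modeled here.

```python
"""Added example (not the paper's code): prefix-index Snort-style content
rules to cut the number of rules examined per packet.  The indexing scheme,
key length and rule set below are constructed assumptions for illustration."""

from collections import defaultdict
from dataclasses import dataclass

PREFIX_LEN = 3  # assumed index key length (first k bytes of 'content:')


@dataclass(frozen=True)
class Rule:
    sid: int        # Snort rule id
    content: bytes  # the rule's 'content:' literal, simplified to one pattern


# Constructed toy rule set resembling Snort content patterns (not real rules).
RULES = [
    Rule(1000001, b"GET /cgi-bin/"),
    Rule(1000002, b"GET /admin"),
    Rule(1000003, b"/etc/passwd"),
    Rule(1000004, b"cmd.exe"),
    Rule(1000005, b"USER root"),
    Rule(1000006, b"PASS "),
    Rule(1000007, b".."),  # shorter than PREFIX_LEN: cannot be prefix-indexed
]

# Constructed sample payload for the demonstration.
SAMPLE_PAYLOAD = b"GET /cgi-bin/test.cgi?file=/etc/passwd HTTP/1.0"


def build_prefix_index(rules, k=PREFIX_LEN):
    """Map the first k bytes of each content pattern to the rules sharing it.

    Rules whose pattern is shorter than k cannot be keyed safely, so they are
    returned separately and must always be examined (the conservative choice:
    indexing may only prune rules that provably cannot match)."""
    index = defaultdict(list)
    short_rules = []
    for r in rules:
        if len(r.content) < k:
            short_rules.append(r)
        else:
            index[r.content[:k]].append(r)
    return dict(index), short_rules


def match_all(payload, rules):
    """Baseline: test every rule against the payload.
    Returns (matched sids, number of rule checks performed)."""
    hits = [r.sid for r in rules if r.content in payload]
    return hits, len(rules)


def match_indexed(payload, index, short_rules, k=PREFIX_LEN):
    """Slide a k-byte window over the payload; only rules whose key equals the
    window are verified, and verification is anchored at that offset.
    Returns (matched sids, number of rule checks performed)."""
    hits = set()
    examined = 0
    for i in range(len(payload) - k + 1):
        for r in index.get(payload[i:i + k], ()):
            examined += 1
            if payload.startswith(r.content, i):
                hits.add(r.sid)
    # Fallback: rules too short to index are checked unconditionally.
    for r in short_rules:
        examined += 1
        if r.content in payload:
            hits.add(r.sid)
    return sorted(hits), examined


if __name__ == "__main__":
    idx, short = build_prefix_index(RULES)
    print("naive   :", match_all(SAMPLE_PAYLOAD, RULES))
    print("indexed :", match_indexed(SAMPLE_PAYLOAD, idx, short))
```

Both matchers report the same alerts for the sample payload, but the indexed matcher performs 4 rule checks instead of 7; on a real rule set with thousands of content rules the pruning is proportionally larger. The short-rule fallback matters for correctness: an index that silently dropped unindexable rules would create a detection gap rather than a speed-up.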
