Fast Content-Based Packet Handling for Intrusion Detection

It is becoming increasingly common for network devices to handle packets based on the contents of packet payloads. Example applications include intrusion detection, firewalls, web proxies, and layer seven switches. This paper analyzes the problem of intrusion detection and its reliance on fast string matching in packets. We show that the problem can be restructured to allow the use of more efficient string matching algorithms that operate on sets of patterns in parallel. We then introduce and analyze a new string matching algorithm that has average-case performance that is better than the best theoretical algorithm (Aho-Corasick) and much better than the currently deployed algorithm (multiple iterations of Boyer-Moore). Finally, we implement these algorithms in the popular intrusion detection platform Snort and analyze their relative performance on actual packet traces. Our results provide lessons on the structuring of content-based handlers, string matching algorithms in general, and the importance of performance to security.
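The restructuring the abstract describes, as an added example that is not code from the paper or from Snort: the rule set's content strings are compiled once into an Aho-Corasick keyword automaton and each payload is scanned in a single pass, beside the per-pattern approach of running a single-keyword Boyer-Moore-Horspool search once for every pattern. The pattern set and payload are constructed sample data, and the comparison counters are instrumentation added here to make the scaling visible, not the paper's measurements; the paper's own new algorithm is not reproduced.

```python
"""Multi-pattern payload matching: one Aho-Corasick pass over a pattern set
versus one Boyer-Moore-Horspool pass per pattern.

Added illustration, not code from the paper or from Snort. PATTERNS and
PAYLOAD are constructed sample data; the comparison counts are an
instrumented approximation of work done, not a benchmark.
"""
from collections import deque


class AhoCorasick:
    """Keyword automaton: built once per rule set, scans each payload once."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[state][byte] -> next state (trie edges)
        self.fail = [0]    # failure link per state
        self.out = [[]]    # patterns that end at each state
        for p in patterns:
            self._insert(p)
        self._build_failure_links()

    def _insert(self, pattern):
        state = 0
        for b in pattern:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append(pattern)

    def _build_failure_links(self):
        # Breadth-first so that every state's failure target (a shallower
        # state) is finished before the state itself is processed.
        q = deque(self.goto[0].values())  # depth-1 states fail to the root
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, payload):
        """Return (matches, comparisons); matches are (offset, pattern)."""
        matches, comparisons, state = [], 0, 0
        for i, b in enumerate(payload):
            while state and b not in self.goto[state]:
                state = self.fail[state]
                comparisons += 1
            state = self.goto[state].get(b, 0)
            comparisons += 1
            for p in self.out[state]:
                matches.append((i - len(p) + 1, p))
        return matches, comparisons


def horspool_search(payload, pattern):
    """Single-keyword Boyer-Moore-Horspool; returns (offsets, comparisons)."""
    m, n = len(pattern), len(payload)
    # Shift for each byte in the pattern (except the last): distance to the end.
    skip = {b: m - k - 1 for k, b in enumerate(pattern[:-1])}
    matches, comparisons, i = [], 0, 0
    while i <= n - m:
        j = m - 1
        while j >= 0:            # compare right to left
            comparisons += 1
            if payload[i + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            matches.append(i)
        i += skip.get(payload[i + m - 1], m)
    return matches, comparisons


def scan_per_pattern(payload, patterns):
    """The deployed approach the abstract refers to: one search per pattern."""
    matches, comparisons = [], 0
    for p in patterns:
        offs, c = horspool_search(payload, p)
        comparisons += c
        matches.extend((o, p) for o in offs)
    return matches, comparisons


# Constructed sample rule-set content strings and one constructed payload.
PATTERNS = [b"/cgi-bin/", b"passwd", b"../..", b"cmd.exe", b"SELECT "]
PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: example.test\r\n\r\n"


def compare(payload=PAYLOAD, patterns=PATTERNS):
    """Run both approaches; return sorted matches and comparison counts."""
    ac_matches, ac_cmp = AhoCorasick(patterns).search(payload)
    bm_matches, bm_cmp = scan_per_pattern(payload, patterns)
    return {"ac": (sorted(ac_matches), ac_cmp),
            "bmh": (sorted(bm_matches), bm_cmp)}


if __name__ == "__main__":
    for name, (found, cmp_count) in compare().items():
        print(name, cmp_count, found)
```

Both approaches report the same offsets; the difference is in how the work scales. The per-pattern loop's comparison count grows with the number of rules, while the automaton's count is bounded by twice the payload length regardless of how many patterns it holds, which is the property that makes set-wise matching attractive as rule sets grow.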
