Content-Split Based Effective String-Matching for Multi-Core Based Intrusion Detection Systems

We present a Content Split Approach (CSA), tailored specifically for signature-based network intrusion detection. The algorithm logically partitions the content of IP packets into three parts and internally uses the Boyer-Moore-Horspool algorithm to carry out string matching simultaneously on these parts. Traditionally, skip-based pattern-matching algorithms use a single sliding window moving from left to right to detect the pattern to be matched, whereas CSA uses two sliding windows of the pattern simultaneously: one moving to the right from the start position towards the middle of the string, and the second starting from the middle and moving towards the end of the string. If neither of these moving windows finds a match, CSA evaluates the middle of the string. In this paper, we first present our approach and experiments, then an extension for jumbo frames, and finally the application of our algorithm to a multi-core-based intrusion detection system.
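The scheme described in the abstract, as an added Python sketch that is not the authors' code: two Horspool windows advance in lock-step over the two halves of the payload, and the alignments straddling the midpoint are checked last. Splitting at the exact midpoint, reading "the middle" as those straddling alignments, and the names `csa_search`, `horspool_step` and `scan` are assumptions; the payload and signatures are constructed.

```python
def shift_table(pattern: bytes) -> dict:
    """Horspool bad-character table, keyed by the byte under the window's last cell."""
    m = len(pattern)
    return {byte: m - 1 - k for k, byte in enumerate(pattern[:-1])}

def horspool_step(payload, pattern, shift, pos):
    """Test one alignment; return (matched, pos) on a hit, else (False, next_pos)."""
    m = len(pattern)
    if payload[pos:pos + m] == pattern:
        return True, pos
    return False, pos + shift.get(payload[pos + m - 1], m)

def csa_search(payload: bytes, pattern: bytes) -> int:
    """Return the offset of some occurrence of pattern in payload, or -1."""
    n, m = len(payload), len(pattern)
    if m == 0 or m > n:
        return -1
    shift = shift_table(pattern)
    mid = n // 2                # assumed split point
    a, a_last = 0, mid - m      # window 1: alignments fully inside payload[:mid]
    b, b_last = mid, n - m      # window 2: alignments fully inside payload[mid:]
    while a <= a_last or b <= b_last:   # advance both windows in lock-step
        if a <= a_last:
            hit, a = horspool_step(payload, pattern, shift, a)
            if hit:
                return a
        if b <= b_last:
            hit, b = horspool_step(payload, pattern, shift, b)
            if hit:
                return b
    # Third part: alignments straddling the midpoint, which neither window covers.
    c, c_last = max(0, mid - m + 1), min(mid - 1, n - m)
    while c <= c_last:
        hit, c = horspool_step(payload, pattern, shift, c)
        if hit:
            return c
    return -1

# Constructed sample payload and signatures (not taken from the paper).
PAYLOAD = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\nHost: example.test\r\n\r\n"
SIGNATURES = [b"cmd.exe", b"GET /", b"HTTP/1.0", b"example.test", b"/etc/passwd"]

def scan(payload: bytes, signatures):
    """Map each signature to a match offset (-1 when absent)."""
    return {sig: csa_search(payload, sig) for sig in signatures}

if __name__ == "__main__":
    for sig, off in scan(PAYLOAD, SIGNATURES).items():
        print(sig, off)
```

Because the two windows interleave, the offset returned is the first hit found, which is not necessarily the leftmost occurrence; for a signature check that only needs presence, this does not matter.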
