Article

High Speed Pattern Matching for Network IDS/IPS

Authors:

Mansoor Alicherry,

M. Muthuprasanna,

Vijay KumarAuthors Info & Claims

ICNP '06: Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols

Pages 187 - 196

https://doi.org/10.1109/ICNP.2006.320212

Published: 12 November 2006 Publication History

Publisher Site

Abstract

The phenomenal growth of the Internet in the last decade and society s increasing dependence on it has brought along, a floodof security attacks on the networking and computing infrastructure. Intrusion detection/prevention systems provide defensesagainst these attacks by monitoring headers and payload of packets flowing through the network. Multiple string matching thatcan compare hundreds of string patterns simultaneously is a critical component of these systems, and is a well-studied problem.Most of the string matching solutions today are based on the classic Aho-Corasick algorithm, which has an inherent limitation;they can process only one input character in one cycle. As memory speed is not growing at the same pace as network speed,this limitation has become a bottleneck in the current network, having speeds of tens of gigabits per second. In this paper,we propose a novel multiple string matching algorithm that can process multiple characters at a time thus achieving multi-gigabitrate search speeds. We also propose an architecture for an efficient implementation on TCAM-based hardware. We additionallypropose novel optimizations by making use of the properties of TCAMs to significantly reduce the memory requirements of theproposed algorithm. We finally present extensive simulation results of network-based virus/worm detection using real signaturedatabases to illustrate the effectiveness of the proposed scheme.

Cited By

View all

Aldwairi MAlshboul MSeyam A(2018)Characterizing Realistic Signature-based Intrusion Detection BenchmarksProceedings of the 6th International Conference on Information Technology: IoT and Smart City10.1145/3301551.3301591(97-103)Online publication date: 29-Dec-2018
https://dl.acm.org/doi/10.1145/3301551.3301591
Li JPeng HYang EHu CZhong SWang L(2018)Eagle+Future Generation Computer Systems10.1016/j.future.2017.02.00280:C(275-285)Online publication date: 1-Mar-2018
https://dl.acm.org/doi/10.1016/j.future.2017.02.002
Tsai HYang KPeng YLin CTsao YChang MChen T(2015)Energy-efficient non-volatile TCAM search engine design using priority-decision in memory technology for DPIProceedings of the 52nd Annual Design Automation Conference10.1145/2744769.2744836(1-6)Online publication date: 7-Jun-2015
https://dl.acm.org/doi/10.1145/2744769.2744836
Show More Cited By

Recommendations

Using Attack Information to Reduce False Positives in Network IDS
ISCC '06: Proceedings of the 11th IEEE Symposium on Computers and Communications

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce false positives, a network administrator must throughly investigate a lengthy list of ...
IPS: IDS or IPS: what is best?

Intrusion detection systems (IDS) have become one of the most common countermeasures in the network security arsenal. But while other technologies such as firewalls and anti-virus provide proactive protection, most current IDSs are passive; detection of ...
Exploring the Feasibility of Developing a Customized IDS/IPS Security Control for Computer Network Security

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ICNP '06: Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols

November 2006

332 pages

ISBN:1424405939

Publisher

IEEE Computer Society

United States

Publication History

Published: 12 November 2006

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

11
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 20 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Aldwairi MAlshboul MSeyam A(2018)Characterizing Realistic Signature-based Intrusion Detection BenchmarksProceedings of the 6th International Conference on Information Technology: IoT and Smart City10.1145/3301551.3301591(97-103)Online publication date: 29-Dec-2018
https://dl.acm.org/doi/10.1145/3301551.3301591
Li JPeng HYang EHu CZhong SWang L(2018)Eagle+Future Generation Computer Systems10.1016/j.future.2017.02.00280:C(275-285)Online publication date: 1-Mar-2018
https://dl.acm.org/doi/10.1016/j.future.2017.02.002
Tsai HYang KPeng YLin CTsao YChang MChen T(2015)Energy-efficient non-volatile TCAM search engine design using priority-decision in memory technology for DPIProceedings of the 52nd Annual Design Automation Conference10.1145/2744769.2744836(1-6)Online publication date: 7-Jun-2015
https://dl.acm.org/doi/10.1145/2744769.2744836
Huang KDing LXie GZhang DLiu ASalamatian KNajjar WYavatkar RRixner S(2013)Scalable TCAM-based regular expression matching with compressed finite automataProceedings of the ninth ACM/IEEE symposium on Architectures for networking and communications systems10.5555/2537857.2537868(83-94)Online publication date: 21-Oct-2013
https://dl.acm.org/doi/10.5555/2537857.2537868
Chen CWang S(2013)An efficient multicharacter transition string-matching engine based on the aho-corasick algorithmACM Transactions on Architecture and Code Optimization10.1145/2541228.254123210:4(1-22)Online publication date: 1-Dec-2013
https://dl.acm.org/doi/10.1145/2541228.2541232
Lin CChang S(2011)Efficient pattern matching algorithm for memory architectureIEEE Transactions on Very Large Scale Integration (VLSI) Systems10.1109/TVLSI.2009.202834619:1(33-41)Online publication date: 1-Jan-2011
https://dl.acm.org/doi/10.1109/TVLSI.2009.2028346
Peng KTang SChen MDong Q(2011)Chain-Based DFA Deflation for Fast and Scalable Regular Expression Matching Using TCAMProceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems10.1109/ANCS.2011.13(24-35)Online publication date: 3-Oct-2011
https://dl.acm.org/doi/10.1109/ANCS.2011.13
Kennedy AWang XLiu ZLiu BDe Micheli GAl-Hashimi BMueller WMacii E(2010)Ultra-high throughput string matching for deep packet inspectionProceedings of the Conference on Design, Automation and Test in Europe10.5555/1870926.1871022(399-404)Online publication date: 8-Mar-2010
https://dl.acm.org/doi/10.5555/1870926.1871022
Yang YLe HPrasanna V(2010)High performance dictionary-based string matching for deep packet inspectionProceedings of the 29th conference on Information communications10.5555/1833515.1833533(86-90)Online publication date: 14-Mar-2010
https://dl.acm.org/doi/10.5555/1833515.1833533
Pao DLin WLiu B(2010)A memory-efficient pipelined implementation of the aho-corasick string-matching algorithmACM Transactions on Architecture and Code Optimization10.1145/1839667.18396727:2(1-27)Online publication date: 5-Oct-2010
https://dl.acm.org/doi/10.1145/1839667.1839672
Show More Cited By

Abstract

Cited By

Recommendations

Using Attack Information to Reduce False Positives in Network IDS

IPS: IDS or IPS: what is best?

Exploring the Feasibility of Developing a Customized IDS/IPS Security Control for Computer Network Security

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations