LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3785/j.issn.1008-973x.2006.10.009

2006-01-01

Abstract:A pre-decision detection engine to mitigate false positives generated by signature-based network intrusion detection system and improve the performance of processing packets was proposed.By utilizing hosts'software information on monitored network,predecision detection engine makes a decision before pattern match to filter out unnecessary rules,which minimizes average pattern-match times for each packet,and reduces false positives and improves performance as a result.Experimental results showed that pre-decision detection engine can decrease false positives and improve the performance of processing packets,without increasing the false negative rate.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Chao Kong,Bo Yang,Zhiping Jia,Zhenxiang Chen

DOI: https://doi.org/10.1109/MINES.2009.66

2009-01-01

Abstract:An Intrusion Detection System (IDS) implements pattern matching approach on the network traffic to find the malicious packets carrying attack signatures. In this paper, a common Field Programmable Gate Array (FPGA) based on-board hardware architecture which is compatible with both ordinary string and Perl Compatible Regular Expression (PCRE) pattern matching is proposed to accelerate IDS. Furthermore, a flexible storage structure which is suitable for many general hardware matching algorithms and an optimized combinational logic circuit structure for PCRE matching are designed. With the synchronization of a connection decoder, ordinary string matching module coordinates with PCRE matching module to implement string-PCRE mixed rule.

杨武,方滨兴,云晓春,张宏莉

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.13.038

2004-01-01

Abstract:The performance of a signature-matching-based network intrusion detection system (NIDS) is dominated by pattern matching algorithm. Based on the profile of the popular NIDS-snort, this paper studies how to utilize different efficient pattern matching algorithms to optimize the performance of snort. It mainly presents a multi-pattern matching algorithm based on the idea of BM algorithm-SSPBM algorithm. The result shows SSPBM algorithm can greatly improve the detecting performance of NIDS.

Xiaofei Wang,Junchen Jiang,Wei Lin,Yi Tang,Xiaojun Wang,Bin Liu

DOI: https://doi.org/10.1109/iccomta.2009.5349207

2009-01-01

Abstract:Deep packet inspection at high speed has become extremely important due to its application in a wide range of network applications, such as network security and network monitoring. Network intrusion detection system (NIDS) uses a collection of signatures of known security threats and viruses to scan the payload of each packet. Signatures are often specified in the form of regular expressions (regex), called patterns, which are traditionally implemented as finite automata. Deterministic finite automata (DFA) is fast, but requires prohibitive amounts of memory which limits their practical use. Instead of matching an incoming packet with each individual regex in a ruleset, we match the packet with a fixed substring, called fingerprint, of a regex first. Fixed string matching is faster and consumes less energy than regex matching. The fact is that if a packet does not match with the fingerprint of a regex, it will not match the regex itself. So fingerprints can be used in a prefilter engine to filter out those packets and do not match any of the fingerprints of the regex in a rule set, which represents normal non-malicious traffic. This actually reduces the number of regex rules being matched, which results in increased throughput of the NIDS. We present a weight scheme to extract a good fingerprint from a regex. A good fingerprint is the one that not only indicates the regex uniquely, but also occurs as less as possible in the matching procedure. We demonstrate how to use fingerprints for efficient prefiltering by means of Bloom filters in practice.

张邈,徐辉,潘爱民

DOI: https://doi.org/10.3969/j.issn.1000-3428.2003.19.041

2003-01-01

Abstract:The efficiency of content-based intrusion detection systems, the structure of the signature library, the string matching algorithms and the analysis of application level protocols, has been regarded as the most crucial topic for extensive research. This paper introduces SpeedlDS, an efficient experimental content-based IDS. After an overview on several important aspects of design and implementation in which SpeedlDS distinguishes itself from other IDSs are particularly discussed. Experiments are also presented to test the effectiveness and results are proved promising by excelling Snort, a famous and widely used IDS.

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Chun Jason Xue,Meilin Liu,QingFeng Zhuge,Edwin Hsing-Mean Sha

DOI: https://doi.org/10.1007/s11265-008-0279-2

2008-01-01

Journal of Signal Processing Systems

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stopping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matching for a packet is completed in O(N log M) time where N is the size of the packet and M is the longest pattern length. Implementation is done on a standard off-the-shelf field-programmable gate array. Comparison with the other techniques shows promising results.

吕锡香,杨波,裴昌幸,苏晓龙

DOI: https://doi.org/10.3969/j.issn.1001-2400.2004.04.020

2004-01-01

Journal of Xidian University

Abstract:We discuss our research in developing the detection engine of the intrusion detection system. The key ideas are to combine the slide window into the data mining technique to design the base detection engine which is the essential share of the meta detection engine. In addition, Apriori, a kind of data mining algorithm, is improved to mine network data. The improved algorithm does not scan all items in database and only links the items in the same list, so the detection efficiency is improved greatly. Also, other key details in IDS are put forward.

Liang Hu,Kuo Tang,Yu Ku,Kuo Zhao

DOI: https://doi.org/10.4156/jcit.vol5.issue3.13

2010-01-01

Abstract:With the development of high-speed network technique and increasing volume of network traffic, traditional pattern matching method can’t adapt to the new challenges to intrusion detection. To solve this, protocol analysis is introduced into the procedure of intrusion detection, and it has advantages such as the capability of detailed command parsing, attack detection and protocol acknowledgement against fragment attacks, the lower false positives and high performance. By the integration with pattern matching, intrusion detection technology based on protocol analysis may significantly reduce the amount of computation and improve the efficiency of packet analysis as well as the detection rates.

Yu -tong Guo,Yang Gao,Yan Wang,Meng-yuan Qin,Yu-jie Pu,Zeng Wang,Dan-dan Liu,Xiang-jun Chen,Tian-fng Gao,Ting-ting Lv,Zhong-chuan Fu

DOI: https://doi.org/10.1016/j.proeng.2017.01.276

2017-01-01

Procedia Engineering

Abstract:A malicious behavior detection approach which combines both the DPI (Deep Packet Inspection) and DFI (Deep Flow Inspection) is proposed, namely DPI & DFI. For the DPI & DFI method an outlier data mining method is employed. The fine-grained DPI is suitable for plaintext traffic, while DFI is a complementary for encrypted or emerging traffic. The collaborative detection approach includes three phases: DPI detection, DFI detection & comparison, and feedback. In present work, the C4.5 data-mining decision tree is adopted as classifier. The KDD Cup’99 benchmark is used and representative attack categories such as Probing, DOS, R2L (Remote to User) and U2R (User to Root) are evaluated. In-depth analysis demonstrates that the U2R and R2L attack categories lead to lower detection rate, and in particular the attack types contribute most are put forward. In future work, some other types of classifiers suitable to R2L and U2R attack categories should be investigated.

FEI Hong-xiao,DAI Hong-wei,LIU Bin

DOI: https://doi.org/10.3969/j.issn.1009-2552.2007.03.001

2007-01-01

Abstract:The paper designs a network IDS framework.It deeply probes into the packet capture module,packet filter module and protocol analysis module of a IDS.It implements a routine to analyze the important protocols in the TCP/IP protocol stack,such as Ethernet,IP,TCP,UDP and HTTP,on the basis of the Winpcap library and its BPF mechanism to capture and filter data on the network interface card.

Chun Jason Xue,Zili Shao,Meilin Liu,Qingfeng Zhuge,Edwin H. -M. Sha

DOI: https://doi.org/10.1007/978-3-540-77092-3_8

2007-01-01

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stepping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matchings are completed in O(log M) time where M is the longest pattern length. Implementation is done on a standard off-the-shelf FPGA. Comparison with the other techniques shows promising results.

Weicheng Qiu,Yinghua Ma,Xiuzhen Chen,Haiyang Yu,Lixing Chen

DOI: https://doi.org/10.1016/j.cose.2022.102709

IF: 5.105

2022-01-01

Computers & Security

Abstract:Cyber-attacks are becoming increasingly sophisticated, posing greater challenges in accurately detecting intrusions. Failure to prevent intrusions could degrade the credibility of security services. Intrusion Detection System (IDS) is one of the most effective paradigms to identify attack behaviors. This paper proposes a novel hybrid intrusion detection system called DST-IDS. The proposed method employs both packet-based and flow-based intrusion detection techniques and combines them with Dempster-Shafer Theory (DST). DST-IDS has an ensemble-like framework. It takes both traffic flows and their first N packets as inputs; flow-based IDS aims to predict traffic flows and packet-based IDS detects attacks in the corresponding packets; DST is then applied to fuse predictions of flow-based IDS and packet-based IDS to a final detection result. We also design a novel data collection/processing tool in DST-IDS to reduce the data volume required to perform intrusion detection and enable early detection. In addition, DST-IDS is designed to work with heterogeneous data distribution where the distribution of the training dataset can differ from the data distribution during implementation. This property drastically improves the practicality of DST-IDS. We run experiments on public datasets and real networks to evaluate the proposed method. The experimental results show that DST-IDS outperforms state-of-the-art benchmarks in terms of intrusion detection accuracy and detection speed. Particularly, DST-IDS provides real-time detection in real networks and handles well heterogeneous data distribution.

Xu Kefu,Qi Deyu,Qian Zhengping,Zheng Weiping

DOI: https://doi.org/10.1109/icnsc.2008.4525325

2008-01-01

Abstract:High-speed packet content inspection and filtering devices rely on a fast multi-pattern matching algorithm which is used to detect predefined keywords or signatures in the packets. These signature sets are large (e.g., thousands) and complex. Multi-pattern matching is known to require intensive memory accesses and is often a performance bottleneck. Another problem is how to update the inconstant rule set from new attacks without halting the inspection. Hence, specialized fast dynamic pattern matching algorithms scalable for long rules are required for on-line speed deep packet inspection. We proposed a fast dynamic deep packet inspection algorithm using two pipelines which was flexible loosely coupled framework. In the fast pipeline, multiple parallel Counting Bloom filter engines which can perform fast dynamic query were adopted to achieve high throughput. Based on the principle of locality of programs, we set a threshold length for the scalability for long rules. In the relatively slow pipeline, we adopted dynamic pattern matching algorithm to distinguish the suspicious packet came from the fast pipeline. The analysis and the evaluation show that the high throughput of the algorithm can satisfy the wire speed dynamic inspection requirement when the low resource consumption further improves the scalability.

Monther Aldwairi,Yahya Flaifel,Khaldoon Mhaidat

DOI: https://doi.org/10.48550/arXiv.2003.00405

2020-03-01

Cryptography and Security

Abstract:Network intrusion detection systems and antivirus software are essential in detecting malicious network traffic and attacks such as denial-of-service and malwares. Each attack, worm or virus has its own distinctive signature. Signature-based intrusion detection and antivirus systems depend on pattern matching to look for possible attack signatures. Pattern matching is a very complex task, which requires a lot of time, memory and computing resources. Software-based intrusion detection is not fast enough to match high network speeds and the increasing number of attacks. In this paper, we propose special purpose hardware for Wu-Manber pattern matching algorithm. FPGAs form an excellent choice because of their massively parallel structure, reprogrammable logic and memory resources. The hardware is designed in Verilog and implemented using Xilinx ISE. For evaluation, we dope network traffic traces collected using Wireshark with 2500 signatures from the ClamAV virus definitions database. Experimental results show high speed that reaches up to 216 Mbps. In addition, we evaluate time, device usage, and power consumption.

Dong Ma,Yongjun Wang,Zhenlong Fu

DOI: https://doi.org/10.1016/j.proeng.2011.08.657

2011-01-01

Abstract:Research in network security, with the attacks becoming more frequent, increasing complexity means, for the large-scale network intrusion detection, this paper presents a warning by analyzing the behavior of the log, the contents of the relevant association, through the DHT(Distributed Hash Table) distributed architecture, the Collabarative matching, fusion, and ultimately determine the method of attack paths. First, by improving the classical Apriori algorithm, greatly improving the efficiency of the association. At the same time, through the behavior pattern matching algorithms to extract information about the behavior of the alert and the behavior sequence elements to match the template, and through the right path to finally determine the value of the threat of the network path. After the design of a DHT network, the distributed collaborative match the path used to find complex network attacks. Finally, the overall algorithm flow, proposed a complete threat detection system architecture. (C) 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of [CEIS2011]

Rongmao Chen,Linbo Qiao,Bofeng Zhang,Zhenghu Gong

DOI: https://doi.org/10.2991/iccnce.2013.138

2013-01-01

Abstract:As the network threats nowadays turn to be more intricate and diversiform, traditional intrusion detection methods are facing with the challenges of lacking flexibility because that they are just code-actual. This paper summarizes the common correlating features exhibited by the network events from the perspective of the detector, and proposes a detection framework which can be used to detect various network threats.After having a static scanning of the threats pattern library, it loads and initials the data structure of threat behaviors, and then utilizes the scheme of event driven to deal with the network event streams. Finally, it logs and calls the related function to query the threat behavior states. The formalization analysis shows that this framework has high flexibility and expansibility to adapt to the evolvement of network threat behaviors.

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

LIU Bo-yan,QUAN Cheng-bin,ZHAO You-jian

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.07.003

2012-01-01

Abstract:Traditional Deep Packet Inspection algorithm suffers from throughput bottleneck,fuzzy matching or unfeasible requirement of hardware memory.This paper proposes a novel exact string matching scheme called Bloom Filter Classifier,which uses hash and multiple bloom filters to classify the input string and locates the only probable signature on each length,and then conducts verification.Evaluation with Snort and ClamAV string sets shows that BFC costs only 1.22 Byte/Character memory and provides exact matching result without throughput bottleneck.