Yi-fan HE,Guo-yin XU,Hai-bin SHEN

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.01.042

2007-01-01

Abstract:In order to improve the performance of pattern-matching module in NIDS, an efficient engine for multi-gigabit rate, line-speed pattern-matching is proposed after analyzing a large amount of related work. By grouping and evenly storing patterns into CAM or TCAM according to their lengths and amount, as well as using payload-switching technique, this engine not only reaches multi-gigabit rate performance, but also has high storage efficiency. System performance can be improved further by using multiple process modules in parallel. In a 200 MHz Clock implementation, system throughput can reach more than 6 Gbit/s.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Chun Jason Xue,Meilin Liu,QingFeng Zhuge,Edwin Hsing-Mean Sha

DOI: https://doi.org/10.1007/s11265-008-0279-2

2008-01-01

Journal of Signal Processing Systems

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stopping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matching for a packet is completed in O(N log M) time where N is the size of the packet and M is the longest pattern length. Implementation is done on a standard off-the-shelf field-programmable gate array. Comparison with the other techniques shows promising results.

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Hang Lint,Weiwei Lint,Jing Lint,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iscc58397.2023.10218028

2023-01-01

Abstract:Pattern matching is an important technology applied to many security applications. Most network service providers choose to compress network traffic for better transmission, which brings the challenges of compressed traffic matching. However, existing works focus on improving the performance of uncompressed traffic matching or only realize the compressed traffic matching on end-host that can not keep pace with the dramatic increase in traffic. In this paper, we present P4CTM, a proof-of-concept method to conduct efficient compressed traffic matching on the programmable data plane. P4CTM uses the two-stage scan scheme to skip some bytes of compressed traffic, the 2-stride DFA combines with the compression algorithm to condense the state space, and the wildcard match to downsize the match action tables in the programmable data plane. The experiment indicates that P4CTM skips 83.10% bytes of compressed traffic, condenses the state space by order of magnitude, and reduces most of the table entries.

Zhichun Li,Gao Xia,Hongyu Gao,Yi Tang,Yan Chen,B. Liu

2010-01-01

Abstract:Accuracy and speed are the two most important metrics for Network Intrusion Detection or Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regexbased NIDS/NIPS systems has become a serious problem. In contrast, the recently-proposed vulnerability signatures [8, 29] (a.k.a. data patches) can exactly describe the vulnerability conditions and achieve better accuracy. However, when applying vulnerability signatures to high speed NIDS/NIPS with a large ruleset, how to efficiently match them is an untouched but challenging issue. This paper presents the design of NetShield, a vulnerability signature based NIDS/NIPS which achieves multigigabit throughput while offering much better accuracy. This is accomplished because of the following contributions: (i) we propose a candidate selection (CS) algorithm which efficiently matches thousands of vulnerability signatures simultaneously requiring a small amount of memory; (ii) we propose a automatic lightweight parsing transition state machine achieving fast protocol parsing; (iii) we implement the NetShield prototype. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale-up to at least 11+Gbps under a 8-core CPU for 794 HTTP vulnerability signatures.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Zhichun Li,Gao Xia,Hongyu Gao,Yi Tang,Yan Chen,Bin Liu,Junchen Jiang,Yuezhou Lv

DOI: https://doi.org/10.1145/1851275.1851216

IF: 1.937

2010-01-01

ACM SIGCOMM Computer Communication Review

Abstract:Accuracy and speed are the two most important metrics for Network Intrusion Detection/Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regex-based NIDS/NIPS systems has become a serious problem. In contrast, the recently-proposed vulnerability signatures [10, 29] (a.k.a. data patches) can exactly describe the vulnerability conditions and achieve better accuracy. However, how to efficiently apply vulnerability signatures to high speed NIDS/NIPS with a large ruleset remains an untouched but challenging issue.This paper presents the first systematic design of vulnerability signature based parsing and matching engine, NetShield, which achieves multi-gigabit throughput while offering much better accuracy. Particularly, we made the following contributions: (i) we proposed a candidate selection algorithm which efficiently matches thousands of vulnerability signatures simultaneously requiring a small amount of memory; (ii) we proposed an automatic lightweight parsing state machine achieving fast protocol parsing. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale-up to at least 11+Gbps under a 8-core machine for 794 HTTP vulnerability signatures. We release our prototype and sample signatures at www.nshield.org.

杨武,方滨兴,云晓春,张宏莉

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.13.038

2004-01-01

Abstract:The performance of a signature-matching-based network intrusion detection system (NIDS) is dominated by pattern matching algorithm. Based on the profile of the popular NIDS-snort, this paper studies how to utilize different efficient pattern matching algorithms to optimize the performance of snort. It mainly presents a multi-pattern matching algorithm based on the idea of BM algorithm-SSPBM algorithm. The result shows SSPBM algorithm can greatly improve the detecting performance of NIDS.

Kai Zheng,Xin Zhang,Zhiping Cai,Zhijun Wang,Baohua Yang

DOI: https://doi.org/10.1109/infcom.2010.5462152

2010-01-01

Abstract:In this paper, we identify the unique challenges in deploying parallelism on TCAM-based pattern matching for Network Intrusion Detection Systems (NIDSes). We resolve two critical issues when designing scalable parallelism specifically for pattern matching modules: 1) how to enable fine-grained parallelism in pursuit of effective load balancing and desirable speedup simultaneously; and 2) how to reconcile the tension between parallel processing speedup and prohibitive TCAM power consumption. To this end, we first propose the novel concept of Negative Pattern Matching to partition flows, by which the number of TCAM lookups can be significantly reduced, and the resulting (fine-grained) flow segments can be inspected in parallel without incurring false negatives. Then we propose the notion of Exclusive Pattern Matching to divide the entire pattern set into multiple subsets which can later be matched against selectively and independently without affecting the correctness. We show that Exclusive Pattern Matching enables the adoption of smaller and faster TCAM blocks and improves both the pattern matching speed and scalability. Finally, our theoretical and experimental results validate that the above two concepts are inherently complementary, enabling our integrated scheme to provide performance gain in any scenario (with either clean or dirty traffic).

SHAO Zong-you,LIU Xing-kui,LIU Xin-chun,SUN Ning-hui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.03.014

2013-01-01

Computer Science

Abstract:As the network bandwidth continuously increases,the network security has been seriously threatened by malicious behaviors and risks.Network intrusion detection system(NIDS) is one of the efficient measures to cope with intrusion threats and protect information security,which employs pattern matching techniques to analyze incoming packe-ts and detect potential threats.However,pattern matching is such a compute-intensive task that most current techniques can't meet the demand of NIDS for backbone networks over 10Gbps speed.We proposed a novel Bloom filter based approach for pattern matching,called PBPM(Parallel-Bloom-filter-based multi-Pattern Matching).PBPM employs multiple copies of the same Bloom filter to carry out parallel matching on different positions of the input text at the same time.The fine-grained parallel approach is able to skip multiple characters per clock when implemented on FPGAs,dramatically improving pattern matching performance.Experimental results on the rule set from Snort 2.9 show that the throughput of PBPM exceeds more than 20Gbps.

Yu Jianming,Xue Yibo,Li Jun

DOI: https://doi.org/10.1016/s1007-0214(07)70137-2

2007-01-01

Tsinghua Science & Technology

Abstract:As the core algorithm and the most time consuming part of almost every modern network intrusion management system (NIMS), string matching is essential for the inspection of network flows at the line speed. This paper presents a memory and time efficient string matching algorithm specifically designed for NIMS on commodity processors. Modifications of the Aho-Corasick (AC) algorithm based on the distribution characteristics of NIMS patterns drastically reduce the memory usage without sacrificing speed in software implementations. In tests on the Snort pattern set and traces that represent typical NIMS workloads, the Snort performance was enhanced 1.48%-20% compared to other well-known alternatives with an automaton size reduction of 4.86-6.11 compared to the standard AC implementation. The results show that special characteristics of the NIMS can be used into a very effective method to optimize the algorithm design.

Monther Aldwairi,Yahya Flaifel,Khaldoon Mhaidat

DOI: https://doi.org/10.48550/arXiv.2003.00405

2020-03-01

Cryptography and Security

Abstract:Network intrusion detection systems and antivirus software are essential in detecting malicious network traffic and attacks such as denial-of-service and malwares. Each attack, worm or virus has its own distinctive signature. Signature-based intrusion detection and antivirus systems depend on pattern matching to look for possible attack signatures. Pattern matching is a very complex task, which requires a lot of time, memory and computing resources. Software-based intrusion detection is not fast enough to match high network speeds and the increasing number of attacks. In this paper, we propose special purpose hardware for Wu-Manber pattern matching algorithm. FPGAs form an excellent choice because of their massively parallel structure, reprogrammable logic and memory resources. The hardware is designed in Verilog and implemented using Xilinx ISE. For evaluation, we dope network traffic traces collected using Wireshark with 2500 signatures from the ClamAV virus definitions database. Experimental results show high speed that reaches up to 216 Mbps. In addition, we evaluate time, device usage, and power consumption.

Likun Liu,Hongli Zhang,Xiangzhan Yu,Yi Xin,Muhammad Shafiq,Mengmeng Ge

DOI: https://doi.org/10.1155/2018/9809345

2018-01-01

Wireless Communications and Mobile Computing

Abstract:During the last decade, rapid development of mobile devices and applications has produced a large number of mobile data which hide numerous cyber-attacks. To monitor the mobile data and detect the attacks, NIDS/NIPS plays important role for ISP and enterprise, but now it still faces two challenges, high performance for super large patterns and detection of the latest attacks. High performance is dominated by Deep Packet Inspection (DPI) mechanism, which is the core of security devices. A new TTL attack is just put forward to escape detecting, such that the adversary inserts packet with short TTL to escape from NIDS/NIPS. To address the above-mentioned problems, in this paper, we design a security system to handle the two aspects. For efficient DPI, a new two-step partition of pattern set is demonstrated and discussed, which includes first set-partition and second set-partition. For resisting TTL attacks, we set reasonable TTL threshold and patch TCP protocol stack to detect the attack. Compared with recent produced algorithm, our experiments show better performance and the throughput increased 27% when the number of patterns is 106. Moreover, the success rate of detection is 100%, and while attack intensity increased, the throughput decreased.

Xu Kefu,Qi Deyu,Qian Zhengping,Zheng Weiping

DOI: https://doi.org/10.1109/icnsc.2008.4525325

2008-01-01

Abstract:High-speed packet content inspection and filtering devices rely on a fast multi-pattern matching algorithm which is used to detect predefined keywords or signatures in the packets. These signature sets are large (e.g., thousands) and complex. Multi-pattern matching is known to require intensive memory accesses and is often a performance bottleneck. Another problem is how to update the inconstant rule set from new attacks without halting the inspection. Hence, specialized fast dynamic pattern matching algorithms scalable for long rules are required for on-line speed deep packet inspection. We proposed a fast dynamic deep packet inspection algorithm using two pipelines which was flexible loosely coupled framework. In the fast pipeline, multiple parallel Counting Bloom filter engines which can perform fast dynamic query were adopted to achieve high throughput. Based on the principle of locality of programs, we set a threshold length for the scalability for long rules. In the relatively slow pipeline, we adopted dynamic pattern matching algorithm to distinguish the suspicious packet came from the fast pipeline. The analysis and the evaluation show that the high throughput of the algorithm can satisfy the wire speed dynamic inspection requirement when the low resource consumption further improves the scalability.

Wei Zhang,Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1109/CHINACOM.2008.4685118

2008-01-01

Abstract:Regular expressions tire increasingly used in network security applications. Multiple regular expressions matching is one of the most important: performance bottlenecks in those systems. This paper proposes a new hardware-based multiple regular-expressions matching architecture, called MRM, for network intrusion detection system. It shows that traditional algorithm, such as AC, has to face the serious spatial explosion problem when simultaneously detecting a large number of regular expressions because of constrained repetitions. MRM utilizes hardware RAM modules to share matching signals and exploits hardware register counting to implement constrained repetitions. This paper also proposes a software compiler to construct the hardware architecture and generate information in MRM's RAMs for the given regular expressions. Experiments in actual snort and bro regular expression sets show that MRM can achieve the high throughput of 2.1Gbps and 2.8Gbps on Virtex2 and Virtex4 devices respectively.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxp026

2009-01-01

The Computer Journal

Abstract:Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Hongbin Lu,Kai Zheng,Bin Liu,Changhua Sun

DOI: https://doi.org/10.1109/ICNS.2007.16

2007-01-01

Abstract:As one of the key methods as well as a bottleneck for Network Intrusion Detection Systems (NIDSes) to detect and eliminate malicious traffic, pattern matching is increasingly gaining popularity while also faces threats from hackers' overloading attempts. The support of mixed case-sensitive and case-insensitive patterns, which is essential for NIDSes to detect possible attacks targeting different applications and operating systems, is currently a potential vulnerability since the widely used Convert-Search-Verify (CSV) approach encounters severe performance degradation in the worst-case scenarios. This paper firstly gives a thorough analysis on the reasons causing jams in the worst case, and then boosts up the performance by leveraging a novel mechanism named Convert-Search-incrementally-Verify (CSiV). CSiV differs from CSV in that it first merges possible case-sensitive matches to suspicious segments in the "Search" phase, and then leverages an Aho-Corasick like algorithm to verify them. The infeasibility of the simple Double Search (DS) approach is also explained by analyzing its low average-case throughput. Extensive experiments based on real pattern sets along with both collected and artificial traffic traces show that, the performance of the proposed approach outperforms the DS approach by a factor of 2 in the ordinary cases, and is better than the CSV approach up to 5 times under the worst-case scenario, indicating both its feasibility and robustness for a worst-case safe NIDS. © 2007 IEEE.

Jia Ni,Chuang Lin,Zhen Chen,Peter Ungsunan

DOI: https://doi.org/10.1109/ICPP.2007.7

2007-01-01

Abstract:Deep Packet Inspection (DPI) is a critical function in network security applications such as Firewalls and Intrusion Detection Systems (IDS). Signature based scanners used in DPI apply multi-pattern matching algorithms to check whether the packet payload or flow content contains a specified signature in a signature set. Existing multi-pattern matching algorithms sacrifice memory space to achieve better performance. In this paper a novel fast multi-pattern matching algorithm, the Hash Boyer-Moore (HBM) Algorithm, is presented, which reduces the memory footprint of the heuristic table using a hash function and adds another heuristic table to reduce the false-positive ratio. Analyses and simulations show HBM offers higher speed and lower memory cost than some existing algorithms. The HBM algorithm was implemented on the Intel IXP 2400 Network Processor (NP) platform and experiments show suitable performance results in a Gigabit Ethernet LAN environment.

Ziqian Wan,Gang Liang,Tao Li

DOI: https://doi.org/10.4304/jnw.7.9.1327-1333

2012-01-01

Journal of Networks

Abstract:It is becoming increasingly hard to build an intrusion detection system (IDS), because of the higher traffic throughput and the rising sophistication of attacking. Scale will be an important issue to address in the intrusion detection area. For hardware, tomorrow’s performance gains will come from multi-core architectures in which a number of CPU executes concurrently. We take the advantage of multi-core processors’ full power for intrusion detection in this work. We present an intrusion detection system based on the Snort open-source IDS that exploits the computational power of MIPS multi-core architecture to offload the costly pattern matching operations from the CPU, and thus increase the system’s processing throughput. A preliminary experiment demonstrates the potential of this system. The experiment results indicate that this method can be used effectively to speed up intrusion detection systems.