Chen Guanlin,Feng Yan,Wang Zebing

DOI: https://doi.org/10.3969/j.issn.1000-0801.2010.10.014

2010-01-01

Abstract:Nowadays wireless intrusion prevention systems have become the research hotspot with the fast development of WLAN.In this paper,we first introduce the common attack methods for WLAN,and then present the framework of the wireless IPS with a distributed pre-decision engine,which can predict the future actions and direct active responses to these actions.We implement an improved model with extended detection rules for conducting intrusion plan and making pre-decision,by gathering wireless device information and importing supporting degree of intrusion plan in plan recognition.Experimental results showed that the distributed pre-decision engine can not only improve wireless intrusion detection and prevention performance,also reduce false negatives and false positives evidently.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Chengcheng Xu,Shuhui Chen,Jinshu Su,S. M. Yiu,Lucas C. K. Hui

DOI: https://doi.org/10.1109/comst.2016.2566669

2016-01-01

Abstract:Deep packet inspection (DPI) is widely used in content-aware network applications such as network intrusion detection systems, traffic billing, load balancing, and government surveillance. Pattern matching is a core and critical step in DPI, which checks the payload of each packet for known signatures (patterns) in order to identify packets with certain characteristics (e.g., malicious packets that carry viruses or worms). Regular expression is the major tool for signature description due to its powerful and flexible expressive ability. However, this flexibility also brings great challenges for efficient implementation in practice. Despite of hundreds to thousands of empirical proposals, wire-speed matching for large scale regular expressions still remains a big challenge. The gap between the matching throughput and the link speed is widening with the ever-increasing network link speed and pattern scale. This survey begins with a full-scale application background of DPI and technical background of regular expression matching in order to provide a global view and essential knowledge for readers. We then analyze the challenges in regular expression matching originated from the state explosion of finite state automaton used for regular expression matching. The nature of state explosion is analyzed in details, and the state-of-the-art solutions are grouped into categories of methods to relieve state expansion and methods to avoid state explosion, suggestions are also provided for building compact and efficient automata in different scenarios. Furthermore, proposals employing parallel platforms, including field-programmable gate array, GPU, general multi-processors, and ternary content addressable memory, to accelerate the matching process are introduced and thoroughly discussed. We also provide guidelines for efficient deployment for each of these platforms.

Wei Zhang,Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1109/CHINACOM.2008.4685118

2008-01-01

Abstract:Regular expressions tire increasingly used in network security applications. Multiple regular expressions matching is one of the most important: performance bottlenecks in those systems. This paper proposes a new hardware-based multiple regular-expressions matching architecture, called MRM, for network intrusion detection system. It shows that traditional algorithm, such as AC, has to face the serious spatial explosion problem when simultaneously detecting a large number of regular expressions because of constrained repetitions. MRM utilizes hardware RAM modules to share matching signals and exploits hardware register counting to implement constrained repetitions. This paper also proposes a software compiler to construct the hardware architecture and generate information in MRM's RAMs for the given regular expressions. Experiments in actual snort and bro regular expression sets show that MRM can achieve the high throughput of 2.1Gbps and 2.8Gbps on Virtex2 and Virtex4 devices respectively.

Jie Wang,Kai Cui,Kuanjiu Zhou,Yanshuo Yu

DOI: https://doi.org/10.1155/2014/654974

2014-01-01

Abstract:Due to the limited resources of wireless sensor network, low efficiency of real-time communication scheduling, poor safety defects, and so forth, a queuing performance evaluation approach based on regular expression match is proposed, which is a method that consists of matching preprocessing phase, validation phase, and queuing model of performance evaluation phase. Firstly, the subset of related sequence is generated in preprocessing phase, guiding the validation phase distributed matching. Secondly, in the validation phase, the subset of features clustering, the compressed matching table is more convenient for distributed parallel matching. Finally, based on the queuing model, the sensor networks of task scheduling dynamic performance are evaluated. Experiments show that our approach ensures accurate matching and computational efficiency of more than 70%; it not only effectively detects data packets and access control, but also uses queuing method to determine the parameters of task scheduling in wireless sensor networks. The method for medium scale or large scale distributed wireless node has a good applicability.

Dong Ma,Yongjun Wang,Zhenlong Fu

DOI: https://doi.org/10.1016/j.proeng.2011.08.657

2011-01-01

Abstract:Research in network security, with the attacks becoming more frequent, increasing complexity means, for the large-scale network intrusion detection, this paper presents a warning by analyzing the behavior of the log, the contents of the relevant association, through the DHT(Distributed Hash Table) distributed architecture, the Collabarative matching, fusion, and ultimately determine the method of attack paths. First, by improving the classical Apriori algorithm, greatly improving the efficiency of the association. At the same time, through the behavior pattern matching algorithms to extract information about the behavior of the alert and the behavior sequence elements to match the template, and through the right path to finally determine the value of the threat of the network path. After the design of a DHT network, the distributed collaborative match the path used to find complex network attacks. Finally, the overall algorithm flow, proposed a complete threat detection system architecture. (C) 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of [CEIS2011]

Mohammad Hashem Haghighat,Zhe Fu,Jun Li

DOI: https://doi.org/10.1145/3234664.3234669

2018-01-01

Abstract:Several security devices use signature based detection engine to detect malicious activities through the internet. The main challenge of this scenario is to keep up with the increase of line speed. On one hand, regular expression (regex) patterns allow security analysts to express more complicated attacks. On the other hand, they make pattern matching procedure much more costly. Several finite automata based techniques have been proposed to speed up the matching procedure. However, they are still impractical in the real world, due to their high spatial or temporal complexity.In this paper, a novel technique, called HES, is proposed to handle tens of thousands regex patterns, with minimum space limitation. The experimental results over several rule sets including Snort and Bro, as two leading open source intrusion detection systems, as well as random regex patterns, reveals us HES matched patterns significantly faster than DFA, as one of the fastest state-of-the-art techniques. In addition, the HES storage requirement is close to NFA, which leads as one of the most compact method. These results proved that HES can be used in the real world, as a signature based matching engine, and gives us the power to use more regex patterns.

Chengcheng Xu,Baokang Zhao,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1007/978-981-10-7850-7_15

2016-01-01

Abstract:Mobile devices play an important role in our everyday lives, but they also bring great security threats. Deep packet inspection (DPI) is one of the most efficient methods to detect the malicious information hidden in the mobile traffic, and regular expression matching is widely used in DPI for its powerful expressive ability. However, with the increasing complexity of regular expressions, traditional solutions cannot meet the requirements of both storage and high performance. In this paper, we propose a novel hybrid matching architecture and two-stage memory architecture for the state of the art hybrid FA to solve this problem. Experiment results confirm that our architecture is scalable to complex rule sets, and the matching performance outperforms state of the art memory centric solution by up to 15x.

Su-Zhe Wang,Yong Li,Wei Cheng

DOI: https://doi.org/10.1155/2016/8672305

IF: 2.336

2016-01-01

Journal of Sensors

Abstract:Secure localization under different forms of attack has become an essential task in wireless sensor networks. Despite the significant research efforts in detecting the malicious nodes, the problem of localization attack type recognition has not yet been well addressed. Motivated by this concern, we propose a novel exchange-based attack classification algorithm. This is achieved by a distributed expectation maximization extractor integrated with the PECPR-MKSVM classifier. First, the mixed distribution features based on the probabilistic modeling are extracted using a distributed expectation maximization algorithm. After feature extraction, by introducing the theory from support vector machine, an extensive contractive Peaceman-Rachford splitting method is derived to build the distributed classifier that diffuses the iteration calculation among neighbor sensors. To verify the efficiency of the distributed recognition scheme, four groups of experiments were carried out under various conditions. The average success rate of the proposed classification algorithm obtained in the presented experiments for external attacks is excellent and has achieved about 93.9% in some cases. These testing results demonstrate that the proposed algorithm can produce much greater recognition rate, and it can be also more robust and efficient even in the presence of excessive malicious scenario.

Chun Jason Xue,Meilin Liu,QingFeng Zhuge,Edwin Hsing-Mean Sha

DOI: https://doi.org/10.1007/s11265-008-0279-2

2008-01-01

Journal of Signal Processing Systems

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stopping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matching for a packet is completed in O(N log M) time where N is the size of the packet and M is the longest pattern length. Implementation is done on a standard off-the-shelf field-programmable gate array. Comparison with the other techniques shows promising results.

Wei-dong CHEN,Zu-quan HUANG,Chuan-bo CHEN,Wei-ping ZHANG,Tao WU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2016.07.019

2016-01-01

Abstract:Cloud computing network and next-generation network is now widely used,which brings more security threats. Based on the process and the network tuples communication to construct defense system,the key technologies of defense under IPv4/IPv6 dual stack network are researched. It presents the NRLS Sunday based on improvement of the longest norepeat substring and Sunday algorithm,to a-void excessive repetitive character comparison and improve the matching efficiency of a single pattern string. Compared with BM,Sunday algorithm,the experiment shows the improved algorithm optimizes its time complexity. Under high-speed network,packet data contents is carried on rapid detection and analysis. Based on intelligent traffic restrictions for process and network,the intrusion detection and defense is conducted for network. In this paper,parallel packet detection method is studied under the high speed. Application web collaboration, and the unified arrangements and issued policies is applied in a complex network environment,proposing and realizing the effective meth-od of defense in the complex network environment.

Xiaofei Wang,Yang Xu,Junchen Jiang,Olga Ormond,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/JSYST.2013.2244791

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Deep packet inspection has become a key component in network intrusion detection systems (NIDSes), where every packet in the incoming data stream needs to be compared with patterns in an attack database, byte-by-byte, using either string matching or regular expression matching. Regular expression matching, despite its flexibility and efficiency in attack identification, brings significantly high computation and storage complexities to NIDSes, making line-rate packet processing a challenging task. In this paper, we present stride finite automata (StriFA), a novel finite automata family, to accelerate both string matching and regular expression matching. Different from conventional finite automata, which scan the entire traffic stream to locate malicious information, a StriFA only needs to scan a partial traffic stream to find suspicious information. The presented StriFA technique has been implemented in software and evaluated based on different traces. The simulation results show that the StriFA acceleration scheme offers an increased speed over traditional nondeterministic finite automaton/deterministic finite automaton, while at the same time reducing the memory requirement.

Dawei Song,Xun Zhu,Fengjuan Ma

DOI: https://doi.org/10.1088/1742-6596/2066/1/012029

2021-11-01

Journal of Physics: Conference Series

Abstract:Abstract with the rise and rapid development of mobile communication, intelligent terminal and data system, we are entering the era of mobile Internet. In recent years, more and more data need to be processed and transmitted in daily life, and structured data is becoming more and more important. Among them, multi-mode matching technology can search data in a wider range. Matching for multiple patterns at a time avoids unnecessary matching, accelerates the matching process, and helps to find longer matching information and obtain higher accuracy. This paper mainly introduces the high camouflage intrusion detection method of structured database based on multi-mode matching. This paper uses the high disguised intrusion detection method of structured database based on multi-mode matching, collects sensitive information of wireless access points and stations through the communication of WLAN in multimodal matching, then intercepts and forges data packets to initiate replay attack. Replay attack is characterized by abnormal traffic in the network, which can be detected by statistical analysis. The experimental results show that the high camouflage intrusion detection method based on multi-mode matching makes the camouflage intrusion detection rate increase by 23%. The limitations of the design and research of camouflage intrusion detection are analyzed, discussed and summarized, so as to enrich the academic research results.

Xiaofei Wang,Junchen Jiang,Wei Lin,Yi Tang,Xiaojun Wang,Bin Liu

DOI: https://doi.org/10.1109/iccomta.2009.5349207

2009-01-01

Abstract:Deep packet inspection at high speed has become extremely important due to its application in a wide range of network applications, such as network security and network monitoring. Network intrusion detection system (NIDS) uses a collection of signatures of known security threats and viruses to scan the payload of each packet. Signatures are often specified in the form of regular expressions (regex), called patterns, which are traditionally implemented as finite automata. Deterministic finite automata (DFA) is fast, but requires prohibitive amounts of memory which limits their practical use. Instead of matching an incoming packet with each individual regex in a ruleset, we match the packet with a fixed substring, called fingerprint, of a regex first. Fixed string matching is faster and consumes less energy than regex matching. The fact is that if a packet does not match with the fingerprint of a regex, it will not match the regex itself. So fingerprints can be used in a prefilter engine to filter out those packets and do not match any of the fingerprints of the regex in a rule set, which represents normal non-malicious traffic. This actually reduces the number of regex rules being matched, which results in increased throughput of the NIDS. We present a weight scheme to extract a good fingerprint from a regex. A good fingerprint is the one that not only indicates the regex uniquely, but also occurs as less as possible in the matching procedure. We demonstrate how to use fingerprints for efficient prefiltering by means of Bloom filters in practice.

Xu Dongliang,Zhang Hongli,Zhang Lei,Yao Chongchong

DOI: https://doi.org/10.11959/j.issn.1000-0801.2015068

2015-01-01

Abstract:Pattern matching is the core module in network security system,it's the highest occupancy rate of system resources is more than 70%.According to problem and challenges of pattern matching in the network security system,taking 2000 as the boundary,the pattern matching was divided into the traditional pattern matching method and the new pattern matching method.Through the analysis of the principle and the computational complexity of different pattern matching method and the development and evolution of the new pattern matching method,applicable environment of different methods was concluded.A comprehensive review and evaluation of pattern matching in network security system was presented.Finally,a conclusion and some suggestions for future research were summarized and prospected.

Xiuwen Sun,Hao Li,Xingxing Lu,Dan Zhao,Zheng Peng,Chengchen Hu

DOI: https://doi.org/10.1016/j.comnet.2019.106996

IF: 5.493

2020-01-01

Computer Networks

Abstract:Nowadays, regular expression matching becomes a critical component of the network traffic detection applications, which describes the fine-grained signature of traffic. Web services tend to compress their traffic for less data transmission, which is a great challenge for regular expression matching to achieve wire-speed processing. In this paper, we propose Twins, an efficient regular expression matching method over compressed traffic, which leverages the returned states encoding in the compression to skip repeated scanning. We also present an evaluation model to elaborate the factors that influence the performance of compressed traffic matching methods. Our evaluations demonstrate that Twins could skip ~ 90% compression data and can achieve 1.2 Gbps throughput with a single CPU core. It gains 2.2–3.0 times performance boost than the state-of-the-art works. With a parallel implementation using multiple CPU cores, the throughput could be up to 10 Gbps.

Mei-Ling Shyu,Thiago Quirino,Zongxing Xie,Shu-Ching Chen,Liwu Chang

DOI: https://doi.org/10.1145/1278460.1278463

2007-09-01

ACM Transactions on Autonomous and Adaptive Systems

Abstract:Recently, network security has become an extremely vital issue that beckons the development of accurate and efficient solutions capable of effectively defending our network systems and the valuable information journeying through them. In this article, a distributed multiagent intrusion detection system (IDS) architecture is proposed, which attempts to provide an accurate and lightweight solution to network intrusion detection by tackling issues associated with the design of a distributed multiagent system, such as poor system scalability and the requirements of excessive processing power and memory storage. The proposed IDS architecture consists of (i) the Host layer with lightweight host agents that perform anomaly detection in network connections to their respective hosts, and (ii) the Classification layer whose main functions are to perform misuse detection for the host agents, detect distributed attacks, and disseminate network security status information to the whole network. The intrusion detection task is achieved through the employment of the lightweight Adaptive Sub-Eigenspace Modeling (ASEM)-based anomaly and misuse detection schemes. Promising experimental results indicate that ASEM-based schemes outperform the KNN and LOF algorithms, with high detection rates and low false alarm rates in the anomaly detection task, and outperform several well-known supervised classification methods such as C4.5 Decision Tree, SVM, NN, KNN, Logistic, and Decision Table (DT) in the misuse detection task. To assess the performance in a real-world scenario, the Relative Assumption Model, feature extraction techniques, and common network attack generation tools are employed to generate normal and anomalous traffic in a private LAN testbed. Furthermore, the scalability performance of the proposed IDS architecture is investigated through the simulation of the proposed agent communication scheme, and satisfactory linear relationships for both degradation of system response time and agent communication generated network traffic overhead are achieved.

computer science, information systems, artificial intelligence, theory & methods

Yu Wang,Yang Xiang,Wanlei Zhou,Shunzheng Yu

DOI: https://doi.org/10.1016/j.jnca.2011.03.017

IF: 7.574

2012-01-01

Journal of Network and Computer Applications

Abstract:Network traffic classification is a critical foundation for trusted network management and security systems. Matching application signatures in traffic payload is widely considered to be the most reliable classifying method. However, deriving accurate and efficient signatures for various applications is not a trivial task, for which current practice is mostly manual thus error-prone and of low efficiency. In this paper, we tackle the problem of automatic signature generation. In particular, we focus on generating regular expression signatures with a certain subset of standard syntax rules, which are of sufficient expressive power and compatible with most practical systems. We propose a novel approach that takes as input a labeled training data set and produces a set of signatures for matching the application classes presented in the data. The approach involves four procedures: pre-processing to extract application session payload, tokenization to find common substrings and incorporate position constraints, multiple sequence alignment to find common subsequences, and signature construction to transform the results into regular expressions. A real life full payload traffic trace is used to evaluate the proposed system, and signatures for a range of applications are automatically derived. The results indicate that the signatures are of high quality, and exhibit low false negatives and false positives.

Huan Wang,Xin Li

DOI: https://doi.org/10.13052/jcsm2245-1439.1336

2024-01-01

Abstract:In order to effectively avoid network information leakage and computer network paralysis, and improve the ability of computer network security early warning, it is necessary to design a computer network security intelligent early warning system based on network behavior. Security warning is considered as the second defense mechanism behind the firewall. It can monitor and warn the network without affecting the network performance, so as to provide real-time protection for external attacks, internal attacks and misoperations, and improve the network security. This paper designs an intelligent early warning system for network security based on partial differential equation image matching technology. The system adopts B/S development mode, and the server and browser are located in the campus network. Data fusion technology is used to assess network security, predict potential threats, and add new intrusion features to the feature database for subsequent use. In this paper, a target matching algorithm based on partial differential equation is proposed by using partial differential equation. The algorithm calculates the phase difference through the algebraic combination of orthogonal filter outputs. For scenes with continuous disparity changes, the error matching rate of this algorithm is lower than that of Michael Bleyer algorithm and vertical constraint algorithm. In general, the disparity map generated by this algorithm has high matching accuracy. The results show that the distribution of alarm information is reasonable and in line with the actual situation.

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/icc.2011.5963289

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content to a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to hardware or high-speed memory where memory resources are limited. In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called StriD2FA. In the instance of LBM that we realize, 10-15 speedup is reasonable while the memory is much smaller than traditional DFA.