WANG Zhi-wei,PING Ling-di,LU Min-feng

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.01.009

2010-01-01

Abstract:On the basis of the BM algorithm and its derivative versions:BMH,Sunday and other algorithms,a new improved algorithm is presented.The improved algorithm has three important features:(1)using two-character inspired strategy to improve the pattern moving length and its probability.The largest length is n+2;(2)using the method of dynamic segmentation to minimize the matching;(3)building the chain with the location for the same character in the pattern to take full advantage of inspiring characters and reduce the redundancy of matching.Experimental results show that the improved algorithm has higher matching efficiency.

HUANG Yong,PING Ling-di,PAN Xue-zeng,CHEN Jian

DOI: https://doi.org/10.16411/j.cnki.issn1006-7736.2008.01.024

2008-01-01

Abstract:ISKIP and IKMPSKIP algorithms were developed combining quick search(QS) algorithm to improve performance of SKIP and KMPSKIP algorithms using partition window.The shift information of the last character of next window was looked ahead to increase the shift distance,and the times of matching were reduced efficiently.Theoretical analysis shows that two improved algorithms are superior to the original ones in respect of average time complexities.Experimental results also demonstrate its effectiveness.Especially in case of small patterns,ISKIP algorithm takes only 65%～85% of time of BMH algorithm.

Yong Huang,Lingdi Ping,Xuezeng Pan,Li Jiang,Xiaoning Jiang

DOI: https://doi.org/10.1109/iscid.2008.117

2008-01-01

Abstract:With the remarkable increase in the number of nucleotide and acid sequences, it is necessary to study pattern matching in querying sequence patterns in the biological sequence database. To further raise the performance of the pattern matching algorithm, an improved BM algorithm (called BMBR) is presented. It bases on the method of BM algorithm and combines with the shift function of BR algorithm, thus reaches the best shift distance and improves the performance. The best and worst cases in time complexities of the proposed algorithm are also discussed. The experimental results show that the algorithm is faster than other compared algorithms for small alphabets and long patterns, and thus the proposed algorithm is quite suitable for pattern matching in biological sequences.

Stephen Fulwider,Amar Mukherjee

2008-01-01

Abstract:On the basis of analyzing and studying existing Wu_Manber algorithm in intrusion detection system, an improved Wu_Manber algorithm is designed. This algorithm combines the notion of QS algorithm and expands its shift distance to maximum in searching stage. At the same time, some experiments were made to compare the performances of the traditional and improved Wu_Manber algorithms. The experimental results shown that the improved Wu_Manber algorithm performs better in both English and Chinese text, and can detect intrusion faster and more accurately.

Baojun Zhang,Xiaoping Chen,Xuezeng Pan,Zhaohui Wu

2009-01-01

Abstract:Short patterns affect the performance of Wu-Manber algorithm greatly. In order to solve this problem, an improved Wu-Manber algorithm is proposed. It divides all the patterns into, different sets according to their length. For each set, independent data structures are established and different process methods are used. Because there are few resources shared among these sets, high concurrence is obtained when doing pattern matching. Experimental results demonstrate that the improved algorithm represents a high performance than the original one.

宋华,戴一奇

DOI: https://doi.org/10.3321/j.issn:1000-0054.2003.07.032

2003-01-01

Abstract:Many problems in intrusion detection can be solved by error-tolerant multi-pattern matching algorithms. Three algorithms were designed for intrusion detection. The first algorithm was a single pattern matching algorithm while the other two were multi-pattern matching algorithms. All three algorithms implemented as dynamic programming algorithms detected the occurrences of any pattern from a given pattern set in a text, allowing a limited number of errors in the attack event sequences. The algorithms exploited the ability to arrange the pattern set in a searching tree and detected multi intrusion patterns simultaneously. Analytical and experimental results showed that all three error-tolerant multi-pattern matching algorithms were fast when searching large sets of patterns.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Yong Huang,Lingdi Ping,Xuezeng Pan,Guoyong Cai

DOI: https://doi.org/10.1109/BMEI.2008.154

2008-01-01

Abstract:Pattern matching is a powerful tool for querying sequence patterns in the biological sequence databases. The remarkable increase in the number of DNA and proteins sequences has also stimulated the study of many pattern matching algorithms. To further raise the performance of the pattern matching algorithm, a fast exact algorithm (called BRFS) is presented. It bases on the method of FS algorithm and absorbs the idea of BR algorithm during the pattern matching, thus reaches the best shift distance and improves the performance. The best, worst and average cases in time complexities of the new algorithm are also discussed. The experimental results show that the new algorithm is faster than other compared algorithms for small alphabets and long patterns, so the proposed algorithm is quite applicable for pattern matching in biological sequences.

XU Ning,LAI Hai-guang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.02.019

2006-01-01

Abstract:An improved algorithm based on the ideas of Boyer-Moore method to search for multiple patterns is presented.The application of this algorithm in a network intrusion detection system is also discussed.The experiments demonstrate good improvement in matching time.

WU Xi-hong

2012-01-01

Abstract:The network which is developed rapidly puts many people to convenience,at the same time the network safe problem is accompanied.The way to solve the problem is to enhance the intrusion detection technology.The pattern matching algorithms directly influence the high efficiency and accuracy performance of the system.It analyses in detail the characteristic of three single pattern matching algorithms based on suffix searching,then some experiments are done from three aspects which are matched time,trial times and characters' numbers through the number of different pattern strings.The experimental results show that QS algorithm and RF algorithm can shorten scanning time widely because they can skip longer string chars.So improve the speed of the pattern matching and better use in detection system.

Yang Tong,Wang Si-si,Qiao Xiang-dong,Chen Qi

DOI: https://doi.org/10.1109/WICOM.2009.5302544

2009-01-01

Abstract:when network is overload, snort spends a lot of time to matching rules. The algorithm determines the performance of intrusion detection system to a large extent. Snort adopts BM algorithm in default, in order to enhance the efficiency of network intrusion detection system which is based on snort, this paper analyzes BM algorithm firstly, and proposes an improved algorithm. Secondly, this thesis compares the two algorithms (BM algorithm and the improved BM algorithm) theoretically, and does a quantitative description of the extent of the improved BM algorithm according to the experimental results. Finally, the improve BM algorithm is applied to the network intrusion detection system, and have achieved good results.

Hongbin Lu,Kai Zheng,Bin Liu,Changhua Sun

DOI: https://doi.org/10.1109/ICNS.2007.16

2007-01-01

Abstract:As one of the key methods as well as a bottleneck for Network Intrusion Detection Systems (NIDSes) to detect and eliminate malicious traffic, pattern matching is increasingly gaining popularity while also faces threats from hackers' overloading attempts. The support of mixed case-sensitive and case-insensitive patterns, which is essential for NIDSes to detect possible attacks targeting different applications and operating systems, is currently a potential vulnerability since the widely used Convert-Search-Verify (CSV) approach encounters severe performance degradation in the worst-case scenarios. This paper firstly gives a thorough analysis on the reasons causing jams in the worst case, and then boosts up the performance by leveraging a novel mechanism named Convert-Search-incrementally-Verify (CSiV). CSiV differs from CSV in that it first merges possible case-sensitive matches to suspicious segments in the "Search" phase, and then leverages an Aho-Corasick like algorithm to verify them. The infeasibility of the simple Double Search (DS) approach is also explained by analyzing its low average-case throughput. Extensive experiments based on real pattern sets along with both collected and artificial traffic traces show that, the performance of the proposed approach outperforms the DS approach by a factor of 2 in the ordinary cases, and is better than the CSV approach up to 5 times under the worst-case scenario, indicating both its feasibility and robustness for a worst-case safe NIDS. © 2007 IEEE.

Quanmin Wang,Xuan Wei

DOI: https://doi.org/10.1145/3377644.3377660

2020-01-10

Abstract:Network intrusion detection is a detection technology which is based on the characteristics of network behavior. In recent years, network intrusion detection, as a research focus in the field of information security, had a rapid development. Redundant and irrelevant features in data have caused a long-term problem in network traffic classification. These features not only slow down the process of classification but also prevent a classifier from making accurate decisions, especially when coping with big data. In this paper, an improved binary particle swarm optimization (BPSO) was proposed to remove redundant features. This method can compress data volumes and reduce the detection time. On this basis, weight adjustment strategies of Adaboost algorithm are improved to alleviate the phenomenon of over-fitting. The performance of the improved Adaboost classifier is evaluated using two intrusion detection evaluation datasets, namely KDD Cup 99 and NSL-KDD dataset. The evaluation results show that our approach has lower false alarm rate, higher accuracy rate and F-Score.

Wei Zhang,Yibo Xue,Zongwei Zhou,Dongsheng Wang

DOI: https://doi.org/10.3772/j.issn.1002-0470.2009.06.001

2009-01-01

Abstract:In view of the problem that the performance of the classical pattern matching (one of the key technologies for network and information security systems) algorithms degrades seriously when the patterns become large, especially over 50000, this paper proposes a new architectural large-scale pattern matching algorithm (ALPM) for large-scale pattern sets. Based on the shift concept of the classical Wu-Manber (WM) algorithm and combined with its features of hardware architecture, the ALPM adopts several pre-processing and matching strategies, such as utilizing two different Hash functions to access the Shift and hash tables, optimizing pre-processing to choose the best entry signs from patterns for the two tables and adjusting the Hash confliction dynamically with the Cache size and the pattern quantity, to improve the matching performance. The experimental results show that for the large-scale pattern set, the matching performance of the ALPM is 5-10 times higher than that of the classical WM.

Yu Jianming,Xue Yibo,Li Jun

DOI: https://doi.org/10.1016/s1007-0214(07)70137-2

2007-01-01

Tsinghua Science & Technology

Abstract:As the core algorithm and the most time consuming part of almost every modern network intrusion management system (NIMS), string matching is essential for the inspection of network flows at the line speed. This paper presents a memory and time efficient string matching algorithm specifically designed for NIMS on commodity processors. Modifications of the Aho-Corasick (AC) algorithm based on the distribution characteristics of NIMS patterns drastically reduce the memory usage without sacrificing speed in software implementations. In tests on the Snort pattern set and traces that represent typical NIMS workloads, the Snort performance was enhanced 1.48%-20% compared to other well-known alternatives with an automaton size reduction of 4.86-6.11 compared to the standard AC implementation. The results show that special characteristics of the NIMS can be used into a very effective method to optimize the algorithm design.

Alberto Apostolico,Zvi Galil

DOI: https://doi.org/10.3969/j.issn.2095-0063.2007.02.015

2007-01-01

Abstract:This paper in detailes analyzes some pattern matching algorithms,such as KMP,BM,RK and SO.After making a test about the patterned time of these algorithms,we reach the conclusion that among these algorithms BM algorithm is the quickest and most efficient one.

Guang-Ming Tan,Ping Liu,Dong-Bo Bu,Yan-Bing Liu

DOI: https://doi.org/10.1007/s11390-011-0185-0

IF: 1.871

2011-01-01

Journal of Computer Science and Technology

Abstract:Due to the huge size of patterns to be searched, multiple pattern searching remains a challenge to several newly-arising applications like network intrusion detection. In this paper, we present an attempt to design efficient multiple pattern searching algorithms on multi-core architectures. We observe an important feature which indicates that the multiple pattern matching time mainly depends on the number and minimal length of patterns. The multi-core algorithm proposed in this paper leverages this feature to decompose pattern set so that the parallel execution time is minimized. We formulate the problem as an optimal decomposition and scheduling of a pattern set, then propose a heuristic algorithm, which takes advantage of dynamic programming and greedy algorithmic techniques, to solve the optimization problem. Experimental results suggest that our decomposition approach can increase the searching speed by more than 200% on a 4-core AMD Barcelona system.

Yaxuan Qi,Zongwei Zhou,Yiyao Wu,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5684120

2010-01-01

Abstract:With the continual growth of network speed and the increasing sophistication of network applications, keeping network operations efficient and secure becomes more challenging. Pattern matching is one of the key technologies for content-ware network processing, such as traffic classification, application identification and intrusion prevention. In this paper, we propose a hybrid pattern matching algorithm optimized for multi-core network processing platforms. As a system-level solution, our scheme focuses on both performance stability and hardware/software co-design. To verify the effectiveness of our design, the proposed algorithm is implemented on a state-of-art 16-MIPS-core network processing platform and evaluated with real-life data sets. Experimental results show that, when compared with the traditional Aho-Corasick algorithm, our hybrid solution saves 60~95% memory space while guarantees stable performance on large pattern sets and against adverse test traffic.

ZHANG Li-Hua,XU Wen-li

DOI: https://doi.org/10.3321/j.issn:0254-4164.1999.07.011

1999-01-01

Chinese Journal of Computers

Abstract:Point pattern matching has a wide variety of application in pattern recognition and machine vision.This paper describes two algorithms for point pattern matching.These algorithms use geometrical constraints to avoid testing the correspondence of all point exhaustively and constrain the range of correspondence search.The matching results are invariant to rotation,translation and scaling. Experimental result shows the effectiveness of the algorithms.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxp026

2009-01-01

The Computer Journal

Abstract:Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.