Deep Packet Inspection for Intrusion Detection Systems: A Survey

  • Published: 2007.11.30

Abstract

Deep packet inspection is widely recognized as a powerful technique used by intrusion detection systems to inspect, deter and deflect malicious attacks over the network. Fundamentally, almost all intrusion detection systems have the ability to search through packets and identify content that matches known attacks. In this paper we survey deep packet inspection implementation techniques, research challenges and algorithms. Finally, we provide a comparison between the different applied systems.
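As an added illustration, not code from the paper, the core operation the abstract describes: an Aho-Corasick automaton (the classic multi-pattern matcher behind many DPI engines) scanning a packet payload for a set of signatures in a single pass. The signature set and the payload below are constructed for the example.

```python
from collections import deque

# Constructed signature set (not real IDS rules): byte patterns an IDS
# might flag inside a packet payload.
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"../..", b"passwd"]

def build_automaton(patterns):
    """Build an Aho-Corasick automaton: goto trie, failure links, outputs."""
    goto = [{}]          # goto[state][byte] -> next state
    output = [set()]     # output[state] -> indices of patterns ending here
    for idx, pat in enumerate(patterns):
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto[s][b] = len(goto)
                goto.append({})
                output.append(set())
            s = goto[s][b]
        output[s].add(idx)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())   # depth-1 states fail to the root
    while queue:                      # BFS so fail[r] is set before its children
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            output[s] |= output[fail[s]]   # inherit matches of shorter suffixes

    return goto, fail, output

def scan_payload(payload, patterns):
    """One pass over payload; returns a list of (start_offset, pattern) hits."""
    goto, fail, output = build_automaton(patterns)
    s, hits = 0, []
    for i, b in enumerate(payload):
        while s and b not in goto[s]:   # follow failure links on mismatch
            s = fail[s]
        s = goto[s].get(b, 0)
        for idx in output[s]:           # every signature ending at offset i
            hits.append((i + 1 - len(patterns[idx]), patterns[idx]))
    return hits

if __name__ == "__main__":
    # Constructed HTTP request line carrying a traversal attempt.
    for start, sig in scan_payload(b"GET /../../etc/passwd HTTP/1.0", SIGNATURES):
        print(f"signature {sig!r} at offset {start}")
```

The automaton is built once per signature set and the per-byte cost of the scan is independent of the number of signatures, which is why this family of algorithms dominates the surveyed systems.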
