An Efficient String Matching Algorithm Using Bidirectional and Parallel Processing Structure for Intrusion Detection System

  • Chang, Gwo-Ching (Department of Information Engineering, I-Shou University)
  • Lin, Yue-Der (Department of Automatic Control Engineering & Master Program of Biomedical Informatics and Biomedical Engineering, Feng-Chia University)
  • Received : 2010.06.06
  • Accepted : 2010.08.13
  • Published : 2010.10.30

Abstract

The rapid growth of internet applications has increased the importance of intrusion detection system (IDS) performance. String matching is the most computationally expensive task in an IDS. In this paper, a new algorithm for multiple string matching is proposed. The proposed algorithm is based on the canonical Aho-Corasick algorithm and uses a bidirectional and parallel processing structure to accelerate matching. It was implemented and patched into Snort for experimental evaluation. Compared with the canonical Aho-Corasick algorithm, the proposed algorithm considerably improves matching speed, especially when detecting multiple keywords within a long input text string.
