Two-phase Pattern Matching for Regular Expressions in Intrusion Detection Systems.

Detailed bibliography
Title: Two-phase Pattern Matching for Regular Expressions in Intrusion Detection Systems.
Authors: CHANG-CHING YANG, CHEN-MOU CHENG, SHENG-DE WANG
Source: Journal of Information Science & Engineering. Sep2010, Vol. 26 Issue 5, p1563-1582. 20p. 8 Diagrams, 5 Charts, 2 Graphs.
Subjects: Intrusion detection systems (Computer security), Machine theory, Robots, Field programmable gate arrays, Computer network security
Abstract: Regular expressions are used to describe security threats' signatures in network intrusion detection (NID) systems. To identify suspicious packets using regular expression matching, many NID systems use memory-based deterministic finite-state automata (DFA) with a one-pass-scanning model, which is fast and allows dynamic updates. However, a number of practical signature patterns commonly found in a variety of NID systems, e.g., ".*A.{N}B", can cause a state-explosion problem in such a model. In this paper, we propose a two-phase pattern matching engine (TPME) to solve this problem. In our proposed approach, the state storage cost is reduced to being linearly dependent on the number of repetitions N in the patterns. With the new approach, we are now able to handle those practical patterns that would have caused the state-explosion problem in memory-based DFA. We report our implementation of TPME on a field programmable gate array (FPGA). With our prototype implementation, we can achieve a throughput of more than 1.86 gigabits per second for pattern matching in a practical NID system. [ABSTRACT FROM AUTHOR]
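The state-explosion problem the abstract describes, as an added illustration that is not the paper's TPME or its FPGA design: a subset construction over a constructed three-symbol alphabet counts the reachable DFA states for ".*A.{N}B" (2^(N+1) + 1, exponential in N), and a simple two-phase scan (a prefix matcher for "A" feeding a window of N+1 flags) keeps storage linear in N. The function names and the {A, B, x} alphabet are assumptions made for this example.

```python
# Added illustration, not the paper's engine: why ".*A.{N}B" explodes a
# one-pass memory-based DFA, and how a two-phase scan stays linear in N.
from collections import deque

ALPHABET = ("A", "B", "x")   # constructed: "x" stands for every other byte

def nfa_step(states, ch, n):
    """One NFA step for .*A.{N}B: q0 loops on any byte, q1..q(n+1) walk the
    fixed-width window .{N}, and state n+2 is the accepting (match) state."""
    nxt = set()
    for q in states:
        if q == 0:
            nxt.add(0)
            if ch == "A":
                nxt.add(1)
        elif q <= n:                      # inside .{N}: any byte advances
            nxt.add(q + 1)
        elif q == n + 1 and ch == "B":
            nxt.add(n + 2)
    return frozenset(nxt)

def dfa_state_count(n):
    """Subset construction; any subset holding the accepting state collapses
    into a single MATCH sink. Returns the number of reachable DFA states,
    which is 2^(n+1) + 1 because the DFA must remember, for each of the
    last n+1 bytes, whether it was an 'A'."""
    match = "MATCH"
    start = frozenset({0})
    seen, todo = {start, match}, [start]
    while todo:
        s = todo.pop()
        for ch in ALPHABET:
            t = nfa_step(s, ch, n)
            t = match if (n + 2) in t else t
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return len(seen)

def two_phase_match(text, n):
    """Phase 1: a trivial prefix matcher flags each 'A'. Phase 2: a window of
    n+1 flags remembers which of the last n+1 bytes were 'A', so a 'B' is
    checked in O(1). Storage is n+1 bits regardless of input length.
    Returns the index of the 'B' that completes the first match, or -1."""
    window = deque([False] * (n + 1), maxlen=n + 1)
    for i, ch in enumerate(text):
        if ch == "B" and window[0]:       # 'A' occurred exactly n+1 bytes earlier
            return i
        window.append(ch == "A")
    return -1
```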
Database: Supplemental Index
ISSN: 1016-2364