Two-phase Pattern Matching for Regular Expressions in Intrusion Detection Systems.
Saved in:
| Title: | Two-phase Pattern Matching for Regular Expressions in Intrusion Detection Systems. |
|---|---|
| Authors: | CHANG-CHING YANG1, CHEN-MOU CHENG, SHENG-DE WANG |
| Source: | Journal of Information Science & Engineering. Sep2010, Vol. 26 Issue 5, p1563-1582. 20p. 8 Diagrams, 5 Charts, 2 Graphs. |
| Subject Terms: | Intrusion detection systems (Computer security), Machine theory, Robots, Field programmable gate arrays, Computer network security |
| Abstract: | Regular expressions are used to describe security threats' signatures in network intrusion detection (NID) systems. To identify suspicious packets using regular expression matching, many NID systems use memory-based deterministic finite-state automata (DFA) with one-pass-scanning model, which is fast and allows dynamic updates. However, a number of practical signature patterns commonly found in a variety of NID systems, e.g., ".*A.{N}B", can cause a state-explosion problem in such a model. In this paper, we propose a two-phase pattern matching engine (TPME) to solve this problem. In our proposed approach, the state storage cost is reduced to linearly dependent on the number of repetitions N in the patterns. With the new approach, we are now able to handle those practical patterns that would have caused the state-explosion problem in memory-based DFA. We report our implementation of TPME on a field programmable gate array (FPGA). With our prototype implementation, we can achieve a throughput of more than 1.86 gigabits per second for pattern matching in a practical NID system. [ABSTRACT FROM AUTHOR] |
| Database: | Supplemental Index |
Full Text Finder 
Nájsť tento článok vo Web of Science Be the first to leave a comment!