Open Access
Applying Fast String Matching to Intrusion Detection
Author(s) -
Mike Fisk,
George Varghese
Publication year - 2002
Publication title -
osti oai (u.s. department of energy office of scientific and technical information)
Language(s) - English
Resource type - Reports
DOI - 10.21236/ada406266
Subject(s) - intrusion detection system , string searching algorithm , computer science , network packet , pattern matching , string (physics) , speedup , context (archaeology) , matching (statistics) , set (abstract data type) , algorithm , signature (topology) , theoretical computer science , data mining , artificial intelligence , computer network , parallel computing , mathematics , statistics , paleontology , geometry , biology , mathematical physics , programming language
The performance of signature-based network intrusion detection tools is dominated by the string matching of packets against many signatures. In this paper we study how the popular intrusion detection system Snort can be best optimized to utilize different string matching algorithms. We analyze the performance of Snort's current string matching algorithm, Boyer-Moore, and several alternate algorithms. We show that no single algorithm is fastest in the context of a real Snort rule set. Instead, we develop a hybrid system that utilizes three different search algorithms, including one new algorithm presented in this paper. The result is a system that matches many common packets 5 times faster, with an average speedup of 50%. While the context of our analysis is intrusion detection, other problem domains such as virus scanning, firewalls, and layer seven switches benefit from our work.
