A flexible pattern-matching algorithm for network intrusion detection systems using multi-core processors

Chun Liang Lee*, Tzu Hao Yang

*Corresponding author for this work

Research output: Contribution to journal › Journal Article › peer-review

4 Scopus citations

Abstract

As part of network security processes, network intrusion detection systems (NIDSs) determine whether incoming packets contain malicious patterns. Pattern matching, the key NIDS component, consumes large amounts of execution time. One of several trends involving general-purpose processors (GPPs) is their use in software-based NIDSs. In this paper, we describe our proposal for an efficient and flexible pattern-matching algorithm for inspecting packet payloads using a head-body finite automaton (HBFA). The proposed algorithm takes advantage of multi-core GPP parallelism and single-instruction multiple-data operations to achieve higher throughput compared to that resulting from traditional deterministic finite automata (DFA) using the Aho-Corasick algorithm. Whereas the head-body matching (HBM) algorithm is based on a pre-defined DFA depth value, our HBFA algorithm is based on head size. Experimental results using Snort and ClamAV pattern sets indicate that the proposed algorithm achieves up to 58% higher throughput compared to its HBM counterpart.

Original language: English
Article number: 58
Journal: Algorithms
Volume: 10
Issue number: 2
State: Published - 01 06 2017

Bibliographical note

Publisher Copyright:
© 2017 by the authors.

Keywords

  • Deep packet inspection
  • Intrusion detection system
  • Network security
  • Pattern matching algorithm
