An Evaluation of Single Character Frequency-Based Exclusive Signature Matching in Distinct IDS Environments

  • Conference paper
Information Security (ISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8783)

Abstract

Signature-based intrusion detection systems are among the most commonly used software for protecting computer networks; they compare incoming traffic with stored signatures. However, signature matching is a key challenge, because the workload is generally at least linear in the size of the target string. To address this problem, exclusive signature matching (ESM) has been proposed, based on the observation that most network packets do not match any IDS signature. However, schemes of this kind, such as the single character frequency-based ESM, have not been extensively evaluated. In this paper, we aim to verify the above observation and to evaluate the single character frequency-based ESM in regular networks and in hostile environments, respectively. In the hostile experiment, we specifically design two malicious situations to test the scheme's performance. The experimental results show that the single character frequency-based ESM works well in a regular network, but its performance decreases greatly in a hostile environment.
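The exclusion idea the abstract describes, as an added example (not code from the paper): a signature cannot occur in a payload that lacks one of its bytes, so a cheap per-signature byte check can skip the full search. Choosing the signature byte that is rarest in observed traffic is this example's assumption about the frequency-based selection; the signatures, payloads and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample signatures and traffic (not real IDS rules or captures).
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"<script>", b"UNION SELECT"]
TRAFFIC_SAMPLE = [
    b"GET /index.html HTTP/1.1",
    b"Host: www.example.com",
    b"Accept: text/html",
    b"GET /images/logo.png HTTP/1.1",
]


def byte_frequencies(payloads):
    """Count how often each byte value occurs in observed traffic."""
    freq = Counter()
    for payload in payloads:
        freq.update(payload)  # iterating bytes yields integer byte values
    return freq


def pick_exclusion_bytes(signatures, freq):
    """Assumed selection rule: per signature, take its byte that is rarest
    in observed traffic (ties broken by byte value for determinism)."""
    return {sig: min(set(sig), key=lambda b: (freq[b], b)) for sig in signatures}


def esm_match(payload, exclusion_bytes):
    """Return (matched signatures, number of full searches performed)."""
    present = set(payload)  # one linear pass over the payload
    matched, full_searches = [], 0
    for sig, b in exclusion_bytes.items():
        if b not in present:
            continue  # payload lacks a byte of sig, so sig cannot occur
        # The byte check is only a necessary condition: fall back to a
        # full substring search whenever the byte is present.
        full_searches += 1
        if sig in payload:
            matched.append(sig)
    return matched, full_searches


def naive_match(payload, signatures):
    """Baseline: full substring search for every signature."""
    return [sig for sig in signatures if sig in payload]


EXCLUSION_BYTES = pick_exclusion_bytes(SIGNATURES, byte_frequencies(TRAFFIC_SAMPLE))
```

The pre-filter never changes the match result relative to the baseline; it only changes how many full searches run, which depends on how often the selected bytes appear in the traffic being inspected.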




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Meng, W., Li, W., Kwok, LF. (2014). An Evaluation of Single Character Frequency-Based Exclusive Signature Matching in Distinct IDS Environments. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_29

  • DOI: https://doi.org/10.1007/978-3-319-13257-0_29

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13256-3

  • Online ISBN: 978-3-319-13257-0

  • eBook Packages: Computer Science, Computer Science (R0)
