Skip to main content
Springer Nature Link
Log in

Hybrid Compression of the Aho-Corasick Automaton for Static Analysis in Intrusion Detection Systems

  • Conference paper
International Joint Conference CISIS’12-ICEUTE´12-SOCO´12 Special Sessions

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 189))

Abstract

We are proposing a hybrid algorithm for constructing an efficient Aho-Corasick automaton designed for data-parallel processing in knowledge-based IDS, that supports the use of regular expressions in the patterns, and validate its use as part of the signature matching process, a critical component of modern intrusion detection systems. Our approach uses a hybrid memory storage mechanism, an adaptation of the Smith-Waterman local-sequence alignment algorithm and additionally employs path compression and bitmapped nodes. Using as a test-bed a set of the latest virus signatures from the ClamAV database, we show how the new automata obtained through our approach can significantly improve memory usage by a factor of times compared to the unoptimized version, while still keeping the throughput at similar levels.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Aho, A., Corasick, M.: Efficient string matching: An Aid to blbiographic search. CACM 18(6), 333–340 (1975)

    MathSciNet  MATH  Google Scholar 

  2. Clam AntiVirus, http://www.clamav.net

  3. Cha, S.K., Moraru, I., Jang, J., Truelove, J., Brumley, D., Andersen, D.G.: Split Screen: Enabling Efficient, Distributed Malware Detection. In: Proc. 7th USENIX NSDI (2010)

    Google Scholar 

  4. Lee, T.H.: Generalized Aho-Corasick Algorithm for Signature Based Anti-Virus Applications. In: Proceedings of 16th International Conference on Computer Communications and Networks, ICCN (2007)

    Google Scholar 

  5. Snort, http://www.snort.org/

  6. Paxson, V.: Bro: A system for detecting network intruders in real-time. Computer Networks 31, 2435–2463 (1999)

    Article  Google Scholar 

  7. Pungila, C.: A Bray-Curtis Weighted Automaton for Detecting Malicious Code Through System-Call Analysis. In: 11th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (cisis), pp. 392–400 (2009)

    Google Scholar 

  8. Tuck, N., Sherwood, T., Calder, B., Varghese, G.: Deterministic memory-efficient string matching algorithms for intrusion detection. In: 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), vol. 4, pp. 2628–2639 (2004)

    Google Scholar 

  9. Zha, X., Sahni, S.: Highly Compressed Aho-Corasick Automata For Efficient Intrusion Detection. In: IEEE Symposium on Computers and Communications (ISCC), pp. 298–303 (2008)

    Google Scholar 

  10. Pungila, C., Negru, V.: A Highly-Efficient Memory-Compression Approach for GPU-Accelerated Virus Signature Matching. In: Information Security Conference, ISC (2012)

    Google Scholar 

  11. Arshad, J., Townend, P., Xu, J.: A novel intrusion severity analysis approach for Clouds. Future Generation Computer Systems (2011), doi:10.1016/j.future.2011.08.009

    Google Scholar 

  12. Corchado, E., Herrero, A.: Neural visualization of network traffic data for intrusion detection. Applied Soft Computing 11(2), 2042–2056 (2011)

    Article  Google Scholar 

  13. Panda, M., Abraham, A., Patra, M.R.: Hybrid Intelligent Approach for Network Intrusion Detection. Procedia Engineering 30, 1–9 (2012), doi:10.1016/j.proeng.2012.01.827

    Article  Google Scholar 

  14. Needleman, S.B., Wunsch, C.D.: A general method applicable to the search for similarities in the amino acid sequence of two proteins. J. Mol. Biol. 47, 443–453 (1970)

    Article  Google Scholar 

  15. Smith, T.F., Waterman, M.S.: Identification of Common Molecular Subsequences. J. Mol. Biol. 147, 195–197 (1981)

    Article  Google Scholar 

  16. Bioinformatics Explained: Smith-Waterman, http://www.clcbio.com/sciencearticles/Smith-Waterman.pdf

  17. Scarpazza, D.P.: Top-Performance Tokenization and Small-Ruleset Regular Expression Matching. Int. J. Parallel Prog. 39, 3–32 (2011)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. West University of Timisoara, Blvd. V. Parvan 4, Timisoara, 300223, Timis, Romania

    Ciprian Pungila

Authors
  1. Ciprian Pungila
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ciprian Pungila .

Editor information

Editors and Affiliations

  1. , Department of Civil Engineering, University of Burgos, Campus Vena (Edif.C), C/ Francisco de Vitoria, s/n, Burgos, 09006, Spain

    Álvaro Herrero

  2. VŠB-TU Ostrava, 17. listopadu 15, Ostrava, 70833, Czech Republic

    Václav Snášel

  3. MIR Labs, Scientific Network for Innovation, Machine Intelligence Research Labs, Auburn, 98071, USA

    Ajith Abraham

  4. VŠB-TU Ostrava, 17. listopadu 15, Ostrava, 70833, Czech Republic

    Ivan Zelinka

  5. , Department of Civil Engineering, University of Burgos, Campus Vena (Edif.C), C/ Francisco de Vitoria, s/n, Burgos, 09006, Spain

    Bruno Baruque

  6. Universidad de Salamanca, Plaza de la Merced S/N, Salamanca, 37008, Spain

    Héctor Quintián

  7. University of Coruña, Avda. 19 de febrero, s/n, Coruña, 15405 A, Spain

    José Luis Calvo

  8. y León, Pol. Ind. Villalonquéjar, Instituto Tecnológico de Castilla, Lopez Bravo 70, Burgos, 09001, Spain

    Javier Sedano

  9. Universidad de Salamanca, Plaza de la Merced S/N, Salamanca, 37008, Spain

    Emilio Corchado

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pungila, C. (2013). Hybrid Compression of the Aho-Corasick Automaton for Static Analysis in Intrusion Detection Systems. In: Herrero, Á., et al. International Joint Conference CISIS’12-ICEUTE´12-SOCO´12 Special Sessions. Advances in Intelligent Systems and Computing, vol 189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33018-6_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-33018-6_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33017-9

  • Online ISBN: 978-3-642-33018-6

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics