Variable Length Pattern Matching for Hardware Network Intrusion Detection System

Journal of Signal Processing Systems

Abstract

With the wide adoption of the Internet into our everyday lives, Internet security has become an important issue. Intrusion detection at the network level is an effective way of stopping malicious attacks at the source and preventing viruses and worms from spreading widely. The key component of a successful network intrusion detection system is a high-performance pattern matching engine that can uncover malicious activity in real time. In this paper, we propose a highly parallel, scalable, hardware-based network intrusion detection system that handles variable pattern lengths efficiently and effectively. Pattern matching for a packet is completed in O(N log M) time, where N is the size of the packet and M is the longest pattern length. The implementation is done on a standard off-the-shelf field-programmable gate array. Comparison with other techniques shows promising results.

Author information

Corresponding author

Correspondence to Chun Jason Xue.

Additional information

This work is partially supported by HK CityU 7200106-540, TI University Program, NSF CCR-0309461, NSF IIS-0513669, NSFC-60728206.

About this article

Cite this article

Xue, C.J., Liu, M., Zhuge, Q. et al. Variable Length Pattern Matching for Hardware Network Intrusion Detection System. J Sign Process Syst Sign Image Video Technol 59, 85–93 (2010). https://doi.org/10.1007/s11265-008-0279-2

  • DOI: https://doi.org/10.1007/s11265-008-0279-2
