A Non-computational Intensive Pre-filter for Pattern Matching in Network Intrusion Detection Systems. Authors: Nen-Fu Huang, Yen-Ming Chu, Yih-Jou Tzang, Jian-Lin Chen, Hsien-Wei Hun, Ming-Chang Shih and Chia-Nan Kao. Publisher: IEEE GLOBECOM 2006.
Presentation Transcript


  1. A Non-computational Intensive Pre-filter for Pattern Matching in Network Intrusion Detection Systems Authors: Nen-Fu Huang, Yen-Ming Chu, Yih-Jou Tzang, Jian-Lin Chen, Hsien-Wei Hun, Ming-Chang Shih and Chia-Nan Kao Publisher: IEEE GLOBECOM 2006 Presenter: Zong-Lin Sie Date: 2011/03/16

  2. Introduction • Multiple-pattern string matching algorithms such as Aho-Corasick (AC) are inherently computationally intensive, so a fast software implementation is hard to achieve. • Hardware acceleration is usually expensive, and the interface between the accelerator and the host can become the bottleneck when it is integrated with existing network appliances.

  3. Introduction • This paper presents an efficient pre-filtering algorithm that filters out clean packets so that the string matching in the NIDS only runs on the remaining packets and is therefore sped up. • The proposed algorithm uses a tiny data structure, needs little computation, and stays resident in the CPU cache. • It can be implemented efficiently on a software-based platform.

  4. Model of Pre-filter • The pre-filter may produce false positives (a clean packet is passed on to the full matcher, which then finds nothing) but never false negatives (a packet that contains a pattern is never filtered out), so placing it in front of the exact matcher does not change the detection result.

  5. Proposed algorithm (SSF-1) • Super-Symbol Filter (SSF). • The basic idea of SSF is to treat two adjacent bytes as one super-symbol and to use a bitmap to record which super-symbols occur in the pre-defined patterns. • For example, with 8-bit ASCII symbols there are 65536 possible two-byte super-symbols, so a bitmap vector of 65536 entries (64 Kbit, i.e. 8 KB) is used.

  6. Proposed algorithm (SSF-1)

  7. Proposed algorithm (SSF-1)

  8. Proposed algorithm (SSF-1)

  9. Proposed algorithm (SSF-2) • To obtain better accuracy and fewer false positives, SSF-1 is extended further. • In SSF-2, two match vectors (two bitmaps) are built in the construction phase. The First Match Vector (FMV) records the super-symbols formed by the first two symbols of each pattern. The Rest Match Vector (RMV) records the remaining super-symbols of the patterns, i.e. all except those recorded in the FMV.

  10. Proposed algorithm (SSF-2)

  11. Proposed algorithm (SSF-2)

  12. Proposed algorithm (SSF-2)
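Added example (not code from the paper or the presenter): a Python reconstruction of the SSF-1 and SSF-2 pre-filters described on slides 5 and 9. The construction phase follows the slides: every adjacent byte pair of each pattern sets one bit in a 65536-bit (8 KB) match vector; SSF-2 puts the first pair of each pattern into the FMV and the remaining pairs into the RMV. The filtering rule is an assumption, since the slides do not spell it out: a packet is treated as suspicious when it contains a run of Lmin - 1 consecutive set super-symbols (Lmin being the shortest pattern length), the first of which must be an FMV hit in the SSF-2 case. Any packet that contains a pattern necessarily contains such a run, so the rule preserves the no-false-negative property of slide 4. The sample patterns and packets are constructed for the demonstration and are not Snort rules.

```python
"""Super-Symbol Filter (SSF-1 / SSF-2) pre-filter, reconstructed from the
slides.  Added example, not the paper's code.  The bitmap layout follows
slides 5 and 9; the run-based hit rule in suspicious() is an assumption."""

import random

BITS = 1 << 16            # 65536 possible two-byte super-symbols
BITMAP_BYTES = BITS // 8  # 8 KB per match vector, small enough to stay cache-resident


def super_symbol(data: bytes, i: int) -> int:
    """Super-symbol at byte offset i: the byte pair data[i], data[i+1]."""
    return (data[i] << 8) | data[i + 1]


class MatchVector:
    """A 65536-bit bitmap indexed by super-symbol value."""

    def __init__(self) -> None:
        self.bits = bytearray(BITMAP_BYTES)

    def set(self, ss: int) -> None:
        self.bits[ss >> 3] |= 1 << (ss & 7)

    def test(self, ss: int) -> bool:
        return bool(self.bits[ss >> 3] & (1 << (ss & 7)))

    def density(self) -> float:
        """Fraction of bits set (the 'percentage of setting bits' of slide 13)."""
        return sum(bin(b).count("1") for b in self.bits) / BITS


class SSF:
    """two_vectors=False builds SSF-1 (one MV); True builds SSF-2 (FMV + RMV)."""

    def __init__(self, patterns, two_vectors: bool = False) -> None:
        self.patterns = [bytes(p) for p in patterns]
        if not self.patterns or any(len(p) < 2 for p in self.patterns):
            # Slide 13: SSF is not applicable to one-byte patterns; those need
            # a separate mechanism, so refuse them here instead of silently
            # losing the no-false-negative guarantee.
            raise ValueError("SSF needs at least one pattern and all patterns >= 2 bytes")
        self.lmin = min(len(p) for p in self.patterns)
        self.rmv = MatchVector()
        self.fmv = MatchVector() if two_vectors else self.rmv  # SSF-1: FMV is the MV itself
        for p in self.patterns:
            for i in range(len(p) - 1):
                ss = super_symbol(p, i)
                if i == 0:
                    self.fmv.set(ss)  # first super-symbol of the pattern
                else:
                    self.rmv.set(ss)  # rest super-symbols

    def suspicious(self, pkt: bytes) -> bool:
        """True when pkt may contain a pattern; never False when it does.

        Assumed rule: a pattern of length L spans L-1 consecutive super-symbols,
        the first recorded in the FMV and the rest in the RMV, so any packet that
        contains a pattern has a run of at least lmin-1 such hits.
        """
        need = self.lmin - 1
        nss = len(pkt) - 1  # number of super-symbols in the packet
        for i in range(nss - need + 1):
            if not self.fmv.test(super_symbol(pkt, i)):
                continue
            if all(self.rmv.test(super_symbol(pkt, i + k)) for k in range(1, need)):
                return True  # hand the packet to the full matcher (e.g. AC)
        return False  # clean: the expensive matcher is skipped


def contains_pattern(pkt: bytes, patterns) -> bool:
    """Exact ground truth, used to check the filter's verdicts."""
    return any(p in pkt for p in patterns)


def no_false_negatives(ssf: SSF, trials: int = 200, seed: int = 0) -> bool:
    """Embed each pattern in random junk and confirm the filter never passes it."""
    rnd = random.Random(seed)

    def junk() -> bytes:
        return bytes(rnd.randrange(256) for _ in range(rnd.randrange(0, 40)))

    for _ in range(trials):
        pkt = junk() + rnd.choice(ssf.patterns) + junk()
        if not ssf.suspicious(pkt):
            return False
    return True


if __name__ == "__main__":
    patterns = [b"root", b"/bin/sh", b"../.."]  # constructed sample patterns
    ssf1 = SSF(patterns)
    ssf2 = SSF(patterns, two_vectors=True)
    for pkt in (b"GET /index.html HTTP/1.0", b"cat /etc/passwd; /bin/sh -c id", b"cabin/"):
        print(pkt, "real:", contains_pattern(pkt, patterns),
              "SSF-1:", ssf1.suspicious(pkt), "SSF-2:", ssf2.suspicious(pkt))
    print("MV density: %.4f%%" % (100 * ssf1.rmv.density()))
```

The packet `cabin/` shows the difference between the two variants: its super-symbols `bi`, `in`, `n/` are all set in the single SSF-1 vector (they come from `/bin/sh`), so SSF-1 reports a false positive, while SSF-2 rejects it because `bi` is never the first pair of any pattern. Both variants flag the packet that really carries `/bin/sh`, and `no_false_negatives` checks the slide 4 guarantee on randomly padded packets.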

  13. Scalability & flexibility evaluation • Following the growth of the Snort rule patterns over time, as shown in Table I, the percentage of set bits in the MV, FMV, and RMV stays very small (about 5%), so the filter keeps its discriminating power as the rule set grows. • A limitation of the SSF technique is that it is not applicable to one-byte patterns; those are handled with the simple method of [11].

  14. Performance evaluation • Parallel Bloom Filter (PBF) [11] uses eight Bloom filters, each consuming 64 KB of hash space, so the PBF scheme uses 8 × 64 KB = 512 KB of memory in total. • The Integrated Database Processor (IDP) [12] uses a bitmap with only 256 entries, one per single-byte symbol. • For comparison, one SSF match vector is 64 Kbit = 8 KB.

  15. Performance evaluation

  16. Performance evaluation

  17. Performance evaluation
