Fast Content-Based Packet Handling for Intrusion Detection

Abstract

It is becoming increasingly common for network devices to handle packets based on the contents of packet payloads. Example applications include intrusion detection, firewalls, web proxies, and layer seven switches. This paper analyzes the problem of intrusion detection and its reliance on fast string matching in packets. We show that the problem can be restructured to allow the use of more efficient string matching algorithms that operate on sets of patterns in parallel. We then introduce and analyze a new string matching algorithm that has average-case performance that is better than Aho-Corasick, a popular linear-time algorithm, and much better than the iterative use of Boyer-Moore currently used in the popular intrusion detection platform Snort. We then measure the actual performance of several search algorithms on actual packet traces and rulesets. Our results provide lessons on the structuring of content-based handlers.

Document Details

Document Type
Technical Report
Publication Date
May 01, 2001
Accession Number
ADA406413

Entities

People

  • George Varghese
  • Mike Fisk

Organizations

  • Los Alamos National Laboratory

Tags

Communities of Interest

  • Advanced Electronics
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Algorithms
  • Analyzers
  • Classification
  • Commerce
  • Computer Science
  • Construction
  • Detection
  • Detectors
  • Electronic Commerce
  • Filters
  • Flight Recorders
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Platforms
  • Probability

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Cybersecurity
  • Operations Research