DocumentCode :
2493021
Title :
Two-stage decomposition of SNORT rules towards efficient hardware implementation
Author :
Chen, Hao ; Summerville, Douglas H. ; Chen, Yu
Author_Institution :
Dept. of Electr. & Comput. Eng., SUNY - Binghamton, Binghamton, NY, USA
fYear :
2009
fDate :
25-28 Oct. 2009
Firstpage :
359
Lastpage :
366
Abstract :
The performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common solution is to close the performance gap through hardware implementation of security functions. However, continuously expanding signature databases have become a major impediment to achieving scalable hardware-based pattern matching. Additionally, evolving rule databases have necessitated real-time online updating for reconfigurable hardware implementations. Based on the observation that signature patterns are constructed from combinations of a limited number of primary patterns, we propose to decompose the Snort signature patterns. These smaller primary pattern sets can be stored along with their associations to allow dynamic signature pattern reconstruction. Not only does the matching operation potentially become more scalable, but the real-time online updating task is also simplified. The approach is verified with patterns from the latest version of the Snort rule database. The experimental results show that, after decomposition, a reduction in size of over 77% can be achieved on Snort signature patterns.
Keywords :
digital signatures; field programmable gate arrays; pattern matching; reconfigurable architectures; FPGA; Snort rule database; Snort signature pattern; dynamic signature pattern reconstruction; evolutionary rule database; network intrusion detection system; pattern matching; reconfigurable hardware; security software; signature database; Decision support systems; Hardware; Virtual reality; Decompose; FPGAs; Finite State Machine; Network Intrusion Detection Systems (NIDS); Scalability; Security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Design of Reliable Communication Networks, 2009. DRCN 2009. 7th International Workshop on
Conference_Location :
Washington, DC
Print_ISBN :
978-1-4244-5047-3
Electronic_ISBN :
978-1-4244-5048-0
Type :
conf
DOI :
10.1109/DRCN.2009.5339986
Filename :
5339986