DocumentCode
2862143
Title
A Robust Approach for Matching Mixed Case-sensitive and Case-insensitive Patterns
Author
Lu, Hongbin ; Zheng, Kai ; Liu, Bin ; Sun, Changhua
Author_Institution
Tsinghua Univ., Beijing
fYear
2007
fDate
19-25 June 2007
Firstpage
72
Lastpage
72
Abstract
As one of the key methods, as well as a bottleneck, for Network Intrusion Detection Systems (NIDSes) to detect and eliminate malicious traffic, pattern matching is increasingly gaining popularity while also facing threats from hackers' overloading attempts. Support for mixed case-sensitive and case-insensitive patterns, which is essential for NIDSes to detect possible attacks targeting different applications and operating systems, is currently a potential vulnerability, since the widely used Convert-Search-Verify (CSV) approach suffers severe performance degradation in worst-case scenarios. This paper first gives a thorough analysis of the reasons causing jams in the worst case, and then boosts performance by leveraging a novel mechanism named Convert-Search-incrementally-Verify (CSiV). CSiV differs from CSV in that it first merges possible case-sensitive matches into suspicious segments in the "Search" phase, and then leverages an Aho-Corasick-like algorithm to verify them. The infeasibility of the simple Double Search (DS) approach is also explained by analyzing its low average-case throughput. Extensive experiments based on real pattern sets, along with both collected and artificial traffic traces, show that the proposed approach outperforms the DS approach by a factor of 2 in ordinary cases and is up to 5 times better than the CSV approach under the worst-case scenario, indicating both its feasibility and robustness for a worst-case-safe NIDS.
Keywords
Internet; pattern matching; telecommunication security; telecommunication traffic; case-insensitive pattern matching; convert-search-incrementally-verify approach; double search approach; mixed case-sensitive pattern matching; network intrusion detection system; network security; network traffic; operating system; Computer hacking; Degradation; Face detection; Intrusion detection; Operating systems; Pattern matching; Performance analysis; Robustness; Telecommunication traffic; Throughput;
fLanguage
English
Publisher
ieee
Conference_Titel
Networking and Services, 2007. ICNS. Third International Conference on
Conference_Location
Athens
Print_ISBN
978-0-7695-2858-9
Type
conf
DOI
10.1109/ICNS.2007.16
Filename
4438321