Content-Split Based Effective String-Matching for Multi-Core Based Intrusion Detection Systems

We present a content split approach (CSA), tailored specifically for signature-based network intrusion detection. This algorithm logically partition the content of IP packets into three parts and internally uses boyer-moorehorspool algorithm to carry out string-matching simultaneously on these parts. Traditionally, skip based pattern matching algorithms use a single sliding window moving from left to right to detect a pattern to be matched, whereas CSA uses two sliding windows of the pattern simultaneously-one moving towards the right from the start position, towards the middle of the string, and the second starting from the middle and moving towards the end of the string. If both these moving patterns never find a match then CSA evaluates the middle of the string. In this paper, firstly we present our approach and experiments, secondly, we present an extension for Jumbo frames and finally, we present the application of our algorithm for multicore based intrusion detection system.