Abstract
We consider the problem of string matching in Network Intrusion Detection Systems (NIDSes). String matching computations dominate the overall cost of running a NIDS, despite the use of efficient general-purpose string matching algorithms. Aiming at increasing the efficiency and capacity of NIDSes, we have designed E²xB, a string matching algorithm that is tailored to the specific characteristics of NIDS string matching. We have implemented E²xB in snort, a popular open-source NIDS, and present experiments comparing E²xB with the current best alternative solution. Our results suggest that for typical traffic patterns E²xB improves NIDS performance by 10%–36%, while for certain ruleset and traffic patterns string matching performance can be improved by as much as a factor of three.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35691-4_52
© 2003 IFIP International Federation for Information Processing
Cite this paper
Anagnostakis, K.G., Antonatos, S., Markatos, E.P., Polychronakis, M. (2003). E²xB: A Domain-Specific String Matching Algorithm for Intrusion Detection. In: Gritzalis, D., De Capitani di Vimercati, S., Samarati, P., Katsikas, S. (eds) Security and Privacy in the Age of Uncertainty. SEC 2003. IFIP — The International Federation for Information Processing, vol 122. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35691-4_19
DOI: https://doi.org/10.1007/978-0-387-35691-4_19
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6489-5
Online ISBN: 978-0-387-35691-4