Open Access  Subscription or Fee Access

The phenomenal growth of the Internet in the last decade and society's increasing dependence on it has brought along, a flood of security attacks on the networking and computing infrastructure. Intrusion Detection Systems (IDSs) have become widely recognized as powerful tools for identifying, deterring and deflecting malicious attacks over the network. Essential to almost every intrusion detection system is the ability to search through packets and identify content that matches known attacks. Network Intrusion Detection and Prevention Systems have emerged as one of the most effective ways of providing security to those connected to the network, and at the heart of almost every modern intrusion detection system is a pattern matching algorithm. Pattern matching relies on deterministic finite automata (DFA) to search for predefined patterns. Here modifications to the Aho-Corasick pattern-matching algorithm are proposed that drastically reduce the amount of memory required and improve its performance. For Snort rule sets, the new algorithm achieves 30% of memory reduction compared with the traditional Aho–Corasick algorithm. In addition, we can gain further reduction in memory by integrating our approach to the bit-split algorithm which is the state-of-the-art memory-based approach.

Aho–Corasick (AC) Algorithm, Finite Automata, Pattern Matching, Intrusion Detection System

A. V. Aho and M. J. Corasick, “Efficient string matching: An AID to bibliographic search,” CommunACM vol. 18, no. 6, pp. 333– 340, 1975.

M. Aldwairi, T. Conte, and P.Franzon, “Configurable string matching hardware for speeding up intrusion detection,” Proc. ACM SIGARCH Comput. Arch. News, vol.33, no. 1, pp. 99–107, 2005.

M. Alicherry, M . Muthuprasanna, and V. Kumar, “High speed pattern Matching for network IDS/IPS,” in Proc. IEEE Int. Conf. Netw. Protocols (ICNP) , 2006, pp. 187–196.

B. Brodie, R. Cytron, and D. Taylor, “A scalable architecture for high-throughput regular expression pattern matching,” in Proc. 33rd Int. Symp. Comput. Arch. (ISCA) , 2006, pp. 191–122.

Z. K. Baker and V. K. Prasanna, “High-throughput linked-pattern matching for intrusion detection systems,” in Proc. Symp. Arch. For Netw. Commun. Syst. (ANCS) , Oct.2005, pp. 193–202

Application layer packet classifier for Linux, 2008. .

S. Sen, O. Spatscheck, D. Wang, Accurate, scalable in-network identification of P2P traffic using application signatures, in: Proceedings of WWW 2004,Manhattan, 2004.

A.V. Aho, M.J. Corasick, Efficient string matching: an aid to bibliographic search, Communications of the ACM 18 (6) (1975) 333–340.

Knuth.D.E, Morris.J.H Fast pattern matching in strings TR CS-74440, Stanford University, California,1974.

Booth, T.L Sequential Machines and Automata Theory. Wiley, Newyork, 1967.

Kohavi, Z. Switching and Finite Automata Theory. McGraw hill, Newyork, 1970.

Harrison , M.C. Implementation of the substring test by hashing. Comm ACM14:12 (December 1971), 777-779.

Fischer, M.J., and Paterson, M.S. String matching and other products. Technical Report 41, Project MAC, M.I.T., 1974.

Bullen, R.H., Jr., and Millien,J.K, Microtext- the design of a micro programmed finite state search machine for full-text retrieval. Proc. Fall Joint Computer Conference, 1972, pp. 479-488.

Brzozowski, J.A. Derivatives of regular expressions. J. ACM 11:4 (October 1964), 481- 494.