Open Access  Subscription or Fee Access

The most important technology for fast payload inspection is an efficient multi-pattern matching algorithm, which performs exact string matching between packets and a large set of predefined patterns. In this paper, we have proposed a novel Enhanced Hierarchical Multi-pattern Matching Algorithm (EHMA) for packet inspection. Based on the occurrence frequency of grams, a small set of the most frequent grams is discovered and used in the EHMA. EHMA is a two-tier and cluster-wise matching algorithm, which significantly reduces the amount of external memory accesses and the capacity of memory. Using a skippable scan strategy, EHMA speeds up the scanning process. Furthermore, independent of parallel and special functions, EHMA is very simple and therefore practical for both software and hardware implementations. Simulation results reveal that EHMA significantly improves the matching performance. The speed of EHMA is about 0.89-1.161 times faster than that of current matching algorithms. Even under real-life intense attack, EHMA still performs well. An intrusion detection system must reliably detect malicious activities in a network and must perform efficiently to cope with the large amount of network traffic. High attack detection accuracy can be achieved by using Conditional Random fields and high efficiency is achieved by implementing the Layered Approach. System is robust and is able to handle noisy data without compromising performance. To detect as many attacks as possible with minimum number of false alarms, i.e., the system must be accurate in detecting attacks.

Packet Inspection, Payload, EHMA, Intrusion Detection

N. Tuck, T. Sherwood, B. Calder, and G. Varghese, “Deterministic Memory Efficient String Matching Algorithms for Intrusion Detection,” Proc. IEEE INFOCOM ‟04, Mar. 2004.

A.V. Aho and M.J. Corasick, “Efficient String Matching: An Aid to Bibliographic Search,” Comm. ACM, vol. 18, no. 6, pp. 330-340, June 1975.

T.-F. Sheu, N.-F. Huang and H.-P. Lee, “A Novel Hierarchical Matching Algorithm for Intrusion Detection Systems,” Proc. IEEE Global Telecomm. Conf. (GLOBECOM ‟05), Nov. 2005.

S. Antonatos, K.G. Anagnostakis, and E.P. Markatos, “Generating Realistic Workloads for Network Intrusion Detection Systems,” Proc. Fourth Int‟l ACM Workshop Software and Performance (WOSP), 2004.

S. Antonatos, M. Polychronakis, P. Akritidis, K.G. Anagnostakis, and E.P. Markatos, “Piranha: Fast and Memory-Efficient Pattern Matching for Intrusion Detection,” Proc. 20th IFIP Int‟l Information Security Conf. (SEC ‟05), May 2005.

Kapill Kumar Gupta, Baikunth Nath, and Ramamohanarao Kotagiri,“layered approach using Conditional random fields for intrusion detection” Proc. IEEE Transactions on dependable and secure computing, January-march 2010.

Kapill Kumar Gupta, Baikunth Nath, and R. Kotagiri, “Conditional Random Fields for Intrusion Detection,” Proc. 21st Int‟l Conf. Advanced Information Networking and Applications Workshops (AINAW ‟07), pp. 203-208, 2007.