A memory-efficient bit-split parallel string matching using pattern dividing for intrusion detection systems

Hyunjin Kim, Hong Sik Kim, Sungho Kang

Research output: Contribution to journal › Article

20 Citations (Scopus)

Abstract

For low-cost hardware-based intrusion detection systems, this paper proposes a memory-efficient parallel string matching scheme. To reduce the number of state transitions, the finite state machine tiles in a string matcher adopt bit-level input symbols. Long target patterns are divided into fixed-length subpatterns, and deterministic finite automata are built from the subpatterns. Pattern dividing mitigates the variety of target pattern lengths, so that memory usage in homogeneous string matchers can be efficient. To identify each original long pattern that has been divided, a two-stage sequential matching scheme is proposed for the successive matches with subpatterns. Experimental results show that total memory requirements decrease on average by 47.8 percent and 62.8 percent for the Snort and ClamAV rule sets, in comparison with several existing bit-split string matching methods.

Original language: English
Article number: 5733341
Pages (from-to): 1904-1911
Number of pages: 8
Journal: IEEE Transactions on Parallel and Distributed Systems
Volume: 22
Issue number: 11
DOI: 10.1109/TPDS.2011.85
Publication status: Published - 2011 Aug 31

Fingerprint

Pattern matching
Intrusion detection
Finite automata
Data storage equipment
Tile
Hardware
Costs

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Hardware and Architecture
  • Computational Theory and Mathematics

Cite this

@article{2d4fba04d5ab47d183e78ee0f7a9e9a9,
title = "A memory-efficient bit-split parallel string matching using pattern dividing for intrusion detection systems",
author = "Hyunjin Kim and Kim, {Hong Sik} and Sungho Kang",
year = "2011",
month = "8",
day = "31",
doi = "10.1109/TPDS.2011.85",
language = "English",
volume = "22",
pages = "1904--1911",
journal = "IEEE Transactions on Parallel and Distributed Systems",
issn = "1045-9219",
publisher = "IEEE Computer Society",
number = "11",

}

A memory-efficient bit-split parallel string matching using pattern dividing for intrusion detection systems. / Kim, Hyunjin; Kim, Hong Sik; Kang, Sungho.

In: IEEE Transactions on Parallel and Distributed Systems, Vol. 22, No. 11, 5733341, 31.08.2011, p. 1904-1911.
