Authors: Nen-Fu Huang, Yen-Ming Chu, Yih-Jou Tzang, Jian-Lin Chen, Hsien-Wei Hun, Ming-Chang Shih and Chia-Nan Kao
Publisher: IEEE GLOBECOM 2006
Presenter: Zong-Lin Sie
Date: 2011/03/16
Multiple-pattern string matching algorithms such as Aho-Corasick (AC) are computationally intensive, so a fast software implementation is not easy to achieve.
Hardware acceleration is usually expensive, and its interface may become the bottleneck when it is integrated with existing network appliances.
This paper presents an efficient pre-filtering algorithm that filters out clean packets so that the string matching in the NIDS can be sped up.
The proposed algorithm uses a tiny data structure, is light on computation and is cache-resident.
It can be implemented efficiently on a software-based platform.
The pre-filter may generate false positives but never false negatives.
Super-Symbol Filter (SSF).
The basic idea of SSF is to treat two bytes of data as one super-symbol and to use a bitmap to indicate whether each super-symbol occurs in the pre-defined patterns.
For example, with 8-bit ASCII codes there are 65536 combinations of two bytes, so a bitmap vector of 65536 entries (64 Kbit) is used.
To obtain better accuracy and fewer false positives, the proposed SSF-1 is extended further.
In SSF-2, two match vectors (two bitmaps) are employed in the construction phase. The First Match Vector (FMV) holds the super-symbols formed by the first two symbols of each pattern. The Rest Match Vector (RMV) holds the remaining super-symbols of the patterns, excluding those already in the FMV.
By tracking the growth of the Snort rule patterns, as shown in Table I, the percentage of set bits in the MV, FMV and RMV remains very small (5%).
A limitation of the SSF filtering technique is that it is not applicable to one-byte patterns (a simple method [11] is used for those).
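The SSF-1 and SSF-2 construction and filtering described above, as an added example that is not the paper's code; the bit vectors are genuine 64 Kbit bitmaps, and the patterns and payloads are constructed. The per-packet scan rule is an assumption, since the slides showing it are not reproduced here: a packet is handed to the full matcher when a run of consecutive set super-symbols reaches the shortest pattern length minus one, and in SSF-2 the run must begin with an FMV hit.

```python
# Added example (not the paper's code): SSF-1 / SSF-2 pre-filter with 64 Kbit vectors.
# Assumed scan rule: flag when a run of set super-symbols is >= (shortest pattern - 1);
# in SSF-2 the run must start with an FMV hit and may continue via FMV or RMV hits.
NUM_SS = 65536                     # 256 * 256 two-byte super-symbols
VEC_BYTES = NUM_SS // 8            # one 64 Kbit bitmap is 8 KB, cache-resident
def _set(vec, ss): vec[ss >> 3] |= 1 << (ss & 7)
def _test(vec, ss): return (vec[ss >> 3] >> (ss & 7)) & 1

class SuperSymbolFilter:
    def __init__(self, patterns, two_vectors=False):
        pats = [bytes(p) for p in patterns]
        if any(len(p) < 2 for p in pats):
            raise ValueError("SSF does not apply to one-byte patterns")
        self.min_len = min(len(p) for p in pats)
        if two_vectors:                         # SSF-2: FMV plus RMV
            self.fmv, self.rmv = bytearray(VEC_BYTES), bytearray(VEC_BYTES)
        else:                                   # SSF-1: one MV (both names alias it)
            self.fmv = self.rmv = bytearray(VEC_BYTES)
        for p in pats:                          # FMV: super-symbol of the first two bytes
            _set(self.fmv, (p[0] << 8) | p[1])
        for p in pats:                          # RMV: remaining super-symbols, minus FMV ones
            for i in range(1, len(p) - 1):
                ss = (p[i] << 8) | p[i + 1]
                if not _test(self.fmv, ss):
                    _set(self.rmv, ss)

    def needs_inspection(self, payload):
        """True: possible match, run AC; False: clean packet, skip matching."""
        need = self.min_len - 1      # super-symbols any real match must yield in a row
        run = 0
        for i in range(len(payload) - 1):
            ss = (payload[i] << 8) | payload[i + 1]
            if run and (_test(self.fmv, ss) or _test(self.rmv, ss)):
                run += 1
            else:
                run = _test(self.fmv, ss)    # a run can only start on an FMV (or MV) hit
            if run >= need:
                return True
        return False

    def set_bit_ratio(self):
        """Fraction of vector bits set (the slides report about 5% for Snort)."""
        vecs = [self.fmv] if self.rmv is self.fmv else [self.fmv, self.rmv]
        return sum(bin(b).count("1") for v in vecs for b in v) / (NUM_SS * len(vecs))

# Constructed sample patterns (not from the paper)
PATTERNS = [b"/bin/sh", b"cmd.exe", b"GET /"]
SSF1 = SuperSymbolFilter(PATTERNS)
SSF2 = SuperSymbolFilter(PATTERNS, two_vectors=True)
```

With these patterns the payload `b"in/sh"` is a false positive for SSF-1 (four consecutive set super-symbols) but is rejected by SSF-2, because no super-symbol in it is in the FMV; every real pattern still passes both filters.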
Parallel Bloom Filter (PBF) [11]: uses eight Bloom filters, each consuming 64KB of hash space, so the total memory used by the PBF scheme is 8*64KB = 512KB.
Integrated Database Processor (IDP) [12]: the bitmap used in the IDP scheme has only 256 entries, one per one-byte symbol.