U.S. Department of Energy
Office of Scientific and Technical Information

Applying Fast String Matching to Intrusion Detection

Conference · DOI: https://doi.org/10.21236/ADA406266 · OSTI ID: 975767

The performance of signature-based network intrusion detection tools is dominated by the string matching of packets against many signatures. In this paper we study how the popular intrusion detection system Snort can be best optimized to utilize different string matching algorithms. We analyze the performance of Snort's current string matching algorithm, Boyer-Moore, and several alternate algorithms. We show that no single algorithm is fastest in the context of a real Snort rule set. Instead, we develop a hybrid system that utilizes three different search algorithms, including one new algorithm presented in this paper. The result is a system that matches many common packets 5 times faster with an average speedup of 50%. While the context of our analysis is intrusion detection, other problem domains such as virus scanning, firewalls, and layer seven switches benefit from our work.

Research Organization: Los Alamos National Laboratory
Sponsoring Organization: DOE
OSTI ID: 975767
Report Number(s): LA-UR-01-5459
Country of Publication: United States
Language: English

Similar Records

Efficient pattern matching on GPUs for intrusion detection systems
Conference · May 17, 2010 · OSTI ID: 986274

Integrated Scalable Parallel Firewall and Intrusion Detection System for High-Speed Networks
Technical Report · August 1, 2009 · OSTI ID: 963374

Autonomous Rule Creation for Intrusion Detection
Conference · April 1, 2011 · OSTI ID: 1023508