A digest and pattern matching-based intrusion detection engine

Zhongqiang Chen, Yuan Zhang, Zhongrong Chen, Alex Delis

Research output: Contribution to journalArticlepeer-review

Abstract

Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer-Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom-Filter and Rabin-Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Original languageEnglish (US)
Pages (from-to)699-723
Number of pages25
JournalComputer Journal
Volume52
Issue number6
DOIs
StatePublished - 2009

Keywords

  • Finger printing and digesting techniques
  • Intrusion detection process
  • Multi-pattern matching algorithms
  • Pattern matching engine of IDSs/IPSs

ASJC Scopus subject areas

  • Computer Science(all)

Fingerprint Dive into the research topics of 'A digest and pattern matching-based intrusion detection engine'. Together they form a unique fingerprint.

Cite this