A memory-based NFA regular expression match engine for signature-based intrusion detection

Pao, Derek; Or, Nga Lam; Cheung, Ray C. C.

doi:10.1016/j.comcom.2013.03.002

Cited by 14 publications

(4 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is considered more precise and accurate than anomalybased detection and has no false positive rate. However, it has its own limitation that makes it cover limited types of attacks since the attack patterns have to be known in advance [16]. Several worms can be detected by pattern-matching algorithms such as code red attack.…”

Section: Cl-cidps Main Blocks Methodology and Workflowmentioning

confidence: 99%

cl-CIDPS: A Cloud Computing Based Cooperative Intrusion Detection and Prevention System Framework

Al-Mousa

Nasir

2015

Communications in Computer and Information Science

View full text Add to dashboard Cite

Abstract. Cloud Computing is one of today's most promising technologies due to its cost-efficiency, flexibility and scalability for computing processes. However, the complex architecture of cloud infrastructure and the different levels of users lead to special requirements especially in security area. The Cloud provider is responsible for providing secure, reliable and trustful services to its consumers. Network intrusion detection system and network intrusion prevention system (IDPS), is a pioneer active security-defensive mechanism that is ideal to be used in cloud computing. Collaborative or cooperative IDS had been a hot topic for the last few years. However, there were some limitations in previous techniques indicating that they are not sufficient to cover all security threats in clouds. The main objective is to propose a cloud based cooperative intrusion detection and prevention system (cl-CIDPS). The system adds several contributions to the area of IDPS in clouds by proposing an integrated design that considers detection, prevention and logging capabilities applying both signature and anomaly detection mechanisms. cl-CIDPS was evaluated using a powerful network security simulator tool (Nessi2) that is capable of testing detection units and communication schemas. NeSSi2 was extended for a cloudbased IDPS presenting a valuable simulation background that can be used by future researches to evaluate similar proposed techniques for cloud computing infrastructure.

show abstract

Section: Cl-cidps Main Blocks Methodology and Workflowmentioning

confidence: 99%

cl-CIDPS: A Cloud Computing Based Cooperative Intrusion Detection and Prevention System Framework

Al-Mousa

Nasir

2015

Communications in Computer and Information Science

View full text Add to dashboard Cite

show abstract

“…An extended P-AC detection method called PACX is used to detect fixed-length tokens with 4 to 15 bytes that contain a string component at the front plus a small number of wildcard bytes, nibbles and/or alternate bytes. MX-NFA [8] is a more general regex detection method, and it is used to detect more complex tokens that may contain counting block(s) and other regex features. Displacement counts between tokens will be verified by the aggregation unit (AU).…”

Section: Proposed Detection Methodsmentioning

confidence: 99%

“…In this paper, we shall present hardware architectures to detect the remaining 6.4K regex patterns in the ClamAV virus database. The techniques that we have developed for string matching [3][4] [6] [7], regex matching [5] [8], perfect hash table organization [9], and codeword assignment scheme [10] will be applied in this work. It would be highly desirable for readers to have read some of our previous publications in this topic, in particular [5].…”

Section: Introductionmentioning

confidence: 99%

MEMORY-Based Hardware Architectures to Detect ClamAV Virus Signatures with Restricted Regular Expression Features

Wang

Pao

2016

IEEE Trans. Comput.

Self Cite

View full text Add to dashboard Cite

We aim to implement a single-chip hardware detection engine for virus scanning. Our study is based on the ClamAV virus database, which contains 88.9K strings and 9.6K extended hex-signatures with restricted regular expression (regex) features. We have previously presented cost-effective hardware architectures to detect the 88.9K strings and 3.2K regex patterns that are composed of multiple string segments. In this paper, we shall present hardware architectures to detect the remaining 6.4K regex patterns. Our method is based on the information reduction approach. We transform the byte-oriented matching problem to a token-based matching problem. A regex pattern contains one or more segments, and a segment may be subdivided into multiple non-trivial tokens. In general, a token is associated with one or a few regexes only. The input bytestream is converted into a token-stream using dedicated hardware units, where the number of tokens is much less than the number of bytes. The token-stream is processed by a NFA-based aggregation unit to determine if any segment can be found. Detected segments are further processed by a scoreboard to determine if any multi-segment pattern can be found. For proof-ofconcept, our method is implemented on a Virtex-6 FPGA which consumes 1.84 MB on-chip memory.

show abstract

“…Non-deterministic finite automaton (NFA) is used in a memory-based architecture to speed up regular expression matching. This technique also supports dynamic updates and offers constant throughput (Pao et al, 2013). The contextual information and hash functions are integrated with IDS to construct an adaptive hash-based non-critical alarm filter.…”

Section: Signature-based Idsmentioning

confidence: 99%

Internet attacks and intrusion detection system

Singh

Kumar

Singla

et al. 2017

OIR

View full text Add to dashboard Cite

Purpose The paper addresses various cyber threats and their effects on the internet. A review of the literature on intrusion detection systems (IDSs) as a means of mitigating internet attacks is presented, and gaps in the research are identified. The purpose of this paper is to identify the limitations of the current research and presents future directions for intrusion/malware detection research. Design/methodology/approach The paper presents a review of the research literature on IDSs, prior to identifying research gaps and limitations and suggesting future directions. Findings The popularity of the internet makes it vulnerable against various cyber-attacks. Ongoing research on intrusion detection methods aims to overcome the limitations of earlier approaches to internet security. However, findings from the literature review indicate a number of different limitations of existing techniques: poor accuracy, high detection time, and low flexibility in detecting zero-day attacks. Originality/value This paper provides a review of major issues in intrusion detection approaches. On the basis of a systematic and detailed review of the literature, various research limitations are discovered. Clear and concise directions for future research are provided.

show abstract

A memory-based NFA regular expression match engine for signature-based intrusion detection

Cited by 14 publications

References 33 publications

cl-CIDPS: A Cloud Computing Based Cooperative Intrusion Detection and Prevention System Framework

cl-CIDPS: A Cloud Computing Based Cooperative Intrusion Detection and Prevention System Framework

MEMORY-Based Hardware Architectures to Detect ClamAV Virus Signatures with Restricted Regular Expression Features

Internet attacks and intrusion detection system

Contact Info

Product

Resources

About