ENREM: An efficient NFA-based regular expression matching engine on reconfigurable hardware for NIDS

Hieu, Tran Trung; Thinh, Tran Ngoc; Tomiyama, Shigenori

doi:10.1016/j.sysarc.2013.03.013

Cited by 14 publications

(5 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ideas on automated rule generation can be traced back to early 2000 (Levine et al, 2003). Many papers on automated rule generation focus on the detection of activity performed after a vulnerability has been exploited (e.g., connecting to command-and-control networks (Zand et al, 2014)), performance improvements (e.g., using field programmable gate arrays (Hieu et al, 2013)), or the creation of new rules by aggregation of existing rules (e.g., by correlating alerts from different NIDSs (Vasilomanolakis et al, 2015)). These contributions are beyond the scope of the study described in this paper as they concern-specific solutions that are not (yet) used by most practitioners.…”

Section: Previous Tests Of Rules and Rulesetsmentioning

confidence: 99%

Variables influencing the effectiveness of signature-based network intrusion detection systems

Sommestad

Holm

Steinvall

2021

Information Security Journal: A Global Perspective

View full text Add to dashboard Cite

Contemporary organizations often employ signature-based network intrusion detection systems to increase the security of their computer networks. The effectiveness of a signature-based system primarily depends on the quality of the rules used to associate system events to known malicious behavior. However, the variables that determine the quality of rulesets is relatively unknown. This paper empirically analyzes the detection probability in a test involving Snort for 1143 exploitation attempts and 12 Snort rulesets created by the Emerging Threats Labs and the Sourcefire Vulnerability Research Team. The default rulesets from Emerging Threats raised priority-1-alerts for 39% of the exploit attempts compared to 31% for rulesets from the Vulnerability Research Team. The following features predict detection probability: if the exploit is publicly known, if the ruleset references the exploited vulnerability, the payload, the type of software targeted, and the operating system of the targeted software. The importance of these variables depends on the ruleset used and whether default rules are used. A logistic regression model with these variables classifies 69-92% of the cases correctly for the different rulesets.

show abstract

Section: Previous Tests Of Rules and Rulesetsmentioning

confidence: 99%

Variables influencing the effectiveness of signature-based network intrusion detection systems

Sommestad

Holm

Steinvall

2021

Information Security Journal: A Global Perspective

View full text Add to dashboard Cite

show abstract

“…A matching engine for nondeterministic finite automaton (NFA)‐based regular expression has been suggested by Hieu et al . [11], in which a new sharing architecture has been utilised with many other mechanisms to enhance the desired area of pattern matching circuits. Despite that this work utilises a special hardware, i.e.…”

Section: Related Workmentioning

confidence: 99%

QCF for deep packet inspection

Alhisnawi

Ahmadi

2018

IET Networks

View full text Add to dashboard Cite

Deep packet inspection (DPI) acts as a tool to control and classify incoming network traffic depending on users,content, applications and becomes a very important aspect of every network today. Instead of utilising only incoming packet header information, Internet service providers utilise DPI for security purposes, flow management, and routing. The highperformance challenges that face DPI techniques to manage line-speed packet processing with restricted available memory are the increasing traffic volumes and link rates. Bloom (BF) and quotient (QF) filters are effective randomised data structures for performing approximate membership queries. They have been employed in many networking applications including DPI. Nevertheless, they consume more calculations which degrade the system performance. Consequently, in this paper, the authors propose a new variant of membership query data structure, called quotient-based Cuckoo filter (QCF), that reflects a merging process between QF and CF to minimise the calculation overhead and employing it in a DPI system. QCF employs only two hash functions and consumes less calculation overhead than BF, QF, and CF. The implementation results show that using QCF as an identification tool in a DPI system result in a time improvement up to 77% over CF and up to 98% over BF and QF.

show abstract

“…Nevertheless, it only considered matching pattern separately, to solve a combination of several patterns [27,28] presented a multi-pattern signature. A more efficient way to process payload contents is using regular expression matching (REM) which usually includes DFA-based [23] and NFA-based [43]. Simultaneously, in paper [43] gave a comparison between them.…”

Section: B Payload Processing Design Of Netfpga-basedmentioning

confidence: 99%

“…A more efficient way to process payload contents is using regular expression matching (REM) which usually includes DFA-based [23] and NFA-based [43]. Simultaneously, in paper [43] gave a comparison between them. Furthermore, to prevent degrading network throughput in detecting strings in streaming data, a data structure Bloom Filter [24,25] is used in DPI.…”

Section: B Payload Processing Design Of Netfpga-basedmentioning

confidence: 99%

The Development Status and Trend of NetFPGA

Cao

Zheng

Sun

2015

2015 International Conference on Network and Information Systems for Computers

View full text Add to dashboard Cite

In recent years, with the rapid development of the Internet, ever increasing traffic and link-bandwidths presented serious challenges for computer network-related research such as high-speed algorithm and development of high-performance network equipment. Of course, increasing complication in hardware, firewall filtering and Encryption technology, makes programmability getting more and more attention in switches, routers and other network devices. This paper introduces the development process of NetFPGA, makes a comprehensive summary in the study of high performance network, and describes its advantages in high-speed, parallel and real-time. We present a brief introduction to our current work simultaneously. Finally, the paper points out the NetFPGA development direction and trends in future work.

show abstract

ENREM: An efficient NFA-based regular expression matching engine on reconfigurable hardware for NIDS

Cited by 14 publications

References 14 publications

Variables influencing the effectiveness of signature-based network intrusion detection systems

Variables influencing the effectiveness of signature-based network intrusion detection systems

QCF for deep packet inspection

The Development Status and Trend of NetFPGA

Contact Info

Product

Resources

About