Fast Signature Matching Using Extended Finite Automaton (XFA)

Smith, Randy; Estan, Cristian; Jha, Somesh; Siahaan, Ida

doi:10.1007/978-3-540-89862-7_15

Cited by 15 publications

(12 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While thisanalysis might be straightforward for simple rules (for example, rules only limited to the IP address and port information), its ineffectiveness becomes clear when more complex rules sets incorporating character counts andregular expressions (REs)are considered. In the past, IDS rules, and inparticular, regular expressions have been successfully modeled using various extensions of an automaton [16]. Following this direction IDS rules are modelledas a Deterministic Finite Automaton (DFA) that allows one to capture thesemantics of the rule.…”

Section: B Rule Analysismentioning

confidence: 99%

Deterministic Finite Automata for pattern matching in FPGA for intrusion detection

BabuKaruppiah

Rajaram²

2011

2011 International Conference on Computer, Communication and Electrical Technology (ICCCET)

View full text Add to dashboard Cite

Intrusion detection has been at the center of intense research in the last decade owing to the rapid increase of sophisticated attacks on computer systems.Network Intrusion Detection Systems (NIDS) detect and prevent numerous security threats in network traffic. Recent Network Intrusion Detection Systems (NIDS) use regular expressions to represent suspicious or malicious character sequences in packet payloads in a more efficient way. They require high-speed packet processing providing a challenging case study for pattern matching using regular expressions. This paper presents an efficient method for finding matches to a given regular expression in a given text using FPGAs. This paper introduces a Deterministic Finite Automata (DFA) method of hardware implementation to support regular expressions.

show abstract

Section: B Rule Analysismentioning

confidence: 99%

Deterministic Finite Automata for pattern matching in FPGA for intrusion detection

BabuKaruppiah

Rajaram²

2011

2011 International Conference on Computer, Communication and Electrical Technology (ICCCET)

View full text Add to dashboard Cite

show abstract

“…Current IDS Capabilities: The field of signature matching mainly focuses on three types of signatures: strings, regular expressions (REs), and vulnerability-based signatures [4,19,26,25,7,24]. Despite continuous efforts to enhance the performance of the matching engine in current IDSes, the accuracy of such systems is hindered by the limited capabilities of regular expressions to represent all attacks as they incur a high number of false positives and false negatives.…”

Section: Related Workmentioning

confidence: 99%

“…Regular expression (RE) signatures can be represented in deterministic finite automaton (DFA) [26] or non-deterministic finite automaton (NFA) [9]. Smith et al [25] propose a combination of DFA and NFA called extended finite automaton (XFA) where a finite memory is manipulated by instructions attached to states and edges to track dependencies. An XFA is both memory-efficient and time-efficient.…”

Section: Related Workmentioning

confidence: 99%

Towards vulnerability-based intrusion detection with event processing

Farroukh

Sadoghi

Jacobsen

2011

Proceedings of the 5th ACM International Conference on Distributed Event-Based System

View full text Add to dashboard Cite

Computer systems continue to be breached despite substantial investments in defense mechanisms to stop attacks from propagating. The accuracy of current intrusion detection systems (IDSes) is hindered by the limited capability of regular expressions (REs) to express the exact vulnerability. Recent advances have proposed vulnerability-based IDSes that parse traffic and retrieve protocol semantics to describe the vulnerability. Such a description of attacks is analogous to subscriptions that specify events of interest in event processing systems. However, the matching engine of state-of-theart IDSes lacks efficient matching algorithms that can process many signatures simultaneously. In this work, we place event processing in the core of the IDS and propose novel algorithms to efficiently match vulnerability signatures. Also, we are among the first to detect complex attacks such as the Conficker worm which requires correlating multiple protocol data units (MPDUs) while maintaining a small memory footprint. Finally, we show that our algorithms are resilient to attacks through extensive testing of the IDS under different workloads. Our approach incurs negligible overhead when processing clean traffic and is faster than existing systems.

show abstract

“…While these methods offer significant performance improvements, they are limited in their application abilities. As such, XFA [17] is not capable of representing complex regular expressions owing to a potential exponential memory blow-up, while a hybrid automaton [6] relies on manually constructed regular expressions. Since the memory and time performance requirements are less critical in the inconsistency discovery process, we utilize an NFA approach for modeling attack signatures.…”

Section: Related Workmentioning

confidence: 99%

“…While this analysis might be straightforward for simple rules (for example, rules only limited to the IP address and port information), its ineffectiveness becomes clear when we consider more complex rules sets incorporating character counts and regular expressions (REs). In the past, IDS rules, and in particular, regular expressions have been successfully modeled using various extensions of an automaton [6,17]. We follow this direction and model IDS rules as a nondeterministic automaton (NFA) that allows one to capture the semantics of the rule.…”

Section: Nfa-based Approach To Rule Analysismentioning

confidence: 99%

Managing intrusion detection rule sets

Stakhanova

Ghorbani

2010

Proceedings of the Third European Workshop on System Security

View full text Add to dashboard Cite

The prevalent use of the signature-based approach in modern intrusion detection systems (IDS) emphasizes the importance of the efficient management of the employed signature sets. With the constant discovery of new threats and vulnerabilities, the complexity and size of signature sets reach the point where the manual management of rules becomes a challenging (if not impossible) task for the system administrators. While the automated support of signature management is desirable, the main difficulty that arises in this context is the diversity in syntactical representations of signatures generally allowed in IDS. In this paper, we focus on the automated approach to signature management. Specifically, we propose a model for signature analysis that brings out the semantic inconsistencies in the IDS rule sets. To address the syntactical diversity of the signatures, we use the strengths of a nondeterministic automaton (NFA) and model the individual rules as finite machines to analyze their equivalence. The effectiveness of the proposed approach is evaluated on two collections of attack signatures: the rule sets of the open source Snort IDS and Bleeding Edge Threats.

show abstract

Fast Signature Matching Using Extended Finite Automaton (XFA)

Cited by 15 publications

References 19 publications

Deterministic Finite Automata for pattern matching in FPGA for intrusion detection

Deterministic Finite Automata for pattern matching in FPGA for intrusion detection

Towards vulnerability-based intrusion detection with event processing

Managing intrusion detection rule sets

Contact Info

Product

Resources

About