High performance string matching algorithm for a network intrusion prevention system (NIPS)

Weinsberg, Yaron; Tzur-David, Shimrit; Dolev, Danny; Anker, Tal

doi:10.1109/hpsr.2006.1709697

Cited by 37 publications

(14 citation statements)

References 8 publications

(9 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yu et al [33] propose a TCAM-based scheme for matching simple regular expressions or strings. Weinsberg et al [31] introduces the rotating TCAM (RTCAM), which uses shifted patterns to increase matching speeds further. In all TCAM approaches, pattern lengths are limited to TCAM width and the complexity of acceptable regular expressions is greatly limited.…”

Section: Related Workmentioning

confidence: 99%

Speculative Parallel Pattern Matching

Luchaup

Smith

Estan

et al. 2011

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Abstract-Intrusion prevention systems (IPSs) determine whether incoming traffic matches a database of signatures, where each signature is a regular expression and represents an attack or a vulnerability. IPSs need to keep up with ever-increasing line speeds, which has lead to the use of custom hardware. A major bottleneck that IPSs face is that they scan incoming packets one byte at a time, which limits their throughput and latency. In this paper, we present a method to search for arbitrary regular expressions by scanning multiple bytes in parallel using speculation. We break the packet in several chunks, opportunistically scan them in parallel, and if the speculation is wrong, correct it later. We present algorithms that apply speculation in single-threaded software running on commodity processors as well as algorithms for parallel hardware. Experimental results show that speculation leads to improvements in latency and throughput in both cases.Index Terms-Low latency, multibyte, multibyte matching, parallel pattern matching, parallel regular expression matching, regular expressions, speculative pattern matching.

show abstract

Section: Related Workmentioning

confidence: 99%

Speculative Parallel Pattern Matching

Luchaup

Smith

Estan

et al. 2011

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…Although this technique can greatly improve the ability of preventing intrusion, issues with misreporting of intrusion prevention in IDS and filch of information in SAN need to be considered in future. A novel pattern-matching algorithm, which uses ternary content addressable memory (TCAM) and capable of matching multiple patterns in a single operation was considered in (Weinberg et al, 2006). This system is compatible with Snort's rules syntax, which is the de facto standard for intrusion prevention systems.…”

Section: Intrusion Prevention Systemsmentioning

confidence: 97%

An Intrusion Detection Technique Based on Discrete Binary Communication Channels

Ampah¹,

Akujuobi²,

Annamalai³

2011

Intrusion Detection Systems

View full text Add to dashboard Cite

“…Yu et al [30] propose a TCAM-based scheme for matching simple regular expressions or strings. Weinsberg et al [29] introduces the Rotating TCAM (RTCAM), which uses shifted patterns to increase matching speeds further. In all TCAM approaches, pattern lengths are limited to TCAM width and the complexity of acceptable regular expressions is greatly limited.…”

Section: Related Workmentioning

confidence: 99%

Multi-byte Regular Expression Matching with Speculation

Luchaup

Smith

Estan³

et al. 2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Intrusion prevention systems determine whether incoming traffic matches a database of signatures, where each signature in the database represents an attack or a vulnerability. IPSs need to keep up with ever-increasing line speeds, which leads to the use of custom hardware. A major bottleneck that IPSs face is that they scan incoming packets one byte at a time, which limits their throughput and latency. In this paper, we present a method for scanning multiple bytes in parallel using speculation. We break the packet in several chunks, opportunistically scan them in parallel and if the speculation is wrong, correct it later. We present algorithms that apply speculation in single-threaded software running on commodity processors as well as algorithms for parallel hardware. Experimental results show that speculation leads to improvements in latency and throughput in both cases.

show abstract

High performance string matching algorithm for a network intrusion prevention system (NIPS)

Cited by 37 publications

References 8 publications

Speculative Parallel Pattern Matching

Speculative Parallel Pattern Matching

An Intrusion Detection Technique Based on Discrete Binary Communication Channels

Multi-byte Regular Expression Matching with Speculation

Contact Info

Product

Resources

About