Exscind: Fast pattern matching for intrusion detection using exclusion and inclusion filters

Aldwairi, Monther; Alansari, Duaa

doi:10.1109/nwesp.2011.6088148

Cited by 16 publications

(8 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Experiments are run on a set of trace files collected using Wireshark network protocol analyzer [20]. A thorough description and analysis of the traces is presented by Aldwairi and Alansari [21]. The number of intrusions and the distribution of the intrusions across the traces vary from trace to trace.…”

Section: Resultsmentioning

confidence: 99%

Function and Data Parallelization of Wu-Manber Pattern Matching for Intrusion Detection Systems

Kharbutli

Aldwairi

Mughrabi

2012

NPA

Self Cite

View full text Add to dashboard Cite

The safeguarding of networks from malicious activities and intrusions continues to be one of the most important aspects in network security. Intrusion Detection Systems (IDSs) play a fundamental role in network protection. Unfortunately, the speeds of existing IDSs are unable to keep up with the rapid increases in network speeds and attack complexities. Fortunately, parallel computing on multi-core systems can lend a helping hand mitigating this performance gap. In this paper, novel and effective parallel implementations of the Wu-Manber (WM) algorithm for signature-based detection systems are proposed, implemented, and evaluated. The proposed function and data parallel algorithms prove to be effective in terms of execution time reduction and load balancing, thus providing swift intrusion detection at increased network bandwidths. The algorithms achieve an optimal load balance and an average speedup of 2x for four cores.

show abstract

Section: Resultsmentioning

confidence: 99%

Function and Data Parallelization of Wu-Manber Pattern Matching for Intrusion Detection Systems

Kharbutli

Aldwairi

Mughrabi

2012

NPA

Self Cite

View full text Add to dashboard Cite

show abstract

“…We proposed a new faster and memory-efficient software-based system, Exscind (EXcluSion inClusIoN intrusion Detection). 14 Exscind means to cut off or exclude from the union, which sums the main idea of the algorithm: to exclude clean traffic without performing costly PM. To achieve this, the Bloom filter is deployed in a novel manner.…”

Section: Exscind Overviewmentioning

confidence: 99%

“…Moreover, the number of signatures is increasing significantly as new attacks appear. From 2003 to 2011, the number of Snort rules containing signatures increased from 1542 to 9945, respectively 14 . Researchers found that PM is the most computationally expensive part that requires almost 30%‐60% of total signature‐based IDS processing time 15 .…”

Section: Introductionmentioning

confidence: 99%

“…On the other hand, if the traffic is malicious, the system excludes as many unmatched signatures as possible and includes just a subset of signatures that have a high probability of being a match. Finally, the system marks the location of the first probable match, to skip forward 14 . Experimental results show that the proposed system can accelerate signature‐based IDS by several times compared with the regular WM system used by Snort 19 .…”

Section: Introductionmentioning

confidence: 99%

“…From 2003 to 2011, the number of Snort rules containing signatures increased from 1542 to 9945, respectively. 14 Researchers found that PM is the most computationally expensive part that requires almost 30%-60% of total signature-based IDS processing time. 15 Pattern matching is at the core of antivirus software as well, with signatures in ClamAV exceeding 1.5 million, it is becoming harder to deploy antivirus at Internet gateways.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

n‐Grams exclusion and inclusion filter for intrusion detection in Internet of Energy big data systems

Aldwairi

Alansari

2019

Trans Emerging Tel Tech

Self Cite

View full text Add to dashboard Cite

The advent of Internet of Energy (IoE) and the seamless integration of grid operators, power generators, distributors, sensors, and end users promise more efficient use of energy. However, the IoE will inherit the vulnerabilities from all of the integrated systems, and this raises concerns for trust and privacy. The evolving complexity and increased speed of network‐based attacks emphasizes the need for an efficient intrusion detection system. Consequently, with the emergence of new attacks and the increasing number of signatures, traditional signature‐based intrusion detection systems cannot both sift through big data and meet high network speeds. Detection performance severely deteriorates when matching hundreds of gigabits per second to the growing number of attack signatures. Given that pattern matching takes up to 60% of the overall intrusion detection time, this paper presents a new and fast software‐based pattern matching system, Exscind. It proposes an exclusion‐inclusion filter to preclude clean traffic before having to do expensive pattern matching. Additionally, if the traffic is malicious, the system only matches against a subset of signatures that have a high probability of being a match. We extensively evaluate the system's performance and conclude that using 6‐grams signature prefix provides the best speedup and memory consumption with negligible false positives and linear scaling. We report a best‐case speedup of 6.5 times for normal traffic and 1.53 times for the worst possible scenario. For best‐case normal traffic, Exscind skips pattern matching for 98.36% of the packets.

show abstract

Intrusion Detection Systems

Reznik¹

2021

Intelligent Security Systems

View full text Add to dashboard Cite

Exscind: Fast pattern matching for intrusion detection using exclusion and inclusion filters

Cited by 16 publications

References 9 publications

Function and Data Parallelization of Wu-Manber Pattern Matching for Intrusion Detection Systems

Function and Data Parallelization of Wu-Manber Pattern Matching for Intrusion Detection Systems

n‐Grams exclusion and inclusion filter for intrusion detection in Internet of Energy big data systems

Intrusion Detection Systems

Contact Info

Product

Resources

About