An Efficient Pattern Matching Algorithm Using Multi-core CPUs


Bibliographic Details
Main Authors: Tzu Hao Yang, 楊紫豪
Other Authors: C. L. Lee
Format: Others
Published: 2014
Online Access: http://ndltd.ncl.edu.tw/handle/72176219393291603042
Description
Summary: Master's === Chang Gung University === Department of Computer Science and Information Engineering === 102 === With the increased popularity of the Internet, network security issues have become more important than ever. Network Intrusion Detection Systems (NIDS) have been widely used to protect hosts from external attacks. These devices monitor packets in the network and scan packet payloads to detect malicious intrusions according to predefined rules called patterns or signatures. Studies have revealed that a NIDS spends a great portion of its time performing pattern matching. Thus, the performance of a NIDS highly depends on the adopted pattern matching algorithm. Conventional pattern matching algorithms build a Finite State Machine (FSM) to compare packet payloads. However, storing an FSM requires a great deal of memory. As the number of patterns increases, the required memory size increases, which in turn causes the performance of the pattern matching algorithm to decrease. A head-body finite automaton (HBFA), which was proposed recently, can be used to deal with the above problem by decomposing an FSM into two parts: a head DFA (H-DFA) and a body NFA (B-NFA). The H-DFA deals with the frequently accessed states and performs similarly to the well-known Aho-Corasick (AC) DFA, while the B-NFA stores the required data structure in a compact way and accelerates the operations using single-instruction multiple-data (SIMD) instructions. Although the HBFA can achieve better performance than the AC-DFA, the head-body partitioning is performed statically, which cannot fully utilize the memory. In this thesis, we propose a pattern matching algorithm with a scalable partitioning strategy to improve the memory utilization. By fully utilizing the memory, the proposed algorithm can provide higher throughput than the HBFA. Simulation results show that the proposed algorithm can reach up to 60% performance improvement for Snort rules, and up to 55% for ClamAV rules.