Author: Nen-Fu Huang, Yen-Ming Chu, Yih-Jou Tzang, Jian-Lin Chen, Hsien-Wei Hun, Ming-Chang Shih and Chia-Nan Kao
Publisher: IEEE GLOBECOM 2006
Presenter: Zong-Lin Sie
Date: 2011/03/16
Multiple-pattern string matching algorithms such as Aho-Corasick (AC) are computationally intensive, so a fast software implementation is not easy to achieve.
Hardware acceleration is usually expensive, and the interface may become the bottleneck when it is integrated with existing network appliances.
This paper presents an efficient pre-filtering algorithm that filters out clean packets so that string matching in the NIDS can be sped up.
The proposed algorithm uses a tiny data structure, is computationally light, and is cache-resident.
It can be implemented efficiently in a software-based platform.
The pre-filter may generate false positives but not false negatives.
Super-Symbol Filter (SSF).
The basic idea of SSF is to treat two bytes of data as a super-symbol and to use a bitmap to indicate the occurrence of each super-symbol in the pre-defined patterns.
For example, for 8-bit ASCII code there are 65536 combinations of two bytes, so a bitmap vector of 65536 entries (64k-bit) is used.
To improve accuracy and reduce the number of false positives, the proposed SSF-1 is further extended.
In SSF-2, two match vectors (two bitmaps) are employed in the constructing phase. The First Match Vector (FMV) is used for the super-symbols formed by the first two symbols of each pattern. The Rest Match Vector (RMV) is used for the remaining super-symbols in the patterns, other than those in the FMV.
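The two-vector construction described above, as an added C sketch that is not code from the paper or the slides. The scan rule (an FMV hit followed by RMV hits for as many super-symbols as the shortest pattern has) is an assumption chosen so that no pattern occurrence can be missed; all function names and the sample patterns are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSF_BYTES (65536u / 8)   /* one 64k-bit match vector = 8 KB */

typedef struct {
    uint8_t fmv[SSF_BYTES];      /* First Match Vector */
    uint8_t rmv[SSF_BYTES];      /* Rest Match Vector  */
    size_t  min_pairs;           /* super-symbols in the shortest pattern */
} ssf2_t;

static unsigned ss(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
static void set_bit(uint8_t *v, unsigned s) { v[s >> 3] |= (uint8_t)(1u << (s & 7)); }
static int  get_bit(const uint8_t *v, unsigned s) { return (v[s >> 3] >> (s & 7)) & 1; }

/* Constructing phase: first byte pair of each pattern goes to the FMV,
 * every later pair to the RMV. One-byte patterns cannot be represented. */
void ssf2_build(ssf2_t *f, const char *const *pats, size_t n)
{
    memset(f, 0, sizeof *f);
    for (size_t k = 0; k < n; k++) {
        size_t len = strlen(pats[k]);
        if (len < 2) continue;                     /* needs another filter */
        const uint8_t *p = (const uint8_t *)pats[k];
        set_bit(f->fmv, ss(p));
        for (size_t i = 1; i + 1 < len; i++) set_bit(f->rmv, ss(p + i));
        if (f->min_pairs == 0 || len - 1 < f->min_pairs) f->min_pairs = len - 1;
    }
}

/* Scan (assumed rule): 1 = hand payload to the full matcher, 0 = clean. */
int ssf2_suspicious(const ssf2_t *f, const uint8_t *buf, size_t len)
{
    if (f->min_pairs == 0) return 0;               /* no usable patterns */
    for (size_t i = 0; i + f->min_pairs < len; i++) {
        if (!get_bit(f->fmv, ss(buf + i))) continue;
        size_t j = 1;
        while (j < f->min_pairs && get_bit(f->rmv, ss(buf + i + j))) j++;
        if (j == f->min_pairs) return 1;
    }
    return 0;
}

/* Constructed sample patterns, for illustration only. */
int ssf2_demo(const char *payload)
{
    static const char *const pats[] = { "attack", "/bin/sh", "cmd.exe" };
    ssf2_t f; ssf2_build(&f, pats, 3);
    return ssf2_suspicious(&f, (const uint8_t *)payload, strlen(payload));
}
```

With these patterns, `ssf2_demo("type cmd.exx")` returns 1 even though no pattern is present, which is the false-positive side of the filter; a payload that really contains a pattern always returns 1.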
By tracking the growing paths of Snort rule patterns, as shown in Table I, the percentage of set bits in the MV, FMV, and RMV is still very small (5%).
A limitation of the SSF filtering technique is that it is not applicable to one-byte patterns. (Use simple method [11])
Parallel Bloom Filter (PBF) [11]. Uses eight Bloom filters, each consuming 64KB of hash space, so the total memory used for the PBF scheme is 8*64KB = 512KB.
Integrated Database Processor (IDP) [12]. The bitmap used in the IDP scheme has only 256 entries, for one-byte symbols.