Skip Navigation


The Computer Journal Advance Access originally published online on April 15, 2009
The Computer Journal 2009 52(6):699-723; doi:10.1093/comjnl/bxp026
This Article
Right arrow Full Text (PDF)
Right arrow All Versions of this Article:
52/6/699    most recent
bxp026v1
Right arrow Alert me when this article is cited
Right arrow Alert me if a correction is posted
Services
Right arrow Email this article to a friend
Right arrow Similar articles in this journal
Right arrow Alert me to new issues of the journal
Right arrow Add to My Personal Archive
Right arrow Download to citation manager
Right arrowRequest Permissions
Google Scholar
Right arrow Articles by Chen, Z.
Right arrow Articles by Delis, A.
Social Bookmarking
Add to CiteULike   Add to Connotea   Add to Del.icio.us  
What's this?

© The Author 2009. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions, please email: journals.permissions@oxfordjournals.org

A Digest and Pattern Matching-Based Intrusion Detection Engine

Zhongqiang Chen1,*, Yuan Zhang2, Zhongrong Chen3 and Alex Delis4

1 Yahoo! Inc., Santa Clara, CA 95054, USA
2 Department of Mathematics, Florida State University, Tallahassee, FL 32306, USA
3 ProMetrics Inc., King of Prussia, PA 19406, USA
4 Department of Informatics and Telecommunications, University of Athens, Athens, 15784, Greece

* Corresponding author: zqchen{at}yahoo-inc.com

Received 5 October 2008; revised 14 March 2009

Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Key Words: pattern matching engine of IDSs/IPSs • multi-pattern matching algorithms • fingerprinting and digesting techniques • intrusion detection process

Handling editor: Alison Bentley and Florence Leroy.


Add to CiteULike CiteULike   Add to Connotea Connotea   Add to Del.icio.us Del.icio.us    What's this?




Disclaimer: Please note that abstracts for content published before 1996 were created through digital scanning and may therefore not exactly replicate the text of the original print issues. All efforts have been made to ensure accuracy, but the Publisher will not be held responsible for any remaining inaccuracies. If you require any further clarification, please contact our Customer Services Department.