Automata-Theoretic Analysis of Bit-Split Languages for Packet Scanning

  • Ryan Dixon
  • Ömer Eğecioğlu
  • Timothy Sherwood
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5148)

Abstract

Bit-splitting breaks the problem of monitoring traffic payloads to detect the occurrence of suspicious patterns into several parallel components, each of which searches for a particular bit pattern. We analyze bit-splitting as applied to Aho-Corasick style string matching. The problem can be viewed as the recovery of a special class of regular languages over product alphabets from a collection of homomorphic images. We use this characterization to prove correctness and to give space bounds. In particular we show that the NFA to DFA conversion of the Aho-Corasick type machine used for bit-splitting incurs only linear overhead.

Keywords

Intrusion Detection, Intrusion Detection System, Homomorphic Image, String Match, Cross Edge
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Ryan Dixon (1)
  • Ömer Eğecioğlu (1)
  • Timothy Sherwood (1)
  1. Department of Computer Science, University of California, Santa Barbara
