An Efficient Packet Pre-filtering Algorithm for NIDS

  • Zhong Qiuxi
  • Wan Hui
  • Xie Peidai
  • Chen Cheng
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 126)


The increasing number of rules used in Network Intrusion Detection System(NIDS) based on pattern matching lead to the performance diminishing. An efficient algorithm(Multi-AC) for Packet Pre-filtering is proposed to improve the performance of Packet Pre-filtering and NIDS. By making Multilevel AC finite automata, it reduces the number of rules that are candidates for a full match. Experiments based on Snort show that the rules’ number can be reduced to 11%-14% by using Multi-AC algorithm.


Pattern Match Bloom Filter String Match Candidate Rule Target String 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Tang, Y., Luo, J., Xiao, B., Wei, G.: Concept, Characteristics and Defending Mechanism of Worms. IEICE Transactions on Information and Systems E92-D(5), 799–809 (2009)CrossRefGoogle Scholar
  2. 2.
    Tang, Y., Xiao, B., Lu, X.: Using a Bioinformatics Approach to Generate Accurate Exploit-based Signatures for Polymorphic Worms. Computers & Security (Elsevier) 28(8), 827–842 (2009)Google Scholar
  3. 3.
    Snort. Network Intrusion Detection System (EB/OL),
  4. 4.
    Coit, C.J., Staniford, S.: Toward faster string matching for intrusion detection or exceeding the speed of snort. In: Proceedings of 2nd DARPA Information Survivability Conference and Exposition (DISCEX II), pp. 367–373. IEEE CS Press, Piscataway (2001)CrossRefGoogle Scholar
  5. 5.
    Boyer, R.S., Moore, J.S.: A Fast String Searching Algorithm. Commun. ACM 20(10), 762–772 (1977)zbMATHCrossRefGoogle Scholar
  6. 6.
    Aho, A.V., Corasick, M.J.: Efficient String Matching: An Aid to Bibliographic Search. Commun. ACM 18(6), 333–340 (1975)MathSciNetzbMATHCrossRefGoogle Scholar
  7. 7.
    Yu, F., Chen, Z., Diao, Y., et al.: Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection. In: ANCS 2006 (2006)Google Scholar
  8. 8.
    Kumar, S., Dharmapurikar, S., Yu, F., et al.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In: Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 339–350. ACM Press, New York (2006)Google Scholar
  9. 9.
    Becchi, M., Cadambi, S.: Memory-Efficient Regular Expression Search Using State Merging. In: IEEE INFOCOM (2007)Google Scholar
  10. 10.
    Markatos, E., Antonatos, S., Polyhronakis, M., et al.: Exclusion-based signature matching for intrusion detection. In: Proceedings of the IASTED International Conference on Communications and Computer Networks (CCN), pp. 146–152 (September 2002)Google Scholar
  11. 11.
    Dharmapurikar, S., Krishnamurthy, P., Sproull, T., Lockwood, J.: Deep packet inspection using parallel bloom filters. In: Proceedings of the 11th Symposium on High Performance Interconnects, pp. 44–51 (2003)Google Scholar
  12. 12.
    Attig, M., Dharmapurikar, S., Lockwood, J.: Implementation results of bloom filters for string matching. In: FCCM 2004: Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, pp. 322–323. IEEE Computer Society, Washington, DC (2004)CrossRefGoogle Scholar
  13. 13.
    Antonatos, S., Polychronakis, M., Akritidis, P., Anagnostakis, K.G., Markatos, E.P.: Piranha: Fast and memory-efficient pattern matching for intrusion detection. In: Proceedings 20th IFIP International Information Security Conference, SEC (2005)Google Scholar

Copyright information

© Springer-Verlag GmbH Berlin Heidelberg 2012

Authors and Affiliations

  1. 1.School of Computer ScienceNational University of Defense TechnologyChangshaChina

Personalised recommendations