Hybrid Compression of the Aho-Corasick Automaton for Static Analysis in Intrusion Detection Systems

  • Ciprian Pungila
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 189)


We are proposing a hybrid algorithm for constructing an efficient Aho-Corasick automaton designed for data-parallel processing in knowledge-based IDS, that supports the use of regular expressions in the patterns, and validate its use as part of the signature matching process, a critical component of modern intrusion detection systems. Our approach uses a hybrid memory storage mechanism, an adaptation of the Smith-Waterman local-sequence alignment algorithm and additionally employs path compression and bitmapped nodes. Using as a test-bed a set of the latest virus signatures from the ClamAV database, we show how the new automata obtained through our approach can significantly improve memory usage by a factor of times compared to the unoptimized version, while still keeping the throughput at similar levels.


static analysis aho-corasick smith-waterman high compression pattern fragmentation parallel algorithm 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aho, A., Corasick, M.: Efficient string matching: An Aid to blbiographic search. CACM 18(6), 333–340 (1975)MathSciNetMATHGoogle Scholar
  2. 2.
    Clam AntiVirus,
  3. 3.
    Cha, S.K., Moraru, I., Jang, J., Truelove, J., Brumley, D., Andersen, D.G.: Split Screen: Enabling Efficient, Distributed Malware Detection. In: Proc. 7th USENIX NSDI (2010)Google Scholar
  4. 4.
    Lee, T.H.: Generalized Aho-Corasick Algorithm for Signature Based Anti-Virus Applications. In: Proceedings of 16th International Conference on Computer Communications and Networks, ICCN (2007)Google Scholar
  5. 5.
  6. 6.
    Paxson, V.: Bro: A system for detecting network intruders in real-time. Computer Networks 31, 2435–2463 (1999)CrossRefGoogle Scholar
  7. 7.
    Pungila, C.: A Bray-Curtis Weighted Automaton for Detecting Malicious Code Through System-Call Analysis. In: 11th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (cisis), pp. 392–400 (2009)Google Scholar
  8. 8.
    Tuck, N., Sherwood, T., Calder, B., Varghese, G.: Deterministic memory-efficient string matching algorithms for intrusion detection. In: 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), vol. 4, pp. 2628–2639 (2004)Google Scholar
  9. 9.
    Zha, X., Sahni, S.: Highly Compressed Aho-Corasick Automata For Efficient Intrusion Detection. In: IEEE Symposium on Computers and Communications (ISCC), pp. 298–303 (2008)Google Scholar
  10. 10.
    Pungila, C., Negru, V.: A Highly-Efficient Memory-Compression Approach for GPU-Accelerated Virus Signature Matching. In: Information Security Conference, ISC (2012)Google Scholar
  11. 11.
    Arshad, J., Townend, P., Xu, J.: A novel intrusion severity analysis approach for Clouds. Future Generation Computer Systems (2011), doi:10.1016/j.future.2011.08.009Google Scholar
  12. 12.
    Corchado, E., Herrero, A.: Neural visualization of network traffic data for intrusion detection. Applied Soft Computing 11(2), 2042–2056 (2011)CrossRefGoogle Scholar
  13. 13.
    Panda, M., Abraham, A., Patra, M.R.: Hybrid Intelligent Approach for Network Intrusion Detection. Procedia Engineering 30, 1–9 (2012), doi:10.1016/j.proeng.2012.01.827CrossRefGoogle Scholar
  14. 14.
    Needleman, S.B., Wunsch, C.D.: A general method applicable to the search for similarities in the amino acid sequence of two proteins. J. Mol. Biol. 47, 443–453 (1970)CrossRefGoogle Scholar
  15. 15.
    Smith, T.F., Waterman, M.S.: Identification of Common Molecular Subsequences. J. Mol. Biol. 147, 195–197 (1981)CrossRefGoogle Scholar
  16. 16.
    Bioinformatics Explained: Smith-Waterman,
  17. 17.
    Scarpazza, D.P.: Top-Performance Tokenization and Small-Ruleset Regular Expression Matching. Int. J. Parallel Prog. 39, 3–32 (2011)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. 1.West University of TimisoaraTimisoaraRomania

Personalised recommendations