4th International IEEE Conference on Broadband Communications, Networks, Systems

Research Article

Traffic-Aware Packet Matching for Intrusion Detection Systems

  • @INPROCEEDINGS{10.1109/BROADNETS.2007.4550445,
        author={Atsushi Yoshioka and Min Sik Kim},
        title={Traffic-Aware Packet Matching for Intrusion Detection Systems},
        proceedings={4th International IEEE Conference on Broadband Communications, Networks, Systems},
        publisher={IEEE},
        proceedings_a={BROADNETS},
        year={2010},
        month={5},
        keywords={},
        doi={10.1109/BROADNETS.2007.4550445}
    }
    
Atsushi Yoshioka (1,*), Min Sik Kim (1,*)
  • 1: School of Electrical Engineering and Computer Science, Washington State University, Pullman, Washington 99164-2752, U.S.A.
*Contact email: ayoshiok@eecs.wsu.edu, msk@eecs.wsu.edu

Abstract

Intrusion detection systems spend the majority of their CPU time matching packets against rules, so fast identification of matches is crucial. Previous approaches may perform poorly under certain traffic conditions because they either do not adapt to the traffic pattern or require setup time to reorganize the rules whenever the traffic pattern changes. We propose a two-stage packet matching scheme that reduces matching time with little overhead. The first stage applies only a small number of the most frequently matched rules. Only a fraction of the packets are passed to the second stage, where processing takes longer. The rules in the first stage are updated continuously as their match frequencies change.