http://dx.doi.org/10.3745/KIPSTC.2009.16-C.4.449

An Improved Signature Hashing Algorithm for High Performance Network Intrusion Prevention System  

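Ko, Joong-Sik (School of Information, Communication and Electronic Engineering, Soongsil University)
Kwak, Hu-Keun (School of Information, Communication and Electronic Engineering, Soongsil University)
Wang, Jeong-Seok (School of Information, Communication and Electronic Engineering, Soongsil University)
Kwon, Hui-Ung (School of Information, Communication and Electronic Engineering, Soongsil University)
Chung, Kyu-Sik (School of Information, Communication and Electronic Engineering, Soongsil University)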
Abstract
The signature hashing algorithm [9] uses a hash table to provide fast pattern matching for a network IPS (Intrusion Prevention System). It selects 2 bytes from all signature rules and links the rules to the hash table by the hash value. This improves performance because it reduces the number of rules inspected during pattern matching. However, performance drops as the number of rules with the same hash value increases, which happens when the number of rules is large and the correlation among rules is strong. In this paper, we propose a method that distributes all rules evenly across the hash table, independent of the number of rules and the correlation among rules, to overcome this disadvantage of the signature hashing algorithm. Before a new rule is linked to a hash value in the hash table, the proposed method checks whether a rule is already assigned to that hash value. If no rule is assigned, the new rule is linked to the hash value. Otherwise, the proposed method recalculates the hash value to place the rule in another position. We implemented the proposed method on a PC as a Linux module and performed experiments using Iperf as the network performance measurement tool. The signature hashing method shows a performance drop as the number of rules with the same hash value increases, when the number of rules is large and the correlation among rules is strong, but the proposed method shows no performance drop, independent of the number of rules and the correlation among rules.
Keywords
IPS (Intrusion Prevention System); Signature hashing; Pattern matching algorithm; Hash table
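The collision check described in the abstract, as an added Python sketch that is not the authors' Linux module. It assumes the baseline always hashes the first 2 bytes of a rule and that "recalculating" means moving to the next 2-byte window of the same rule; the signatures, payload and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample signatures (not real IPS rules) with strongly correlated prefixes.
SIGNATURES = [b"GET /admin", b"GET /login", b"GET /shell", b"GET /setup",
              b"POST /cgi", b"POST /api", b"USER root", b"USER test"]

def key_at(data, offset):
    """Hash value: the 2 bytes at `offset`, read as a 16-bit table index."""
    return int.from_bytes(data[offset:offset + 2], "big")

def build_baseline(signatures):
    """Fixed 2-byte selection (assumed: the first two bytes of every rule)."""
    table = defaultdict(list)
    for sig in signatures:
        table[key_at(sig, 0)].append((sig, 0))
    return table

def build_improved(signatures):
    """Check for an already assigned rule before linking; if one exists, recalculate.
    Assumed recalculation: move to the next 2-byte window of the same rule."""
    table = defaultdict(list)
    for sig in signatures:
        offsets = range(len(sig) - 1)
        free = next((o for o in offsets if key_at(sig, o) not in table), None)
        if free is None:  # every window is taken: join the shortest chain
            free = min(offsets, key=lambda o: len(table[key_at(sig, o)]))
        table[key_at(sig, free)].append((sig, free))
    return table

def longest_chain(table):
    """Worst-case number of rules inspected for a single hash value."""
    return max(len(chain) for chain in table.values())

def match(table, payload):
    """Look up every 2-byte window of the payload and verify only the rules
    linked to that hash value, aligned by the offset stored with each rule."""
    hits = set()
    for i in range(len(payload) - 1):
        for sig, off in table.get(key_at(payload, i), ()):
            start = i - off
            if start >= 0 and payload[start:start + len(sig)] == sig:
                hits.add(sig)
    return sorted(hits)

if __name__ == "__main__":
    payload = b"GET /shell HTTP/1.1"  # constructed payload
    for build in (build_baseline, build_improved):
        table = build(SIGNATURES)
        print(build.__name__, longest_chain(table), match(table, payload))
```

With these constructed rules the baseline chains four rules under one hash value while the collision-checked table holds one rule per value, and both tables report the same matches.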
Citations & Related Records
Times Cited By KSCI: 2
1 Knuth DE, Morris JH and Pratt VB, 'Fast pattern matching in strings', SIAM Journal of Computing, 1977
2 Wang Jeong-Seok, Kwak Hu-Keun, Jeong Yun-Jae, Kwon Hui-Ung, Chung Kyu-Sik, 'Design and Implementation of a High-Performance Intrusion Prevention Algorithm Based on Signature Hashing', Transactions of the Korea Information Processing Society, June, 2007
3 Sarang Dharmapurikar and John W. Lockwood, 'Fast and Scalable Pattern Matching for Network Intrusion Detection Systems', IEEE Journal on Selected Areas in Communications, Vol.24, No.10, October, 2006
4 A. Aho, M. Corasick, 'Efficient string matching: an aid to bibliographic search', Comm. ACM, 18:333-40, 1975
5 Ristic and Ivan, 'Apache Security', O'Reilly & Associates
6 X. Zhang, C. Li, and W. Zheng, 'Intrusion Prevention System Design', Proceedings of the Fourth International Conference on Computer and Information Technology, Sep., 2004
7 Boyer RS and Moore JS, 'A Fast String Searching Algorithm', Communications of the ACM, 1977
8 Jeong Bo-Heum, Kim Jeong-Nyeo, Sohn Seung-Won, 'Intrusion Prevention System Technology: Current Status and Outlook', Weekly Technology Trends, Issue 1098, June, 2003
9 J. Lockwood, 'Fast and Scalable Pattern Matching for Content Filtering', Architectures for Networking and Communication System (ANCS), Oct., 2005
10 ModSecurity, http://www.modsecurity.org
11 S. Wu and U. Manber, 'A fast algorithm for multi-pattern searching', Technical Report TR-94-17, Department of Computer Science, University of Arizona, 1994
12 Jeon Yong-Hee, 'Technical Analysis and Performance Evaluation Methods for Intrusion Prevention Systems (IPS)', Review of the Korea Institute of Information Security and Cryptology, Vol.15, No.2, Apr., 2005
13 Snort, http://www.snort.org/
14 Christoph M. Hoffmann and Michael J. O'Donnell, 'Pattern Matching in Trees', Journal of the Association for Computing Machinery, Vol.29, No.1, January, 1982
15 S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J.W. Lockwood, 'Deep Packet Inspection Using Parallel Bloom Filters', The International Symposium on High Performance Interconnects (HotI), Aug., 2003
16 Ko Joong-Sik, Kwak Hu-Keun, Kim Jeong-Gil, Chung Kyu-Sik, 'Performance Analysis of Snort According to Rules and Payload', Korea Institute of Information Security and Cryptology Spring Conference, pp. 325-328, 2008