Professional Documents
Culture Documents
ABSTRACT
String matching plays an important role in content inspection based applications such as
network intrusion detection/prevention and anti-virus. It is facing critical performance
challenges due to the rapid increase in network bandwidth and the expansion in pattern set
size. With multicore processors emerging as the dominant network processing platform,
traditional one-dimension workload distribution model via flow-based traffic parallel
processing can not fully exploit their computing power and cache hierarchy. In this paper, a
scalable string matching framework is proposed by introducing another workload
distribution dimension in pattern set. This framework distributes workloads in two
dimensions: the network traffic dimension and the pattern set dimension. A novel pattern
clustering mechanism named PCM is presented to optimize the pattern set partitioning.
Experimental results show that the proposed framework obtains a throughput speedup of
60% compared with the traditional one-dimension workload distribution mode on real-life
rule sets while the PCM pattern clustering mechanism further improves the overall
throughput by 15%~20%. The framework can adapt to various string matching algorithms
and the PCM scheme can be applied to different leap-based algorithms.
600 14%
300 3.5
Average Leap Value
Pkt4
Throughput(Mbps)
250 3.0
2.5
P4
200
2.0 P3
150
1.5
Core#3
100 P2
1.0
50 0.5 P1 Pattern
0 0.0 Flow-based Load Balancing Set
1000 2000 3000 4000 5000 1000 2000 3000 4000 5000
Number of Patterns Number of Patterns
Figure 3: One-dimension workload distribution model
(a) (b)
Figure 2: Throughput and average leap value of MRSI Pkt3 Pkt1
P2
Core#1
P1
large pattern sets are likely to induce high cache miss
ratios, and thus cause low searching speed. For Flow-based AC Engine
Short Pattern
Subset
instance the throughput with 1,992 patterns in Fig. 1-(a) Load Balancing
Pkt4 Pkt2
is only about one third of the throughput with less than
P2
100 patterns. Core#2
P1
Fig. 2-(a) shows the searching speed of MRSI on Short Pattern
the same core as used in testing AC. The patterns are AC Engine Subset
Pattern Set
by pattern set partitioning to exploit the best pattern packets distribution in the searching stage. Detailed
scattering in the pattern subsets, and then engages explanation of RMS is stated in Section Ⅲ.E.
flow-based load balancing in another dimension to
achieve high systemic throughput. 3.3 Pattern Set Partitioning
Fig. 4 illustrates a prototype of the two-dimension In the preprocessing stage, PSD is in charge of
workload distribution framework. In the first dividing the patterns into subsets for distributed
dimension, the entire pattern set is divided into two pattern matching in the SMEs. There are three steps for
categories, the short patterns P1~P2 and the long pattern set partitioning.
patterns P3~P6, and further, the long patterns are
divided into two subsets: P3 & P4 to be processed in In the first step, string matching algorithms are
Core#3 and P5 & P6 to be processed in Core#4. DFA- chosen for the SMEs. The selection of algorithms is
based and leap-based algorithms are employed to related to the characteristics of the pattern set. Take
process the short and long pattern subsets separately, Snort rule for example: Fig. 6 shows the length
where AC and MRSI are selected in this example. In distribution of Snort rules in March 2008, which
the second dimension, flow-based load balancing is contain 5,831 patterns. The rule set has 68 patterns
employed to distribute the incoming packets evenly to with l byte, and 1,421 patterns shorter than 6 bytes.
different cores. The packets need to be duplicated to Since leap-based algorithms cannot handle short
be dispatched into the pattern subsets simultaneously. patterns, DFA-based algorithms are required.
However, compared with the searching speed of the Meanwhile, since DFA-based algorithms suffer from
string matching engines, it is believed that the cache misses with large pattern sets, leap-based
duplicating and dispatching of the packets will not algorithms are required to complement DFA-based
become the bottleneck of the whole framework. algorithms. In this paper, AC is selected as the
representative of DFA-based algorithms to handle the
short patterns less than 6 bytes, while MRSI is selected
3.2 System Architecture as the representative of leap-based algorithms to
As shown in Fig. 5, the proposed framework handle the rest long patterns. It should be noticed that
mainly contains four components: a Flow Buffer, a the two-dimension framework is independent of the
Resource Manager & Scheduler (RMS), a Pattern Set algorithms. AC and MRSI are simply selected as an
Divider (PSD), and several String Matching Engines example to illustrate the advantage of the two-
(SMEs). dimension framework.
Flow Buffer is in charge of storing and In the second step, the pattern subset sizes should
reassembling the incoming packets, so that the packets be decided for the AC and MRSI engines. As known,
belonging to the same flow are stored sequentially in both of the algorithms suffer performance decline due
the same queue. PSD is responsible for pattern set to the expansion of pattern set sizes. For AC, as
partitioning and data structure optimization. It illustrated in Fig. 1-(a), it typically has an inflexion in
determines how to divide the patterns into subsets in performance due to the increase in data cache miss
the preprocessing stage, which will be further ratios. Furthermore, the inflexion is mainly determined
discussed in Section Ⅲ.C. SMEs denote the cores by the L1 cache size of the CPU. Hence, the proper
where string matching operations are performed. RMS pattern subset size for AC is determined by the
is responsible for allocating the computing resources hardware architecture of the multicore platforms.
(cores) in the preprocessing stage according to the When deployed on the platform in the case of Fig. 1,
expected overall performance. RMS also schedules the the proper size should be less than 512 patterns, for the
600
500
Number of Patterns
400
300
200
100
0
1
6
11
16
21
26
31
36
41
46
51
56
61
66
71
76
81
86
91
96
101
106
111
116
Pattern Length
Figure 6: Pattern length distribution of Snort rules Figure 7: Data structure of MRSI
performance decline accelerates at this point, which function. So m cost values are gotten as
makes it an inflexion. The pattern subset sizes for λ j (1 ≤ j ≤ m) .
MRSI engines should be determined by the 2) For each pi in the other n − m
performance expectation on single core. For example, patterns, calculate sum of cost values ∑ k λ j ,
as shown in Fig. 2-(a), if the single core matching
speed is expected to be larger than 300Mbps, the which denotes the total cost with pi joining the
pattern subset size should be less than 2,000 patterns. subset S k . If ∑ t λ j = min1≤k ≤m ∑ k λ j , then put pi
into the subset St . Thus, the initial subset-ids of
In the third step, the patterns are classified into all the patterns are set and the subsets get their
different subsets. For DFA-based algorithms like AC, initial cost values λ 0j (1 ≤ j ≤ m) .
the performance of each subset is primarily
3) Start pattern clustering iterations. In
determined by the number of patterns rather than the
scattering of the patterns in different subsets. However, the first iteration, for each pi , assuming its
pattern scattering can significantly influence the subset-id is t , change its subset-id from 1 to m
performance of leap-based algorithms like MRSI since and calculate the new sum of cost values ∑ 0k λ j ,
the leaps are determined by the distribution of the which denotes the total cost with pi joining the
characters in patterns. Consequently, pattern clustering subset S k . If ∑ 0v λ j = min1≤k ≤m ∑ 0k λ j , change the
for leap-based algorithms becomes an open issue, subset-id of pi from t to v . After all patterns
which motivates the design of the pattern clustering finish the first iteration, some patterns are set
mechanism in this paper. new subset-id and the subsets get new cost
values λ1j (1 ≤ j ≤ m) .
3.4 Pattern Clustering Mechanism (PCM) 4) Proceed the pattern clustering
Pattern scattering in the pattern subsets is of great iretations until the two consecutive total cost
significance to the searching speed of leap-based tolerance is smaller than a given positive value
algorithms. If the patterns in each subset are treated as ε . Thus, if (∑ rk λ j −∑ rk−1 λ j ) / ∑ rk λ j < ε , the
a cluster, the pattern scattering in the subsets can be iterations will be stopped at iteration r and the
seen as a pattern clustering problem. Mathematically, patterns get their final subset-ids.
pattern clustering is an optimization problem of The design of cost function has crucial influence
seeking the optimal mapping function f : P → S to on the practical performance of MRSI engines, for it
minimize the sum of cost values ∑ λ j (1 ≤ j ≤ m) , where determines how the patterns are clustered. Fig. 7
P is the pattern set P = { pi |1 ≤ i ≤ n} and S stands for shows the data structure of MRSI [6], in which the
the m subsets S = {S j |1 ≤ j ≤ m} . three Block Leap Tables (BLTs) stores the longest
leaps that can be generated according to the three two-
In this paper, a novel pattern clustering mechanism character blocks and the Potential Match Table (PMT)
named the PCM scheme is devised to optimize the stores the possible matching patterns when the leap
pattern partitioning for leap-based algorithms. Herein, value in BLT#1 equals to zero. The last two characters
MSRI is taken as the representative of leap-based are used as hash indexes in PMT. The matching
algorithms to illustrate the details of the PCM scheme, process of MRSI is:
which can easily adapt to other leap-based algorithms
with slight modification in the cost functions. The a) Use the three two-character blocks of the input
procedure of the PCM scheme for MRSI includes: text to index the BLTs and get three leap values;
1) Given the number of clusters m, b) Denote the maximum of the three leap values as
Lmax . If Lmax > 0 , then shift the input text by Lmax ;
randomly select m patterns and place each of
them into one subset. A cost value is calculated c) If Lmax = 0 , use the last two-character block of
for each subset according to a prescribed cost the input text as the index to search PMT, and match
the potential patterns one by one to find out the exact the overall performance requirement. The aim is that
matches. the scanning speed on the subsets should be balanced
to ensure high utilization of hardware resources. Thus,
According to the searching procedure of MRSI, it given an overall expected throughput, assign enough
is observed that the leap values in the three BLTs and cores to each subset. Otherwise, if the number of cores
the lengths of the hash lists in PMT are the key factors is not enough, the cores should be allocated
that impact string matching speed. Obviously, MRSI proportionally based on the searching speed on each
performs better if the leap values are larger or the hash subset to achieve a possibly maximum throughput,
list lengths are shorter. Thus, a good pattern clustering assuming the single core searching speed on each
mechanism should aim at obtaining the longest subset is prior knowledge with specific string
average leap value of the entries in the three BLTs and matching algorithms. A simple resource management
obtaining the shortest average length of the hash lists algorithm is proposed here:
in PMT.
Assume PSD has divided the patterns into m
The leap values in the three BLTs can be denoted subsets S1 , S2 , ... , S m , and the single core searching
as Lki (0 ≤ i ≤ 65535, 1 ≤ k ≤ 3) , and so the average leap throughputs on the subsets are denoted as T1 , T2 , ... , Tm .
value will be L = mean( Lki ) . The hash list lengths can Given the expected throughput E and the number of
be designated as H i (0 ≤ i ≤ 65535) , and so the average cores C, the number of cores needed for subset
hash list length will be H = mean( H i ) . It should be S k (1 ≤ k ≤ m) should be ⎢⎡ E / Tk ⎥⎤ (1 ≤ k ≤ m) . Denote
noticed that, if there is a potential match, MRSI needs Esum = ∑ k =1 ⎢⎡ E / Tk ⎥⎤ . If C ≥ Esum , the number of cores
m
In the traditional one-dimension workload Snort 192 Mbps 316 Mbps 377 Mbps
distribution model, the entire pattern set is applied in ClamAV 142 Mbps 234 Mbps 274 Mbps
all the string matching engines (SMEs). Since leap-
based algorithms cannot handle short patterns, AC
becomes the only choice for the string matching Besides, the throughput with the ClamAV rule set
algorithm in the SMEs. As shown in Fig. 3, each SME is slightly lower than that with the Snort rule set. This
handle the whole pattern set with AC algorithm. When is due to the larger number of patterns and longer
tested on the AMD Opteron multicore platform, each average pattern lengths in the ClamAV rule set, which
of the four cores runs a SME with AC algorithm, while will cause performance decline in AC string matching
the incoming traffic is distributed to the four cores engines.
with flow-level load balancing. The overall throughput
is the average value of three times of tests with each 4.3 Evalution of the PCM Scheme
pattern set and its corresponding trace.
The PCM scheme is the kernel algorithm in
When testing the two-dimension workload Pattern Set Divider (PSD). It determines the scattering
distribution framework, short patterns with less than 6 of long patterns in the MRSI subsets, which can
bytes are handled by AC while the long patterns are significantly influence the overall performance of the
handled by MRSI. As shown in Fig. 4, two cores of two-dimension framework.
the AMD Opteron multicore platform are selected as
To evaluate the performance of the PCM scheme,
AC string matching engines, and flow-level load
experiments were conducted on the real-life DEFCON
balancing is applied. The long patterns are split into
trace along with the long patterns of the Snort rule set,
two subsets either with random clustering mechanism
which includes totally 4,410 patterns with no less than
(RCM) or with the PCM scheme, and the other two
6 bytes. Since there is no any prior pattern clustering
cores run MRSI string matching engines with the two
mechanism in the literature, performance comparison
subsets separately. Every incoming packet is
is done between the PCM scheme and the random
duplicated and sent into the two MRSI engines to scan
clustering mechanism (RCM), which randomly
simultaneously. The overall throughput is a total value
partitions the patterns into the subsets and ensures
of the two AC engines and the two MRSI engines, and
every subset having the same number of patterns.
an average value of three times of tests with each
pattern set and its corresponding trace is taken as the For better comparing the performance of the PCM
final result. scheme and the RCM scheme, the long pattern rule set
is divided into 2, 4, 8, and 16 subsets to test the overall
Table 1 shows the performance of the one-
MRSI string matching performance on the AMD
dimension model and the two-dimension framework
Opteron multicore platform. Furthermore, since the
with the two real-life pattern sets and their
performance of MRSI is determined by the total
corresponding traces on the AMD Opteron multicore
memory access times, the average leap values, the
platform. With the DEFCON trace and the Snort
130% 6
120% 5
60% 0
0 2 4 6 8 10 12 14 16 18 0 2 4 6 8 10 12 14 16 18
Number of Subsets Number of Subsets
110% 120%
Number of Naïve Comparisons
110%
50% 50%
0 2 4 6 8 10 12 14 16 18 0 2 4 6 8 10 12 14 16 18
Number of Subsets Number of Subsets
Figure 10: MRSI naïve comparison percentage Figure 11: MRSI table indexing percentage
number of naïve comparisons, and the number of table partially contributes to the highest performance
indexing were observed on the two clustering schemes. improvement shown in Fig. 8.
Fig. 8 illustrates the MRSI performance gain with Fig. 11 shows the percentage of table indexing
the PCM scheme compared with the RCM scheme. It times needed by the MRSI algorithm with the PCM
shows that the PCM scheme outperforms RCM by scheme compared to the RCM scheme. The table
15%~25% when the number of subsets varies from 2 indexing means the memory accesses in the BLTs of
to 16, where PCM achieves its highest improvement MRSI’s data structures, which is part of the overhead
percentage when the number of pattern subsets equals in string matching. It is shown that PCM reduces the
to 4. One reason is that the AMD Opteron multicore times of table indexing by 15%~25% compared with
platform has 4 cores, which will get highest CPU RCM. Besides, the reducing percentage is relatively
utilization efficiency when the number of tasks equals stable in spite of different number of subsets.
to 4.
Fig. 9 depicts the average leap values of the MRSI 4.4 Convergence Speed of PCM
algorithm when the patterns are partitioned by the two Table 2 provides the times of iterations needed for
pattern clustering mechanisms. With a given number the PCM scheme with different number of subsets. It
of subsets, the overall average leap value is the mean is shown that the PCM scheme converges quite fast
of the average leap values on each subset. It is shown and the required times of iterations increase slowly
that the average leap value with PCM is visibly larger when the number of subsets grows.
than with RCM when the number of subsets varies Table 2: PCM convergence speed
from 2 to 16. Besides, when the number of subsets
increases, the average leap values with the two #Subsets 2 4 8 16
schemes keep increasing, since the number of patterns
in each subset is reduced. #Iterations 0 2 3 5
600
580
value does not equal to zero, the matching window can
be shifted by this value; otherwise naïve comparisons
560
will be adopted to verify the potential matching
540
patterns indicated by the prefix hash table. WM
520 consumes much less memory than AC, but it needs
500 time-consuming comparisons when no leap could be
0 1 2 3 4 5 6 7 8 9
Matching Rate(%)
generated. Moreover, when the pattern set grows large,
the probability of getting leaps and the average leap
Figure 12: MRSI performance with different matching rates in PCM value are inevitable to become smaller, which will
deeply impact the string matching speed.
in a period of time, one hour for example. Otherwise, There are many other software algorithms
the matching rate can be set a default value for proposed in recent years. Leap-based algorithms
expedience. including AC_BM [10], Setwise Boyer-Moore [11],
Fig. 12 gives the overall performance of MRSI E2xB [12], RSI [5], MRSI [6] are presented to
with different matching rate applied in the PCM cost leverage the characteristics in pattern sets for
function. In this test, the number of MRSI subsets is improving scanning performance. However, these
set 2 and the experiments are conducted on the AMD leap-based algorithms suffer from the same problem
Opteron multicore platform. Each subset is assigned with WM that the prospective leap value will become
with two cores and flow-level load balancing is smaller when the number of patterns increases.
engaged to distribute the incoming packets. It is shown Hardware algorithms mainly rely on the specially
that the overall performance varies between 580Mbps designed architectures to accelerate string matching.
and 625Mbps and the throughput reaches its peak FPGA-based algorithms [13-20] and ASIC-based
value when the matching rate equals to 3.5%. In fact, algorithms [21-27] exploit the parallelism in circuits as
the total matching time is 12,633,581 and the precise well as the abundance of data channels to achieve
matching rate is 3.57%, given the trace of 353,799,850 gigabit-level throughput. However, the high cost, long
bytes in length. The results demonstrate that the PCM developing term, and poor flexibility encumber their
clustering scheme achieves the highest performance feasibility of wide deployment.
when the matching rate approaches the actual rate in
practice. In recent years, multicore processors have emerged
as a competitive candidate for high performance string
matching architectures. They are superior to general
5 RELATED WORKS purpose CPUs for their powerful computing capability
and rich memory banks. Besides, multicore platforms
Many string matching algorithms and architectures surpass hardware circuits by their high
have been proposed in recent years for content programmability, flexibility and portability. This paper
inspection. In summary, the previous works can be aims at exploring a scalable string matching
classified into two categories: one is hardware framework on multicore platforms for intrusion
solutions based on FPGA/ASIC; the other is software detection and deep inspection systems.
algorithms based on general purpose processors.
Furthermore, the software algorithms can be classified
into DFA-based algorithms and leap-based algorithms. 6 CONCLUSIONS
Aho-Corasick (AC) [3] is the most popular DFA- In this paper, a novel parallel processing
based software algorithm for multiple pattern string framework, called the two-dimension workload
matching. It employs a deterministic finite automaton distribution framework, is proposed to optimize the
(DFA) to organize the patterns and reveals matching multi-pattern string matching on modern multicore
results in one pass. The advantage of AC is that it only platforms. The innovations are motivated by the poor
needs search time on the order of O(n), regardless of scalability and performance of the traditional one-
the number of patterns, where n is the length of the dimension model, which dispatches the string
input text. However, AC suffers from two intrinsic matching workload only by flow-level traffic load
deficiencies. First, it does not exploit the heuristics in balancing. The proposed two-dimension workload
the pattern set to generate a leap for avoiding distribution framework improves the traditional model
unnecessary comparisons. Second, the memory by introducing a new dimension on pattern set
occupation of AC increases linearly with the growing partitioning to balance the workload distribution by
of the pattern set size, which will cause higher cache pattern clustering. It firstly partitions the patterns into
miss rates and correspondingly lower searching speeds. subsets according to the selected algorithms’
Wu-Manber (WM) [4] is the representative of characteristics in the first dimension, and then
leap-based algorithms that evade unnecessary dispatches the incoming packets via flow-level load
comparisons at some matching positions based on balancing in the second dimension. Furthermore, a
novel pattern clustering mechanism named PCM is [8] ClamAV Anti-virus, http://www.clamav.net/.
presented to optimize the performance on the long [9] R. Boyer and J. Moore: A Fast String Searching Algorithm,
pattern subsets in MRSI engines. Commun. ACM, vol. 20, no. 10, pp. 762-772 (1977).
[10] C. J. Coit, S. Staniford, and J. McAlerney: Towards Faster
The PCM scheme is devised based on the intrinsic Pattern Matching for Intrusion Detection, or Exceeding the
characteristics of the MRSI algorithm, and it can Speed of Snort, Proc. of the 2nd DARPA Information
easily be extended to support other leap-based Survivability Conference and Exposition (2002).
algorithms with slight modifications in the cost [11] M. Fisk and G. Varghese: Fast Content-based Packet
Handling for Intrusion Detection, UCSD Technical Report
function. In addition, the two-dimension workload CS2001-0670 (2001).
distribution framework can adapt to various string
[12] K. G. Anagnostakis, E. P. Markatos, S. Antonatos, and M.
matching algorithms besides AC and MRSI. The Polychronakis: E2xB: A Domain-pecific String Matching
framework provides a platform to split the pattern set Algorithm for Intrusion Detection, Proc. of the 18th IFIP
into subsets according to the characteristics of International Information Security Conference (2003).
different algorithms. It is believed that this scalable [13] B. L. Hutchings, R. Franklin, and D. Carver: Assisting
framework can support large pattern sets with more Network Intrusion Detection with Reconfigurable Hardware,
IEEE Symposium on Field-Programmable Custom
than 100K patterns, and the overall searching Computing Machines (2002).
performance can meet gigabyte level line speed
[14] J. Moscola, J. Lockwood, R. P. Loui, and M. Pachos:
requirement with modest number of cores. Implementation of A Content-scanning Module for an
Internet Firewall, IEEE Symposium on Field-Programmable
Experimental results show that the proposed two- Custom Computing Machines (2003).
dimension workload distribution framework achieves
[15] C. R. Clark and D. E. Schimmel: Scalable Pattern Matching
a performance speedup of 60% with real-life rule sets, for High Speed Networks, IEEE Symposium on Field-
compared with the traditional one-dimension model. Programmable Custom Computing Machines (2004).
Besides, assisted by the PCM scheme, the two- [16] Z. K. Baker and V. K. Prasanna: Time and Area Efficient
dimension workload distribution framework obtains an Pattern Matching on FPGAs, IEEE Symposium on Field-
additional 15%~20% performance gain compared with Programmable Custom Computing Machines (2004).
the random clustering mechanism (RCM). Besides, [17] Z. K. Baker and V. K .Prasanna: Methodology for Synthesis
PCM is proved to converge at a locally optimal of Efficient Intrusion Detection Systems on FPGAs, IEEE
Symposium on Field-Programmable Custom Computing
solution and has a rapid convergence speed, which Machines (2004).
facilitates its employment in practice. [18] L. Bu and J. A. Chandy: FPGA Based Network Intrusion
Future work will be done on designing elaborate Detection Using Content Addressable Memories, Proc. of
IEEE International Conference on Field-Programmable
resource manager and scheduler to automatically Technology (2004).
allocate the computing resources on the pattern subsets, [19] I. Sourdis and D. Pnevmatikatos: Pre-decoded CAMs for
and to automatically balancing the overhead in the Efficient and High-speed NIDS Pattern Matching, IEEE
string matching engines. The final objective is to Symposium on Field-Programmable Custom Computing
devise an intelligent architecture that can Machines (2004).
automatically distribute workload on both pattern and [20] Z. K. Baker and V. K. Prasanna: High-throughput Linked-
traffic dimensions to form up a well-performed pattern Matching for Intrusion Detection Systems, Proc. of
Symposium on Architecture for Networking and
parallel processing system. Communications Systems (2005).
[21] F. Yu, R. H. Katz, and T. V. Lakshman: Gigabit Rate Packet
Pattern-matching Using TCAM, Proc. of the 12th IEEE
7 REFERENCES International Conference on Network Protocols (2004).
[22] J. Lockwood: Deep Packet Inspection Using Parallel Bloom
[1] M. Roesh: Snort – Lightweight Intrusion Detection for
Filters, IEEE Micro, vol. 24, pp. 52-61 (2004).
Network, Proc. of the 13th Systems Administration
Conference (1999). [23] N. Tuck, T. Sherwood, B. Calder, and G. Varghese:
Deterministic Memory-efficient String Matching Algorithms
[2] Bro intrusion detection system, http://www.bro-ids.org/.
for Intrusion Detection, Proc. of INFOCOM (2004).
[3] A. Aho and M. Corasick: Fast Pattern Matching: An Aid to
[24] L. Tan and T. Sherwood: A High Throughput String
Bibliographic Search, Commun. ACM, vol. 18, no. 6, pp.
Matching Architecture for Intrusion Detection and Prevention,
333-340 (1975).
Proc. of International Symposium on Computer Architecture
[4] S. Wu and U. Manber: A Fast Algorithm for Multi-pattern (2005).
Searching, Technical Report TR-94-17, Dept. Computer
[25] J. V. Lunteren: High-performance Pattern-matching Engine
Science, University of Arizona (1994).
for Intrusion Detection, Proc. of IEEE INFOCOM (2006).
[5] B. Xu, X. Zhou, and J. Li: Recursive Shift Indexing: A Fast
[26] S. Dharmapurikar and J. Lockwood: Fast and Scalable
Multi-Pattern String Matching Algorithm, Proc. of the 4th
Mattern Matching for Network Intrusion Detection Systems,
International Conference on Applied Cryptography and
IEEE Journal on Selected Areas in Communications, vol. 24,
Network Security (2006).
pp. 1781-1792 (2006).
[6] X. Zhou, B. Xu, Y. X. Qi, and J. Li: MRSI: A Fast Pattern
[27] H. Lu, K. Zheng, B. Liu, X. Zhang, and Y. Liu: A Memory-
Matching Algorithm for Anti-virus Applications, Proc. of the
efficient Parallel String Matching Architecture for High-speed
7th International Conference on Networking (2008).
Intrusion Detection, IEEE Journal on Selected Areas in
[7] MIT DARPA Intrusion Detection Data Sets, Communications, vol. 24, pp. 1793-1804 (2006).
http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.
html.