TFA: A Tunable Finite Automaton for Pattern Matching in Network Intrusion Detection Systems

Deterministic finite automatons (DFAs) and nondeterministic finite automatons (NFAs) are two typical automatons used in the network intrusion detection system. Although they both perform regular expression matching, they have quite different performance and memory usage properties. DFAs provide fast...

Detailed description

Bibliographic details
Published in: IEEE journal on selected areas in communications 2014-10, Vol.32 (10), p.1810-1821
Main authors: Yang Xu, Junchen Jiang, Rihua Wei, Yang Song, Chao, H. Jonathan
Format: Article
Language: eng
description Deterministic finite automatons (DFAs) and nondeterministic finite automatons (NFAs) are two typical automatons used in the network intrusion detection system. Although they both perform regular expression matching, they have quite different performance and memory usage properties. DFAs provide fast and deterministic matching performance but suffer from the well-known state explosion problem. NFAs are compact, but their matching performance is unpredictable and with no worst case guarantee. In this paper, we propose a new automaton representation of regular expressions, called tunable finite automaton (TFA), to deal with the DFAs' state explosion problem and the NFAs' unpredictable performance problem. Different from a DFA, which has only one active state, a TFA allows multiple concurrent active states. Thus, the total number of states required by the TFA to track the matching status is much smaller than that required by the DFA. Different from an NFA, a TFA guarantees that the number of concurrent active states is bounded by a bound factor b that can be tuned during the construction of the TFA according to the needs of the application for speed and storage. Simulation results based on regular expression rule sets from Snort and Bro show that, with only two concurrent active states, a TFA can achieve significant reductions in the number of states and memory usage, e.g., a 98% reduction in the number of states and a 95% reduction in memory space.
doi_str_mv 10.1109/JSAC.2014.2358856
identifier ISSN: 0733-8716
issn 0733-8716
1558-0008
language eng
recordid cdi_crossref_primary_10_1109_JSAC_2014_2358856
source IEEE Electronic Library (IEL)
subjects Automata
Bandwidth
Complexity theory
Computer programming
Cybersecurity
Educational institutions
Encoding
Explosions
Memory management