Abstract

We consider the problem of approximate reduction of non-deterministic automata that appear in hardware-accelerated network intrusion detection systems (NIDSes). We define an error distance of a reduced automaton from the original one as the probability of packets being incorrectly classified by the reduced automaton (with respect to the probability distribution of packets in the network traffic). We use this notion to design an approximate reduction procedure that achieves a great size reduction (much beyond the state-of-the-art language-preserving techniques) with a controlled and small error. We have implemented our approach and evaluated it on use cases from Snort, a popular NIDS. Our results provide experimental evidence that the method can be highly efficient in practice, allowing NIDSes to follow the rapid growth in the speed of networks.

Highlights

  • The recent years have seen a boom in the number of security incidents in computer networks

  • The conditions may take into consideration, among others, network addresses, ports, or Perl compatible regular expressions (PCREs) that the packet payload should match

  • In the caption of every table, we provide the name of the input file with the selection of Snort regexes used in the particular experiment, together with the type of the reduction


Summary

Introduction

The recent years have seen a boom in the number of security incidents in computer networks. Various language-preserving automata reduction approaches exist, mainly based on computing (bi)simulation relations on automata states (cf. the related work). The reductions they offer do not satisfy the needs of high-speed hardware-accelerated NIDSes. Our answer to the problem is approximate reduction of NFAs, allowing for a trade-off between the achieved reduction and the precision of the regex matching. A DFA with a given maximum number of states is constructed in [23], minimizing the error defined either by (i) counting prefixes of misjudged words up to some length, or (ii) the sum of the probabilities of the misjudged words with respect to the Poisson distribution over Σ∗. Neither of these approaches considers reduction of NFAs, nor does it allow one to control the expected error with respect to the real traffic. Our approach is capable of a much better reduction for the price of a small change of the accepted language.
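The error distance defined in the abstract, and the size-driven reduction, pruning and self-loop reductions named in the outline below, as an added worked example in Python. This is not the paper's code: the page gives only the names of those procedures and of the traffic model, so everything here is constructed. The alphabet has two letters, the traffic model draws symbols i.i.d. with a geometric packet length and is enumerated only up to `MAX_LEN` (so the reported error misses at most `TAIL_MASS`), `ORIG` is a hand-built NFA for two made-up payload patterns `.*abab.*` and `.*bbbba.*`, `prune` and `self_loop` are single-state simplifications of the two reductions, and `reduce_to_size` is a plain greedy loop. The point it makes is the one a NIDS operator wants checked before deploying a reduced automaton: under traffic where `b` is rare, the whole `bbbba` branch can be pruned, halving the automaton at an error of roughly 1e-4, and the two operations fail in opposite directions (pruning can only lose detections, self-looping can only add false alarms), which `misclassification_split` reports separately.

```python
"""Probabilistic error distance and approximate NFA reduction: an added example for
this page, not the paper's code. Traffic model (i.i.d. symbols, geometric length,
cut off at MAX_LEN), alphabet, patterns and both reductions are constructed."""
from itertools import product

SIGMA, P_SYM = ("a", "b"), {"a": 0.9, "b": 0.1}  # constructed: byte 'b' is rare
CONT = 0.8                          # P(len = n) = (1 - CONT) * CONT**n
MAX_LEN = 10                        # enumeration cut-off
TAIL_MASS = CONT ** (MAX_LEN + 1)   # mass of longer packets: error the cut-off can hide

class NFA:
    def __init__(self, delta, initial, final):
        self.delta = {k: set(v) for k, v in delta.items()}  # (state, symbol) -> states
        self.initial, self.final = set(initial), set(final)

    @property
    def states(self):
        return self.initial | self.final | {p for p, _ in self.delta} | set().union(*self.delta.values())

    def accepts(self, word):
        cur = set(self.initial)
        for c in word:
            cur = set().union(*(self.delta.get((q, c), set()) for q in cur))
            if not cur:
                return False
        return bool(cur & self.final)

    def trim(self):
        """Keep only states that are reachable and can still reach a final state."""
        fwd, stack = set(self.initial), list(self.initial)
        while stack:
            p = stack.pop()
            new = set().union(*(self.delta.get((p, c), set()) for c in SIGMA)) - fwd
            fwd |= new; stack += new
        bwd, stack = set(self.final), list(self.final)
        while stack:
            q = stack.pop()
            new = {p for (p, _), qs in self.delta.items() if q in qs} - bwd
            bwd |= new; stack += new
        keep = fwd & bwd
        delta = {k: qs & keep for k, qs in self.delta.items() if k[0] in keep and qs & keep}
        return NFA(delta, self.initial & keep, self.final & keep)

def traffic():
    """Yield (packet, probability) for every packet of at most MAX_LEN symbols."""
    for n in range(MAX_LEN + 1):
        for w in product(SIGMA, repeat=n):
            p = (1 - CONT) * CONT ** n
            for c in w:
                p *= P_SYM[c]
            yield "".join(w), p

def misclassification_split(orig, reduced):
    """(missed attacks, false alarms): traffic mass accepted by only one of the two."""
    missed = alarms = 0.0
    for w, p in traffic():
        o, r = orig.accepts(w), reduced.accepts(w)
        missed += p if o and not r else 0.0
        alarms += p if r and not o else 0.0
    return missed, alarms

def error_distance(orig, reduced):
    return sum(misclassification_split(orig, reduced))

def prune(nfa, q):
    """Pruning: drop state q. The language can only shrink: no new false alarms."""
    delta = {k: qs - {q} for k, qs in nfa.delta.items() if k[0] != q}
    return NFA(delta, nfa.initial - {q}, nfa.final - {q}).trim()

def self_loop(nfa, q):
    """Self-loop reduction: q becomes an accepting universal sink, so the language
    can only grow (no new missed attacks); states reachable only via q are trimmed."""
    delta = {k: qs for k, qs in nfa.delta.items() if k[0] != q}
    for c in SIGMA:
        delta[(q, c)] = {q}
    return NFA(delta, nfa.initial, nfa.final | {q}).trim()

def reduce_to_size(orig, target, op):
    """Greedy size-driven reduction: apply `op` to the cheapest state until at most
    `target` states remain. Returns (reduced NFA, its error distance from orig)."""
    cur, err = orig, 0.0
    while len(cur.states) > target:
        best = None
        for q in sorted(cur.states):
            cand = op(cur, q)
            if len(cand.states) >= len(cur.states):
                continue  # no progress on this state (e.g. it is already a sink)
            e = error_distance(orig, cand)
            if best is None or e < best[0]:
                best = (e, cand)
        if best is None:
            break
        err, cur = best
    return cur, err

# Constructed stand-in for two Snort payload patterns: .*abab.* | .*bbbba.*
ORIG = NFA({("i", "a"): {"i", "p1"}, ("i", "b"): {"i", "q1"},
            ("p1", "b"): {"p2"}, ("p2", "a"): {"p3"}, ("p3", "b"): {"p4"},
            ("p4", "a"): {"p4"}, ("p4", "b"): {"p4"},
            ("q1", "b"): {"q2"}, ("q2", "b"): {"q3"}, ("q3", "b"): {"q4"},
            ("q4", "a"): {"q5"}, ("q5", "a"): {"q5"}, ("q5", "b"): {"q5"}},
           {"i"}, {"p4", "q5"})
```

`reduce_to_size(ORIG, 5, prune)` drops the `q` branch in one step and halves the automaton; `reduce_to_size(ORIG, 9, self_loop)` instead turns `q4` into an accepting sink, trading the last `a` of `bbbba` for a handful of false alarms on packets containing `bbbb`. Two caveats for real use: the enumeration ignores packets longer than `MAX_LEN`, so `TAIL_MASS` (about 0.086 here) must be added to any error bound or replaced by an exact computation over the traffic model, and the greedy loop re-evaluates the error against the original for every candidate, which is fine for ten states but not for a Snort rule set.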

Preliminaries
Approximate Reduction of NFAs
Probabilistic Distance
Automata Reduction Using Probabilistic Distance
A Heuristic Approach to Approximate Reduction
A General Algorithm for Size-Driven Reduction
A General Algorithm for Error-Driven Reduction
Pruning Reduction
Self-loop Reduction
Reduction of NFAs in Network Intrusion Detection Systems
Network Traffic Model
Evaluation
The Real Impact in an FPGA-Accelerated NIDS
Conclusion