Abstract

Modern network packet processing applications such as Intrusion Detection Systems (IDS) perform packet filtering and deep packet inspection (DPI), also known as packet content inspection. Fundamentally, for packet filtering these applications examine the contents of selected header fields of the network, transport and application layers of the packets, while for DPI they use attack signature rules to search for predefined patterns in the packet application header fields or payload data. This paper discusses a hybrid mechanism based on the use of splay tree filters and pattern-matching algorithms to enhance IDS packet filtering and DPI performance, respectively. The proposed mechanism uses network traffic statistics to dynamically optimize the order of the splay tree filters, allowing early acceptance and rejection of network packets. In addition, DPI signature rules are reordered according to their matching frequencies, allowing early packet acceptance. We demonstrate the merit of our mechanism through simulations performed on Snort's string set.
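The two self-adjusting ideas in the abstract, illustrated as an added example that is not the paper's code: a splay tree of filter rules keyed on one header field (destination port is an assumed choice), where every lookup splays the hit rule to the root so ports that dominate live traffic are decided after a few comparisons, plus a DPI signature list reordered by observed match counts. Rule sets and match counts are constructed sample data.

```python
class Node:
    def __init__(self, key, action):
        self.key, self.action, self.left, self.right = key, action, None, None

def splay(root, key):
    """Top-down splay: bring `key` (or its nearest neighbour) to the root."""
    if root is None: return None
    header = Node(None, None)        # dummy node collecting the split-off subtrees
    l = r = header; t = root
    while True:
        if key < t.key:
            if t.left is None: break
            if key < t.left.key:          # zig-zig: rotate right first
                y = t.left; t.left = y.right; y.right = t; t = y
                if t.left is None: break
            r.left = t; r = t; t = t.left     # hang t on the right tree
        elif key > t.key:
            if t.right is None: break
            if key > t.right.key:         # zag-zag: rotate left first
                y = t.right; t.right = y.left; y.left = t; t = y
                if t.right is None: break
            l.right = t; l = t; t = t.right   # hang t on the left tree
        else: break
    l.right, r.left = t.left, t.right  # reassemble around the new root
    t.left, t.right = header.right, header.left
    return t

def insert(root, key, action):
    """Splay-based insert: the new rule becomes the root, the old root hangs below it."""
    if root is None: return Node(key, action)
    root = splay(root, key)
    if key == root.key: root.action = action; return root
    n = Node(key, action)
    if key < root.key: n.left, n.right, root.left = root.left, root, None
    else: n.right, n.left, root.right = root.right, root, None
    return n

class SplayFilter:
    """Packet filter keyed on one header field (destination port assumed here); each
    lookup splays the hit rule to the root, so frequently seen ports decide fast."""
    def __init__(self, rules):
        self.root = None
        for port, action in rules.items(): self.root = insert(self.root, port, action)
    def lookup(self, port):
        self.root = splay(self.root, port)
        return self.root.action if self.root.key == port else "inspect"

def reorder_signatures(signatures, hits):
    """DPI side: order signature patterns by observed match count, most frequent first."""
    return sorted(signatures, key=lambda s: hits.get(s, 0), reverse=True)
```

A packet whose port matches no filter rule falls through to "inspect", i.e. to the DPI stage, whose signature order is refreshed from `hits` as traffic statistics accumulate.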
