Abstract

Pattern matching algorithms are the core component of most Network Intrusion Detection System (NIDS) search engines. With rapid advancements in technology, network speed is growing exponentially. A NIDS must inspect packets quickly, without degrading performance during heavy traffic. Hence the performance of a NIDS depends mostly on the selection of pattern matching algorithms. A large number of patterns that are of different lengths and case insensitive can be handled efficiently by multiple pattern matching methods. Several algorithms exist, but which pattern matching algorithm performs best is not known. These algorithms allow NIDS detection engines to rapidly search for several patterns concurrently in network traffic, but they frequently consume a lot of time. This paper provides a brief overview of the major pattern matching algorithms and of variations of the Backward Oracle Matching (BOM) algorithm, which is significantly faster than other algorithms. It proposes modifications to the BOM algorithm for better pattern matching that can be applied at several levels of an efficient NIDS architecture to achieve better results. A sample experimental evaluation of the proposed BOM was done with the Snort NIDS tool, and the performance is shown graphically.
