Abstract

A rule-based intrusion detection system compares incoming packets against a rule set in order to detect intrusions. Unfortunately, it spends the majority of its CPU time on packet classification, that is, on searching for the rules that match each packet. A common approach is to build a graph such as a rule tree or a finite automaton for a given rule set and to traverse it using the packet as the input string. Because of the increasing number of security threats and vulnerabilities, the number of rules often exceeds several thousand, requiring hundreds of megabytes of memory. Exploring such a huge graph becomes a major bottleneck in high-speed networks, since each packet incurs many memory accesses with little locality. In this paper, we propose rule hashing for fast packet classification in intrusion detection systems. Rule hashing, combined with hierarchical rule trees, saves memory and reduces the number of memory accesses by allowing the whole working set to fit in the cache most of the time, and thus improves the response time for finding matching rules. We implement our algorithm in Snort, a popular open-source intrusion detection system. Experimental results show that our implementation is faster than the original Snort on the same real packet traces while consuming an order of magnitude less memory.
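
The following is an added illustration of the idea behind rule hashing and is not the paper's code nor Snort's: rules are bucketed by a header key so that a packet only touches the rules sharing its key, instead of being compared against the entire rule set. The hash key (protocol, destination port), the rule and packet fields, and the rule set and packets are all constructed here for the example; the paper's actual key, its hierarchical rule trees and its Snort integration are not modelled.

```python
# Added example (not from the paper or Snort): rule hashing for IDS packet
# classification. Rules are bucketed by a header key so a packet is compared
# only against the rules that share its key, not the whole rule set.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    dst_port: Optional[int]            # None means "any port"
    src_ip: Optional[str] = None       # None means "any address"
    content: Optional[bytes] = None    # payload substring to look for, or None


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_port: int
    payload: bytes


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Check the fields NOT covered by the hash key (src_ip, content)."""
    if rule.src_ip is not None and rule.src_ip != pkt.src_ip:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


class HashedRuleSet:
    """Buckets rules by (proto, dst_port). The key choice is an assumption of
    this example; the paper's hashing scheme may differ."""

    def __init__(self, rules):
        self.buckets = {}
        for r in rules:
            self.buckets.setdefault((r.proto, r.dst_port), []).append(r)

    def candidates(self, pkt: Packet):
        # Exact-port bucket plus the "any port" bucket for the same protocol;
        # a rule with dst_port=None must not be lost just because it has no
        # exact key.
        return (self.buckets.get((pkt.proto, pkt.dst_port), [])
                + self.buckets.get((pkt.proto, None), []))

    def classify(self, pkt: Packet):
        """Return (matching sids, number of rules examined)."""
        cands = self.candidates(pkt)
        # The key guarantees proto/dst_port agree; the remaining fields still
        # need the full check.
        return [r.sid for r in cands if rule_matches(r, pkt)], len(cands)


def linear_classify(rules, pkt: Packet):
    """Baseline that compares every rule: the cost the hashing avoids."""
    hits = [r.sid for r in rules
            if r.proto == pkt.proto
            and r.dst_port in (None, pkt.dst_port)
            and rule_matches(r, pkt)]
    return hits, len(rules)


# Constructed rule set and packets for the example (not real Snort rules).
RULES = [
    Rule(1, "tcp", 80, content=b"/etc/passwd"),
    Rule(2, "tcp", 80, content=b"cmd.exe"),
    Rule(3, "tcp", 22),
    Rule(4, "udp", 53, content=b"\x00\x00\x10\x00"),
    Rule(5, "tcp", None, content=b"evil"),
    Rule(6, "tcp", 443, src_ip="10.0.0.5"),
]
PKT_HTTP = Packet("tcp", "10.0.0.9", 80, b"GET /etc/passwd HTTP/1.0\r\n")
PKT_DNS = Packet("udp", "10.0.0.9", 53,
                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x10\x00")
PKT_SSH = Packet("tcp", "10.0.0.9", 22, b"SSH-2.0-OpenSSH\r\n")

if __name__ == "__main__":
    hashed = HashedRuleSet(RULES)
    for name, pkt in (("http", PKT_HTTP), ("dns", PKT_DNS), ("ssh", PKT_SSH)):
        print(name, "hashed:", hashed.classify(pkt),
              "linear:", linear_classify(RULES, pkt))
```

With six rules the saving is only three or six comparisons per packet, but the point scales: with thousands of rules the per-packet working set is one or two small buckets rather than the whole rule set, which is what lets it stay cache-resident. The "any port" bucket is the catch-all that a real implementation has to keep bounded, since every packet of that protocol visits it.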
