XFA: Faster Signature Matching with Extended Automata

S
SP
2008
2008 IEEE Symposium on Security and Privacy (sp 2008)
Abstract - XFA: Faster Signature Matching with Extended Automata

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Randy Smith Articles by Cristian Estan Articles by Somesh Jha

2008 IEEE Symposium on Security and Privacy (sp 2008)

May 18-May 21

ISBN: 978-0-7695-3168-7

	ASCII Text	x
	Randy Smith, Cristian Estan, Somesh Jha, "XFA: Faster Signature Matching with Extended Automata," Security and Privacy, IEEE Symposium on, pp. 187-201, 2008 IEEE Symposium on Security and Privacy (sp 2008), 2008.

	BibTex	x
	@article{ 10.1109/SP.2008.14, author = {Randy Smith and Cristian Estan and Somesh Jha}, title = {XFA: Faster Signature Matching with Extended Automata}, journal ={Security and Privacy, IEEE Symposium on}, volume = {0}, year = {2008}, isbn = {978-0-7695-3168-7}, pages = {187-201}, doi = {http://doi.ieeecomputersociety.org/10.1109/SP.2008.14}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Security and Privacy, IEEE Symposium on TI - XFA: Faster Signature Matching with Extended Automata SN - 978-0-7695-3168-7 SP187 EP201 A1 - Randy Smith, A1 - Cristian Estan, A1 - Somesh Jha, PY - 2008 KW - signature matching KW - intrusion detection KW - finite automata KW - regular expressions VL - 0 JA - Security and Privacy, IEEE Symposium on ER -

Randy Smith

Cristian Estan

Somesh Jha

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SP.2008.14

Automata-based representations and related algorithms have been applied to address several problems in information security, and often the automata had to be augmented with additional information. For example, extended finite-state automata (EFSA) augment finite-state automata (FSA) with variables to track dependencies between arguments of system calls. In this paper, we introduce extended finite automata (XFAs) which augment FSAs with finite scratch memory and instructions to manipulate this memory. Our primary motivation for introducing XFAs is signature matching inNetwork Intrusion Detection Systems (NIDS). Representing NIDS signatures as deterministic finite-state automata (DFAs) results in very fast signature matching but for several classes of signatures DFAs can blowup in space. Using nondeterministic finite-state automata (NFA) to represent NIDS signatures results in a succinct representation but at the expense of higher time complexity for signature matching. In other words, DFAs are time-efficient but space-inefficient, and NFAs are space-efficient but time-inefficient. In our experiments we have noticed that for a large class of NIDS signatures XFAs have time complexity similar to DFAs and space complexity similar to NFAs. For our test set, XFAs use 10 timesless memory than a DFA-based solution, yet achieve 20 times higher matching speeds.

Index Terms:

signature matching, intrusion detection, finite automata, regular expressions

Citation:

Randy Smith, Cristian Estan, Somesh Jha, "XFA: Faster Signature Matching with Extended Automata," sp, pp.187-201, 2008 IEEE Symposium on Security and Privacy (sp 2008), 2008

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.