Network Intrusion Detection System in Latest DFA Compression Methods for Deep Packet Scruting

Network Intrusion Detection System in Latest DFA Compression Methods for Deep Packet Scruting

Vinoth Kumar K (New Horizon College of Engineering, India)
Copyright: © 2021 |Pages: 25
DOI: 10.4018/978-1-7998-6721-0.ch010
OnDemand PDF Download:
No Current Special Offers


The vast majority of the system security applications in today's systems depend on deep packet inspection. In recent years, regular expression matching was used as an important operator. It examines whether or not the packet's payload can be matched with a group of predefined regular expressions. Regular expressions are parsed using the deterministic finite automata representations. Conversely, to represent regular expression sets as DFA, the system needs a large amount of memory, an excessive amount of time, and an excessive amount of per flow state, limiting their practical applications. This chapter explores network intrusion detection systems.
Chapter Preview


Today, a computer network has become an essential part of our day by day life. Internet has a fast growth from the most recent decade with increasing requirement of society on it. Internet provides a wide range of benefits to society however it is infected by many security attacks that disrupt the functionality of networking and computing infrastructure. To enhance the security of the network a large number of devices are introduced. Network Intrusion Detection Systems (NIDS) are amongst the foremost broadly used for this purpose (Kumar, Turner, Crowley et al, 2007). Snort (Liu & Wu, 2013) and Bro (Roesch, 1999) are two open source NIDS examples that have been broadly used to safeguard the network.

Network Intrusion Detection Systems use Deep Packet Inspection (DPI) for a variety of applications that enhances security like spam, monitoring and detecting viruses, malevolent traffic, unauthorized access and attacks. The main role of deep packet inspection is to permit Network Intrusion Detection System to effectively match the details of the network packets with respect to signature attacks and thereby be aware of malicious traffic. Formerly, string matching algorithms were used to match the signature attacks. There is an increasing obstacle in network attacks that has possessed the society of research to investigate a best string matching or signature representation. In spite of this a large research community suggests the regular expression as a dominant signature representation. Regular expression consists of a character sets that identify a search pattern. Regular expressions are grammars that denote the regular language. Regular expression matching is a traditional problem of computer science and technology. The authors in (Becchi & Crowley, 2007; Thompson, 2006; Myers, 1992) have made productive developments to promote the research of regular expression in algorithms and theories. There are mainly two primary requirements that must be satisfied for any regular expression representations. They are time efficiency and space efficiency. Space efficiency specifies the size of the system representation and it must be less so that it guarantees that it fits inside the main memory of NIDS. Time efficiency specifies the amount of time that is required by the NIDS to process every byte of network traffic and it must be little so as to permit a large degree of traffic to match rapidly.

When compared with the simple string patterns regular expressions are considered to be very expressive and hence they are capable to represent an ample collection of payload signatures (Hopcroft, 1971). However to implement regular expressions need greater memory space and bandwidth. On the other hand the crucial task with these extremely fast regular expressions is to trim down the usage of memory and its bandwidth.

Regular expressions are usually evaluated by finite automaton which is a mathematical framework of a system that comprises of inputs and outputs. The system initially begins at the start state and it can be in any one of the finite states. Based on the previous input characters read the state of the system understands the systems behavior for the subsequent input string. The finite automata can be categorized into Non Deterministic Finite Automata (NFA) and Deterministic Finite Automata (DFA) depending on the prime technology and current resources. The foremost dissimilarity among NFA and DFA is that for each character that is read in packet payload NFA can have multiple state transitions while DFA can have only one state transition. Owing to this NFA has a time complexity of O(m) where m is the number of states while DFA requires a large amount of memory for the same packet payload.

Complete Chapter List

Search this Book: