Please use this identifier to cite or link to this item:
標題: A Multiple Pattern Matching Method for Malicious Code Detection
作者: Huang, D.C.
Lo, H.C.
Lai, P.L.
Chen, W.M.
關鍵字: Ternary Content Addressable Memory (TCAM);Pattern matching;Intrusion;detection;Malicious code;algorithm
Project: Journal of Internet Technology
期刊/報告no:: Journal of Internet Technology, Volume 13, Issue 2, Page(s) 181-193.
To detect the malicious behaviors, an Intrusion Detection System (IDS) has been proposed in most security applications. A hardware-based IDS has been adopted popularly to increase the performance of detection such that the malicious activities can be detected and isolated as early as possible. This paper presents a two pass multiple pattern-matching method with Ternary Content Addressable Memory (TCAM) to improve the deficiency of software-based algorithm. At the first pass, we use TCAM to filter the input pattern of incoming packet quickly, and then apply Static Random Access Memory (SRAM) to store and fetch the intact pattern to perform re-compare at the second pass. Based on the two pass processes, we can handle pattern-matching problem fast and correct. Moreover, we add a specific queue between the two pass processes to ensure it can be performed in parallel to reach the best performance. By experimental results, we get that the matching probability of performing SRAM lookup is less than 0.523%. Therefore, the processing speeds of pattern matching mainly depend on the rate of TCAM lookup. In order to accelerate the processing speed of pattern matching, the store patterns in TCAM can be duplicated more times to make TCAM be able to carry out multiple positions at one lookup. If we use 266 MHz TCAM to deal with 2,082 Snort pattern, and each pattern is stored to duplicate four times in TCAM, then the method can achieve 8Gbps with total 48,677 bytes TCAM memory spaces.
ISSN: 1607-9264
Appears in Collections:期刊論文

Show full item record

Google ScholarTM


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.