Jeong Seok Wang , Hu Keun Kwak , Yun Jae Jung , Hui Ng Kwon , Kyu Sik Chung

The KIPS Transactions:PartC, Vol. 14, No. 3, pp. 209-220, Jun. 2007
10.3745/KIPSTC.2007.14.3.209,   PDF Download:

Abstract

IPS(Intrusion Prevention Systems), which is installed in inline mode in a network, protects network from outside attacks by inspecting the incoming/outgoing packets and sessions, and dropping the packet or closing the sessions if an attack is detected in the packet. In the signature based filtering, the payload of a packet passing through IPS is matched with some attack patterns called signatures and dropped if matched. As the number of signatures increases, the time required for the pattern matching for a packet increases accordingly so that it becomes difficult to develop a high performance IPS working without packet delay. In this paper, we propose a high performance IPS based on signature hashing to make the pattern matching time independent of the number of signatures. We implemented the proposed scheme in a Linux kernel module in a PC and tested it using worm generator, packet generator and network performance measure instrument called smart bit. Experimental results show that the performance of existing method is degraded as the number of signatures increases whereas the performance of the proposed scheme is not degraded.

Statistics
Cite this article