Scalable NIDS Via Negative Pattern Matching and Exclusive Pattern Matching

Date Added: May 2010

In this paper, the authors identify the unique challenges in deploying parallelism on TCAM-based pattern matching for Network Intrusion Detection Systems (NIDSes). They resolve two critical issues when designing scalable parallelism specifically for pattern matching modules: how to enable fine-grained parallelism in pursuit of effective load balancing and desirable speedup simultaneously; and how to reconcile the tension between parallel processing speedup and prohibitive TCAM power consumption. To this end, they first propose the novel concept of Negative Pattern Matching to partition flows, by which the number of TCAM lookups can be significantly reduced, and the resulting (fine-grained) flow segments can be inspected in parallel without incurring false negatives.