Two-Stage Decomposition of SNORT Rules Towards Efficient Hardware Implementation

Date Added: Aug 2009
Format: PDF

The performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common solution is to close the performance gap through hardware implementation of security functions. However, continuously expanding signature databases have become a major impediment to achieving scalable hardware based pattern matching. Additionally, evolutionary rule databases have necessitated real time online updating for reconfigurable hardware implementations. Based on the observation that signature patterns are constructed from combinations of a limited number of primary patterns, the paper proposes to decompose the Snort signature patterns. These smaller primary pattern sets can be stored along with their associations to allow dynamic signature pattern reconstruction.