Network intrusion detection using string matching

Abstract

Network intrusion detection system is a retrofit approach for providing a sense of security in existing computers and data networks, while allowing them to operate in their current open mode. The goal of a network intrusion detection system is to identify, preferably in real time,
unauthorized use, misuse and abuse of computer systems by insiders as well as from outside perpetrators.
At the heart of every network intrusion detection system is packet inspection which employs nothing but string matching. This string matching is the bottleneck of performance for the whole network intrusion detection system. Thus, the need to increase the performance of
string matching cannot be more exemplified.
In this project, we have studied some of the standard string matching algorithms and implemented them. We have then compared the performance of the various algorithms with
varying input sizes. The main focus of the project was the Aho-Corasick algorithm. In addition to using the default implementation of suffix trees, we have used a dense hash set and a sparse hash set implementation- which are libraries from the Google code repository-
and we show that the performance for these implementations are better. They give noticeable enhancement in performance when the input size increases.