Hash - Based String Matching Algorithm For Network Intrusion Prevention systems ( NIPS ) VINOD

Network Intrusion Prevention Systems (NIPS) are employed in-line with the network segment that needs to be protected. As the packets within the network passes through the NIPS device, the packets are inspected for the presence of any attacks. Like viruses, most intruder activities have some kind of signatures, hence a NIPS device contains a pattern matching algorithm to match the virus signatures within the rule list with the incoming network packets. When an attack is identified, the NIPS blocks the infected data packet with a unusual signature pattern. The pattern-matching algorithm must be able to operate at network speeds, while simultaneously detecting the main bulk of intrusions. This paper proposes an alternative algorithm using a Hash Function which uses a SRAM that creates fingerprints of the packet payload which are then compared with the patterns signatures. The proposed hash based system consumes around 0.56 times or 56 percent less memory than the memory consumed by the RTCAM method. It can also be observed from the results that as the TCAM width doubles the initial width the memory consumption increases around 1000kb the initial memory consumption value in RTCAM method. But in the case of hash based method as the block size is doubled the memory consumption increases by a small value around 200kb only from the initial memory consumption value. Hence the proposed hash based method is efficient than the RTCAM method in terms of memory consumption. Furthermore, the system is fully compatible with Snort’s rules syntax, which is the basic standard followed for intrusion prevention systems. Index Terms Hash Algorithm, NIPS, Padding, RTCAM, Snort Rules, SRAM, TCAM