Title
Accelerating Multipattern Matching on Compressed HTTP Traffic
Abstract
One of the fundamental techniques used today by network security tools to detect malicious activities is 'signature-based' detection. Today, the performance of the security tools is dominated by the speed of the string-matching algorithms that detect these signatures. Currently, these security tools do not deal with compressed traffic, which is becoming more and more common in HTTP. The HTTP protocol uses GZIP compression, which first requires some kind of decompression phase before performing the multi-pattern matching task. Thus, there is a high performance penalty in pattern matching on compressed data. In this paper we present a novel algorithm, the Aho-Corasick-based algorithm for Compressed HTTP (ACCH), that takes advantage of information gathered by the decompression phase in order to accelerate the commonly used Aho-Corasick pattern matching algorithm. We show, by analyzing real HTTP traffic and real WAF signature patterns, that we can skip scanning up to 75% of the data. Surprisingly, we show that in some situations it is faster to do pattern matching on the compressed data, with the penalty of decompression, than to do pattern matching on regular traffic. As far as we know, we are the first paper that analyzes the problem of 'on-the-fly' multi-pattern matching algorithms on compressed HTTP traffic and suggests a solution.
Year: 2009
DOI: 10.1109/TNET.2011.2172456
Venue: Networking, IEEE/ACM Transactions
Keywords: Internet, authorisation, computer network security, data compression, hypermedia, string matching, telecommunication traffic, transport protocols, ACCH, Aho-Corasick-based algorithm for Compressed HTTP, GZIP compression, compressed HTTP traffic, decompression phase, market-share, multipattern matching acceleration, pattern matching, real Web application firewall signatures, security tools, signature-based detection, Compressed HTTP, computer security, intrusion detection
Field: String searching algorithm, Web traffic, Algorithm design, Computer science, Network security, Computer network, Digital signature, Data compression, Intrusion detection system, Pattern matching
DocType: Conference
Volume: 20
Issue: 3
ISSN: 1063-6692
Citations: 14
PageRank: 0.62
References: 21
Authors: 2
Name: Anat Bremler-Barr; Order: 1; Citations: 505; PageRank: 39.95
Name: Yaron Koral; Order: 2; Citations: 22; PageRank: 1.11