DocumentCode
3037599
Title
Distributed Data Parallel Techniques for Content-Matching Intrusion Detection Systems
Author
Kopek, Christopher V. ; Fulp, Errin W. ; Wheeler, Patrick S.
Author_Institution
Department of Computer Science, Wake Forest University, Winston-Salem, NC, 27109. Email: kopekcv@gmail.com
fYear
2007
fDate
29-31 Oct. 2007
Firstpage
1
Lastpage
7
Abstract
Content matching is a necessary component of any signature-based network Intrusion Detection System (IDS). Packet inspection typically introduces considerable delay, often consuming more than 70% of the IDS processing time. Unfortunately, this delay becomes more significant as security policies and network speeds continue to increase. This paper introduces a new parallel IDS content matching technique that provides initial packet inspections with less delay. The technique distributes portions of a packet payload across an array of n processors, each responsible for scanning a smaller portion of the original payload. Given this design, each processor has less data to inspect, thus reducing the overall delay. Unlike similar parallel approaches, our technique ensures that security is maintained (no false negatives). Furthermore, the proposed parallel technique is shown to result in an initial match speed-up of approximately 1.25n using Snort (an open source IDS), actual IDS policies, and traffic traces - a significant improvement over current parallel techniques.
Keywords
Automata; Computer science; Data security; Delay effects; High-speed networks; Inspection; Intrusion detection; Next generation networking; Payloads; Process design; Aho-Corasick; Data Parallel; Intrusion Detection; Packet; Parallel; Signature Matching; Snort; Wu-Manber;
fLanguage
English
Publisher
ieee
Conference_Titel
Military Communications Conference, 2007. MILCOM 2007. IEEE
Conference_Location
Orlando, FL, USA
Print_ISBN
978-1-4244-1513-7
Electronic_ISBN
978-1-4244-1513-7
Type
conf
DOI
10.1109/MILCOM.2007.4454922
Filename
4454922