Abstract:
With the exponential growth in the number of devices and services added to networks, we are also witnessing an increase in the volume and complexity of threats, which calls for greater efficiency in network intrusion detection systems, which rely primarily on pattern matching to identify malicious activity on the network. In this literature review of pattern matching techniques in network intrusion detection, we explore the limitations of both signature-based and anomaly-based intrusion detection systems and the research carried out to overcome them. The review focuses on the performance improvements in signature-based intrusion detection systems achieved through methodologies and technologies such as regular expressions, Hyperscan, RE2, Flashtext, a generalized Aho-Corasick algorithm, Bloom filters and payload sampling. It also covers the use of machine learning techniques in anomaly-based network intrusion detection, including genetic algorithms, Support Vector Machines (SVM) and the Improved Self-Adaptive Bayesian Algorithm (ISABA), which detect anomalous behavior and identify potential threats in a network to assist security analysts in carrying out their job functions. Additionally, this review explores the integration of the MITRE ATT&CK framework and Security Information and Event Management (SIEM) systems into network intrusion detection: the framework provides a structured and standardized approach for analyzing and classifying the tactics and techniques used by attackers, while SIEM systems enable the correlation of threat activity across multiple sources, allowing for a more comprehensive and accurate view of network security. Overall, this literature review provides insights into the state-of-the-art techniques and frameworks used in network intrusion detection based on pattern matching, highlighting the significant improvements in performance and detection capabilities.
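As an added illustration of the signature-based multi-pattern matching the abstract refers to, the following Python implements the Aho-Corasick automaton and scans a payload for every signature in a single pass; this is example code written for this page, not code from any of the reviewed papers, and the signatures and payload are constructed for the example.

```python
from collections import deque

class SignatureMatcher:
    """Aho-Corasick automaton over byte-string signatures: one trie plus
    failure links, so a payload is scanned in a single pass whose cost does
    not grow with the number of signatures."""

    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.goto = [{}]   # node -> {byte: child}; node 0 is the root
        self.fail = [0]    # node -> node to resume from on a mismatch
        self.out = [[]]    # node -> indices of signatures ending here
        for idx, sig in enumerate(self.signatures):
            node = 0
            for b in sig:
                if b not in self.goto[node]:
                    self.goto[node][b] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                node = self.goto[node][b]
            self.out[node].append(idx)
        # Breadth-first pass: a failure link points to the longest proper
        # suffix of the node's string that is also a prefix of a signature.
        queue = deque(self.goto[0].values())   # depth-1 nodes fail to root
        while queue:
            node = queue.popleft()
            for b, child in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(b, 0)
                # signatures ending at the fail node also end at this node
                self.out[child].extend(self.out[self.fail[child]])
                queue.append(child)

    def scan(self, payload):
        """Return (start_offset, signature) for every match in payload."""
        hits, node = [], 0
        for i, b in enumerate(payload):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for idx in self.out[node]:
                sig = self.signatures[idx]
                hits.append((i - len(sig) + 1, sig))
        return hits

# Constructed sample: illustrative patterns (not real IDS rules) and a synthetic
# request line; "passwd" is a suffix of "/etc/passwd", so one scan reports both.
SIGNATURES = [b"/etc/passwd", b"passwd", b"cmd.exe"]
PAYLOAD = b"GET /view?file=../../etc/passwd HTTP/1.1\r\n"
```

Overlapping signatures are reported through the failure links without rescanning, which is the property that lets an IDS hold thousands of rules in one automaton.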
Keywords:
Intrusion Detection, Machine learning, Network Security, Pattern Matching, Regular Expressions.
References:
- A. V. Aho and M. J. Corasick, “Efficient string matching: an aid to bibliographic search,” Commun. ACM, vol. 18, no. 6, pp. 333-340, June 1975, doi: 10.1145/360825.360855.
- V. Singh, “Replace or Retrieve Keywords In Documents at Scale,” arXiv [cs.DS], 2017.
- T.-H. Lee, “Generalized Aho-Corasick Algorithm for Signature Based Anti-Virus Applications,” 2007 16th International Conference on Computer Communications and Networks, Honolulu, HI, USA, 2007, pp. 792-797, doi: 10.1109/ICCCN.2007.4317914.
- V. Dimopoulos, I. Papaefstathiou and D. Pnevmatikatos, “A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems,” 2007 International Conference on Embedded Computer Systems: Architectures, Modeling and Simulation, Samos, Greece, 2007, pp. 186-193, doi: 10.1109/ICSAMOS.2007.4285750.
- S. Dharmapurikar and J. W. Lockwood, “Fast and Scalable Pattern Matching for Network Intrusion Detection Systems,” in IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1781-1792, Oct. 2006, doi: 10.1109/JSAC.2006.877131.
- D. Ficara, G. Antichi, A. Di Pietro, S. Giordano, G. Procissi and F. Vitucci, “Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems,” 2010 IEEE International Conference on Communications, Cape Town, South Africa, 2010, pp. 1-5, doi: 10.1109/ICC.2010.5501751.
- R. Cox, “Regular Expression Matching in the Wild,” 2010 (available at https://swtch.com/~rsc/regexp/regexp3.html).
- X. Wang, Y. Hong, H. Chang, K. Park, G. Langdale, J. Hu and H. Zhu, “Hyperscan: a fast multi-pattern regex matcher for modern CPUs,” in Proceedings of the 16th USENIX Conference on Networked Systems Design and Implementation (NSDI’19), USENIX Association, USA, 2019, pp. 631-648.
- C. Sinclair, L. Pierce and S. Matzner, “An application of machine learning to network intrusion detection,” Proceedings 15th Annual Computer Security Applications Conference (ACSAC’99), Phoenix, AZ, USA, 1999, pp. 371-377, doi: 10.1109/CSAC.1999.816048.
- X. Bao, T. Xu and H. Hou, “Network Intrusion Detection Based on Support Vector Machine,” 2009 International Conference on Management and Service Science, Beijing, China, 2009, pp. 1-4, doi: 10.1109/ICMSS.2009.5304051.
- D. Farid and M. Z. Rahman, “Anomaly Network Intrusion Detection Based on Improved Self Adaptive Bayesian Algorithm,” Journal of Computers, vol. 5, no. 1, pp. 23-31, 2010, doi: 10.4304/jcp.5.1.23-31.
- Amarudin, R. Ferdiana and Widyawan, “A Systematic Literature Review of Intrusion Detection System for Network Security: Research Trends, Datasets and Methods,” 2020 4th International Conference on Informatics and Computational Sciences (ICICoS), Semarang, Indonesia, 2020, pp. 1-6, doi: 10.1109/ICICoS51170.2020.9299068.
- J. Lee, J. Kim, I. Kim and K. Han, “Cyber Threat Detection Based on Artificial Neural Networks Using Event Profiles,” in IEEE Access, vol. 7, pp. 165607-165626, 2019, doi: 10.1109/ACCESS.2019.2953095.
- N. A. S. Mirza, H. Abbas, F. A. Khan and J. Al Muhtadi, “Anticipating Advanced Persistent Threat (APT) countermeasures using collaborative security mechanisms,” 2014 International Symposium on Biometrics and Security Technologies (ISBAST), Kuala Lumpur, Malaysia, 2014, pp. 129-132, doi: 10.1109/ISBAST.2014.7013108.
- MITRE ATT&CK, “Design and Philosophy,” 2020 (available at https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf).