Reducing payload scans for attack signature matching using rule classification

Sunghyun Kim, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engine needs to decide quickly whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great many attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing the heavy operation of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare as few attack patterns as possible. In this paper, we propose a method which reduces payload scans by integrating the processing of protocol fields with the classification of payload signatures. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort by over 6.5% for web traffic.

Original language: English
Title of host publication: Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings
Publisher: Springer Verlag
Number of pages: 11
ISBN (Print): 3540699716, 9783540699712
Publication status: Published - 2008
Event: 13th Australasian Conference on Information Security and Privacy, ACISP 2008 - Wollongong, NSW, Australia
Duration: 2008 Jul 7 → 2008 Jul 9

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5107 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Other: 13th Australasian Conference on Information Security and Privacy, ACISP 2008
City: Wollongong, NSW

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)
