
Packet content inspection: Repetition-based methodologies and hardware implementation

Posted on: 2011-06-05
Degree: Ph.D
Type: Dissertation
University: The University of Texas at Dallas
Candidate: Faezipour, Miad
Full Text: PDF
GTID: 1448390002952879
Subject: Engineering
Abstract/Summary:
Today's network intrusion detection systems (NIDS) are expected to thoroughly analyze packet contents to identify any traces of suspicious activity such as worms or viruses. Internet threats are either completely new and unknown, or previously known. In the former case we must identify worm outbreaks never seen before; in the latter we scan data packets for traces of previously known or pre-defined worm signatures. This dissertation addresses both cases, and its main contribution is twofold. First, we look for frequently repeated strings in a packet stream to detect worm outbreaks. A novel real-time worm outbreak detection system using two-phase hashing is proposed. We use the concept of shared counters to minimize memory cost while efficiently sifting through packet contents to find suspicious strings. We have implemented the system on reconfigurable hardware and tested it for various settings and packet stream sizes. Experimental results verify that the system can sustain gigabit line rates with negligible false positives and false negatives. Second, we investigate a more efficient implementation of NIDS rules using regular expressions that represent suspicious or malicious character sequences in packet payloads. We introduce a new building block, based on a hardware implementation of Non-deterministic Finite Automata (NFA), to support complex constraint repetitions in regular expressions. We report hardware implementation results that verify the overall performance.
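The two-phase hashing with shared counters described above is illustrated here in software. This is an added example written for this page, not code from the dissertation, and its structure (a count-min style bank of shared counters as phase 1, an exact table that only promoted candidates enter as phase 2, the window size, table size and thresholds) is an assumption about how such a scheme can be arranged, not the author's design. The packet stream, the repeated "signature" string and all parameters are constructed for the demo.

```python
import hashlib
import random
from collections import Counter

# Parameters are assumptions for this illustration, not the dissertation's values.
WINDOW = 8            # bytes hashed per payload position
TABLE_SIZE = 8192     # shared counters per hash row
NUM_HASHES = 3        # rows; each chunk touches one counter per row
PROMOTE = 5           # shared-counter estimate that promotes a chunk to phase 2
CONFIRM = 3           # exact recurrences after promotion needed to report


def _indices(chunk):
    """Derive NUM_HASHES counter indices from one digest of the chunk."""
    digest = hashlib.blake2b(chunk, digest_size=4 * NUM_HASHES).digest()
    return [int.from_bytes(digest[4 * i:4 * i + 4], "little") % TABLE_SIZE
            for i in range(NUM_HASHES)]


class SharedCounters:
    """Phase 1: rows of counters shared by every chunk that hashes to them.
    Memory is fixed (NUM_HASHES * TABLE_SIZE ints) no matter how many distinct
    strings pass through; hash collisions can only over-estimate a count."""

    def __init__(self):
        self.rows = [[0] * TABLE_SIZE for _ in range(NUM_HASHES)]

    def add_and_estimate(self, chunk):
        est = None
        for row, idx in zip(self.rows, _indices(chunk)):
            row[idx] += 1
            est = row[idx] if est is None else min(est, row[idx])
        return est  # minimum over rows is an upper bound on the true count


class RepeatedStringDetector:
    def __init__(self):
        self.phase1 = SharedCounters()
        self.phase2 = Counter()  # exact counts, kept only for promoted chunks

    def feed(self, payload):
        for i in range(len(payload) - WINDOW + 1):
            chunk = payload[i:i + WINDOW]
            if chunk in self.phase2:
                self.phase2[chunk] += 1          # already promoted: count exactly
            elif self.phase1.add_and_estimate(chunk) >= PROMOTE:
                self.phase2[chunk] = 1           # promote on a hot estimate

    def suspicious(self):
        # A chunk that merely collided with hot counters rarely recurs, so the
        # exact stage filters phase-1 false positives before anything is reported.
        return {c for c, n in self.phase2.items() if n >= CONFIRM}


SIGNATURE = b"::constructed-worm-signature::"   # constructed, not a real IoC


def run_demo(packets=40, every=4, inject=True, seed=1):
    """Feed a constructed stream: pseudo-random payloads, with SIGNATURE
    embedded in every `every`-th packet when inject is True."""
    rng = random.Random(seed)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    det = RepeatedStringDetector()
    for i in range(packets):
        body = SIGNATURE if inject and i % every == 0 else rand(len(SIGNATURE))
        det.feed(rand(40) + body + rand(40))
    return det.suspicious()


if __name__ == "__main__":
    for chunk in sorted(run_demo()):
        print(chunk)
```

With these settings the signature appears in 10 of 40 packets, every 8-byte window of it crosses the phase-1 threshold on its fifth sighting, and the following sightings confirm it in phase 2; the pseudo-random filler never recurs, so nothing else is reported. The phase-1 estimate is an upper bound on the true count, which is why a rare chunk can be promoted but cannot be confirmed.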
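The constraint repetition problem mentioned in the second contribution is illustrated below with a small software model of a counting NFA. This is an added example for this page, not the dissertation's hardware building block: a pattern is reduced to items of the form (byte, lo, hi), each NFA thread carries a repetition counter instead of unrolling `b{2,4}` into separate states, and the pattern `a b{2,4} c` plus all test strings are constructed for the demo. A parser from regex syntax to these items is assumed to exist and is not shown.

```python
# Pattern items are (byte, lo, hi): the byte must repeat between lo and hi
# times, inclusive. Constructed example: the regex  a b{2,4} c
PATTERN = [(ord("a"), 1, 1), (ord("b"), 2, 4), (ord("c"), 1, 1)]


def _closure(threads, pattern):
    """Follow epsilon moves: a thread that has met item i's minimum may also
    start item i+1 with its counter reset to zero. Thread = (item, count)."""
    work, seen = list(threads), set(threads)
    while work:
        i, cnt = work.pop()
        if i < len(pattern) and cnt >= pattern[i][1]:
            nxt = (i + 1, 0)
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen


def matches(pattern, data):
    """Anchored match: True when data lies exactly in the pattern's language.
    The live thread set is bounded by sum(hi) + len(pattern), independent of
    the input, which is what makes a counter-based block attractive in hardware."""
    threads = _closure({(0, 0)}, pattern)
    for b in data:
        stepped = set()
        for i, cnt in threads:
            if i < len(pattern):
                ch, lo, hi = pattern[i]
                if b == ch and cnt < hi:          # upper bound enforced here
                    stepped.add((i, cnt + 1))
        threads = _closure(stepped, pattern)
        if not threads:                           # every thread died: reject early
            return False
    return (len(pattern), 0) in threads           # accept only past the last item


if __name__ == "__main__":
    for s in (b"abbc", b"abbbbc", b"abc", b"abbbbbc", b"abb"):
        print(s, matches(PATTERN, s))
```

For a NIDS payload scan the start thread `(0, 0)` would be re-added on every input byte to search for the pattern anywhere rather than only at offset zero; the counter logic is unchanged.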
In the final part of this dissertation, we investigate practical applications of the proposed algorithms, mainly biomedical signal classification and various networking applications that require some abnormality/irregularity detection.

Keywords: Network intrusion detection system, repeated strings, hashing, shared counters, false positive, false negative, worm outbreak, non-deterministic finite automata, regular expression, constraint repetition inspection, vehicle-area-networks, biomedical signal classification.
Keywords/Search Tags: Packet, Hardware, Worm, Implementation, Detection, System, False