
JECET; March 2015-May 2015; Sec. B; Vol.4.No.2, 149-157.
E-ISSN: 2278179X

Journal of Environmental Science, Computer Science and Engineering & Technology
An International Peer Review E-3 Journal of Sciences and Technology
Available online at www.jecet.org

Section B: Computer Science
Research Article

Intrusion Detection System Using Pattern Matching Algorithms

P. Nagaraju
Asst. Professor, Department of Computer Science Engineering
GMR Institute of Technology, Rajam, Andhra Pradesh, India


Received: 5 March 2015; Revised: 21 March 2015; Accepted: 27 March 2015

Abstract: An intrusion detection system is a device or software application that monitors network or system activities for malicious activity or policy violations. The two types of intrusion detection systems are network based and host based. This paper discusses only network based intrusion detection. Three methodologies are used to detect intrusions on the network: signature based, anomaly based and state-ful protocol analysis. This paper is based on intrusion detection using pattern matching algorithms. Brute force and Knuth-Morris-Pratt are two single keyword pattern matching algorithms that detect intrusions in the payload part of the packet. String matching consists in finding one or more occurrences of a pattern in a text (input).
Keywords: Intrusion Detection System (IDS), Network Based IDS, state-ful protocol, IDPS, Pattern Matching.
INTRODUCTION
An intrusion can be termed as an unauthorized entry to another's property or area, but in terms of computer science it is the set of activities that compromise the basic computer network security goals, viz. confidentiality, integrity and privacy. Intrusion detection is the process of monitoring the events occurring in a computer system or network and analysing them for signs of possible incidents: threats and violations of computer security practices, acceptable use policies or standard security policies. An Intrusion Detection System (IDS) is a software or hardware component that automates the intrusion detection process. It is designed to monitor the events occurring in a computer system and network and to respond to events that show signs of possible incidents or violations of security policies.

History and Development: Securing data has been a prominent issue ever since the inception of computers and their enormous range of applications. Intrusion detection has been an active field of research for more than three decades now. It started with the publication of John Anderson's "Computer Security Threat Monitoring and Surveillance" in 1980, which is one of the earliest research papers in this field. Dorothy Denning's seminal paper "An Intrusion Detection Model", published in 1987, provided a methodological framework that inspired a number of researchers. Since then, for the past two decades, despite substantial research and huge commercial investments, intrusion detection technology remains immature and ineffective. In the early days of computers, hackers rarely used automated tools to break into systems. They were intelligent, with a high level of expertise, and followed their own methodology to perform such actions. The recent scenario is quite different. A wide number of intrusion tools and exploit scripts are now available that capitalize on widely known vulnerabilities. Figure 1 depicts the relationship between attack sophistication and intruder technical knowledge from 1980 to the present day. Before the development of modern IDS, intrusion detection consisted of a manual search for anomalies. Due to the availability of adequate processing speed, it has now become possible not only to look for attack patterns after the event has occurred, but also to monitor in real time and trigger alerts if intrusions are detected.

Figure 1: Attack Sophistication vs Intruder Technical Knowledge


Intrusion Detection: Intrusion detection systems help information systems prepare for, and deal with, attacks. They accomplish this by collecting information from a variety of system and network sources, and then analysing the information for possible security problems. An intrusion detection system performs:
- Monitoring and analysis of user and system activity.
- Auditing of system configurations and vulnerabilities.
- Assessing the integrity of critical system and data files.
- Statistical analysis of activity patterns based on matching to known attacks.
- Abnormal activity analysis and operating system audit [1].

Methodologies of IDS: An intrusion detection system uses many methodologies to detect incidents. Most Intrusion Detection and Prevention System (IDPS) technologies use multiple detection methodologies, either separately or integrated, to provide broader and more accurate detection.


A. Signature Based Detection: A signature is a pattern that corresponds to a known threat. Signature based detection is the process of comparing signatures against observed events to identify possible incidents. It is very effective at detecting known threats but largely ineffective at detecting previously unknown threats. Example: an email with the subject "free pictures" and an attachment filename of freepics.exe; these characteristics are a known form of malware. If attackers modify the file name freepics.exe to freepics1.exe, signature based detection will not be able to detect this malware. Limitations: it cannot detect previously unknown threats [2].
B. Anomaly Based Detection: Anomaly based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly based detection has profiles that represent the normal behaviour of such things as users, hosts, network connections or applications. The profile is developed by monitoring the characteristics of typical activity over a period of time, such as the number of emails sent by a user, the number of failed login attempts for a host and the level of processor usage for a host. Anomaly based detection is very effective at detecting previously unknown threats. Limitations: building the profile is very challenging [2].
C. State-ful Protocol Analysis: State-ful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. It relies on vendor-developed universal profiles that specify how a particular protocol should and should not be used. The "state-ful" in state-ful protocol analysis means that the IDPS is capable of understanding and tracking the state of network, transport and application protocols that have a notion of state. Limitations: it is limited to examining a single request or response; many attacks cannot be detected by looking at one request, since the attack may involve a series of requests [2].
Types of Intrusion Detection System: There are many types of IDS technologies, based on the type of events that they monitor and the ways in which they are deployed. In this paper we discuss the following four types:
- Network Based IDS
- Wireless IDS
- Network Behaviour Anomaly Detection
- Host Based IDS

Network Based IDS: A network based IDS (NIDS) monitors network traffic for a particular network segment and analyses the network and application protocol activity to identify suspicious activity. It is most commonly deployed at a boundary between networks, such as in routers, firewalls, virtual private networks, etc. The main disadvantage of this type of IDS is that it is a single point of failure. Moreover, it is weak against DoS attacks. It monitors the whole network and is deployed at the boundary of the network, but it is not suitable for securing each of the hosts within the network: if an intruder can bypass it, all the systems within the network would be in trouble. Figure 2 depicts the functioning of NIDS.


Wireless IDS: A wireless local area network (WLAN) IDS is similar to a NIDS in that it can analyse network traffic. However, it will also analyse wireless-specific traffic, including scanning for external users trying to connect to access points (APs), rogue APs, users outside the physical area of the company, and WLAN IDSs built into APs. As networks increasingly support wireless technologies at various points of a topology, WLAN IDS will play a larger role in security. Many previous NIDS tools will include enhancements to support wireless traffic analysis.
Network Behaviour Anomaly Detection: Network behaviour anomaly detection (NBAD) views traffic on network segments to determine if anomalies exist in the amount or type of traffic. Segments that usually see very little traffic, or that see only a particular type of traffic, may change in the amount or type of traffic if an unwanted event occurs. NBAD requires several sensors to create a good snapshot of a network, and requires benchmarking and baselining to determine the nominal amount of a segment's traffic.
Host Based IDS: In host-based IDS (HIDS) technology, software agents are installed on each of the computer hosts of the network to monitor the events occurring within that host only. HIDS analyse network traffic and system-specific settings such as software calls, local security policy, local log audits, and more. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. HIDS are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information. HIDS overcome the problem incurred in network based IDS technology of securing individual hosts in the network, but they cause a substantial overhead for the hosts running them. Figure 3 depicts the functioning of HIDS.


Architecture of Signature Based Network IDS: SNORT is a signature based NIDS. SNORT can be divided into five major components, each critical to intrusion detection. The first is the packet capturing mechanism: SNORT relies on an external packet capturing library (libpcap) to sniff packets. After packets have been captured in raw form, they are passed to the packet decoder, which is the first step in SNORT's own architecture. The packet decoder translates specific protocol elements into an internal data structure [3]. After the initial packet capture and decode is completed, traffic is handled by the pre-processors. Any number of pluggable pre-processors either examine or manipulate packets before handing them to the next component, the detection engine. The detection engine performs simple tests on a single aspect of each packet to detect intrusions. The last component is the output plugins, which generate alerts to present suspicious activity to the user [4].

Figure 4: SNORT Architecture

Single Keyword Pattern Matching Algorithm: Single keyword pattern matching algorithms detect intrusions in the payload. String matching is finding a substring (called a pattern) within another string (called a text). Pattern and text are strings built over a fixed and finite non-empty alphabet, and the output is all occurrences of the pattern in the text.
Keyword/pattern is denoted as x = x[0 .. m-1], where m = length of the pattern.
Text/input is denoted as y = y[0 .. n-1], where n = length of the input [10].
Brute Force Algorithm: The brute force algorithm is a very trivial string matching algorithm. It consists in checking, at each position from 0 to n-m of the text, a window of size m against the pattern. This is done by comparing every character in the pattern with the corresponding character in the text. If all the characters match, then it is said to be a match, or the data is intruded [1].
Algorithm 1 Brute Force Single-Keyword Matching Algorithm
procedure Brute_Force(x, m, y, n)
  // Input:
  // x = array of m bytes representing the keyword
  // m = integer representing the keyword length
  // y = array of n bytes representing the text input
  // n = integer representing the text length
  for j = 0 to n - m do              // every window position in y
    i = 0
    while i < m and x[i] = y[i + j] do
      i = i + 1                      // i = count of matching characters
    end while
    if i >= m then
      output j                       // keyword found at shift j
    end if
  end for
end procedure
Main points: Here we outline the main features of the above algorithm.
- No pre-processing phase.
- Constant space required: no extra memory is needed other than the storage for the pattern and text.
- Always shifts the window by one position to the right.
- Character comparisons can be done in any order.
- Searching phase has O(mn) time complexity.
- Expected number of character comparisons is 2n [4].


Example: Input AAAAAAAAHAAAAAAAAAAAAAH, Pattern AAAAH
1) AAAAAAAAHAAAAAAAAAAAAAH
   AAAAH                      5 comparisons made
2) AAAAAAAAHAAAAAAAAAAAAAH
    AAAAH                     5 comparisons made
3) AAAAAAAAHAAAAAAAAAAAAAH
     AAAAH                    5 comparisons made
4) AAAAAAAAHAAAAAAAAAAAAAH
      AAAAH                   5 comparisons made
5) AAAAAAAAHAAAAAAAAAAAAAH
       AAAAH                  5 comparisons made; the pattern is found, which means the input is intruded.
Knuth-Morris-Pratt Algorithm: Knuth, Morris and Pratt proposed a string matching algorithm that turns the search string into a finite state machine, and then runs the machine with the string to be searched as the input string. KMP is a linear time algorithm for the string matching problem. A matching time of O(n) is achieved by avoiding comparisons with elements of S that have previously been involved in a comparison with some element of the pattern p to be matched, i.e., backtracking on the string S never occurs.
Components of KMP algorithm: The prefix function for a pattern encapsulates knowledge about how the pattern matches against shifts of itself. This information can be used to avoid useless shifts of the pattern p. In other words, it enables avoiding backtracking on the string S [5].


The KMP Matcher: With string S, pattern p and prefix function π as inputs, it finds the occurrence of p in S and returns the number of shifts of p after which the occurrence is found [4]. The following pseudocode computes the prefix function π:

Compute-Prefix-Function(p)
  m ← length[p]                  // p: pattern to be matched
  π[1] ← 0
  k ← 0
  for q ← 2 to m
    do while k > 0 and p[k+1] ≠ p[q]
         do k ← π[k]
       if p[k+1] = p[q]
         then k ← k + 1
       π[q] ← k
  return π

The KMP Matcher:
The KMP Matcher, with pattern p, string S and prefix function π as input, finds a match of p in S. The following pseudocode computes the matching component of the KMP algorithm:

KMP-Matcher(S, p)
  n ← length[S]
  m ← length[p]
  π ← Compute-Prefix-Function(p)
  q ← 0                          // number of characters matched
  for i ← 1 to n                 // scan S from left to right
    do while q > 0 and p[q+1] ≠ S[i]
         do q ← π[q]
       if p[q+1] = S[i]
         then q ← q + 1           // next character matches
       if q = m                   // is all of p matched?
         then print "Pattern occurs with shift" i − m
              q ← π[q]            // look for the next match [6]

Main points: The main points of the Knuth-Morris-Pratt algorithm are outlined below.
- Performs the comparisons from left to right.
- Pre-processing phase in O(m) space and time complexity.
- Searching phase in O(n+m) time complexity.
- Delay bounded by log(m) [7].


Example: Input AAAAAAAAAHAAAAAAAAAAAAAH, Pattern AAAAH
1) AAAAAAAAAHAAAAAAAAAAAAAH
   AAAAH                      5 comparisons made
2) AAAAAAAAAHAAAAAAAAAAAAAH
    AAAAH                     1 comparison made
3) AAAAAAAAAHAAAAAAAAAAAAAH
     AAAAH                    1 comparison made
4) AAAAAAAAAHAAAAAAAAAAAAAH
      AAAAH                   1 comparison made
5) AAAAAAAAAHAAAAAAAAAAAAAH
       AAAAH                  1 comparison made
6) AAAAAAAAAHAAAAAAAAAAAAAH
        AAAAH                 1 comparison made
The pattern is found after 10 comparisons, which is fewer than the brute force algorithm needs.
Comparison between BF and KMP Algorithms:
1) KMP performs the comparisons from left to right; in BF, character comparisons can be done in any order.
2) KMP performs a pre-processing phase in O(m) space and time complexity; in BF, the searching phase has O(mn) time complexity.
3) The KMP searching phase is O(n+m), while BF makes about 2n comparisons on average.
4) KMP has a pre-processing phase; BF has no pre-processing phase.
5) In BF, constant space is required; no extra memory is needed other than the storage for the pattern and text.

KMP needs extra space and time for pre-processing [8, 9]. If the pattern is small (1 to 3 characters long) it is better to use the naive algorithm; otherwise, when the alphabet size is large, the Knuth-Morris-Pratt algorithm is a good choice.
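To make the brute force and KMP sections above concrete, the following is an added Python example (not code from the paper): it implements Algorithm 1 and the KMP matcher with comparison counters and runs both over a constructed packet payload containing the paper's keyword AAAAH, so the comparison counts the two sections argue about can be measured. The payload bytes, the SIGNATURE constant and the scan_payload helper are assumptions made for illustration.

```python
def brute_force(x: bytes, y: bytes):
    """Algorithm 1: return (shifts where x occurs in y, character comparisons made)."""
    m, n = len(x), len(y)
    shifts, comparisons = [], 0
    for j in range(n - m + 1):          # every window position j = 0 .. n-m
        i = 0
        while i < m:
            comparisons += 1
            if x[i] != y[i + j]:
                break                   # mismatch: slide the window one position right
            i += 1
        if i >= m:
            shifts.append(j)
    return shifts, comparisons

def compute_prefix_function(p: bytes):
    """pi[q] = length of the longest proper prefix of p[:q+1] that is also its suffix."""
    m = len(p)
    pi = [0] * m
    k = 0
    for q in range(1, m):
        while k > 0 and p[k] != p[q]:
            k = pi[k - 1]
        if p[k] == p[q]:
            k += 1
        pi[q] = k
    return pi

def kmp_matcher(p: bytes, s: bytes):
    """KMP-Matcher: return (shifts where p occurs in s, character comparisons made)."""
    m = len(p)
    pi = compute_prefix_function(p)
    shifts, comparisons, q = [], 0, 0   # q = pattern characters matched so far
    for i in range(len(s)):             # s is scanned once and never backtracked
        while q > 0:                    # on mismatch fall back through pi, not through s
            comparisons += 1
            if p[q] == s[i]:
                break
            q = pi[q - 1]
        comparisons += 1                # the "if p[q+1] = S[i]" test of the pseudocode
        if p[q] == s[i]:
            q += 1
        if q == m:
            shifts.append(i - m + 1)    # 0-based shift of the occurrence
            q = pi[q - 1]               # keep looking for the next match
    return shifts, comparisons

# Constructed packet payload (assumption): an HTTP-looking prefix followed by the
# paper's example text (8 A's, H, 13 A's, H). SIGNATURE is the paper's single keyword.
PAYLOAD = b"GET /index.html " + b"A" * 8 + b"H" + b"A" * 13 + b"H"
SIGNATURE = b"AAAAH"

def scan_payload(payload: bytes = PAYLOAD, signature: bytes = SIGNATURE):
    """Run both matchers over one payload; an IDS would alert when any shift is found."""
    bf_shifts, bf_cmp = brute_force(signature, payload)
    kmp_shifts, kmp_cmp = kmp_matcher(signature, payload)
    return {"alert": bool(kmp_shifts), "agree": bf_shifts == kmp_shifts,
            "shifts": kmp_shifts, "brute_force_comparisons": bf_cmp,
            "kmp_comparisons": kmp_cmp}
```

Both matchers report every occurrence of the keyword (the paper's examples stop at the first), so the counts cover the whole payload; the KMP count is lower because the fallback through pi never re-reads payload bytes.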


CONCLUSION
A network based intrusion detection system can detect small attacks or the stepping stones of a big attack. Signature based IDS play an important role in NBIDS, but with time new malicious data with new patterns may appear; updating the signature patterns is very important and difficult, otherwise the system cannot detect new attacks. Different algorithms are used for ID, but a good algorithm is one that is fast and takes less space in matching. SNORT and SAX2 are mainly signature based IDS. SAX2 is faster, has a GUI, and drops fewer packets.
REFERENCES
1. J. P. Anderson; Computer Security Threat Monitoring and Surveillance, tech. report; James P. Anderson Co., Fort Washington, Pa; 1980.
2. D. E. Denning; An Intrusion Detection Model, IEEE Trans. Software Eng.; Feb 1987, 13(2), 222-232.
3. Martin Roesch; Snort: Lightweight Intrusion Detection for Networks, Internet; 1999, 1-11.
4. James Kelly; An Examination of Pattern Matching Algorithms for Intrusion Detection Systems, Internet; August 2006, 1-208.
5. B. Raju and B. Srinivas; Network Intrusion Detection System Using KMP Pattern Matching Algorithm, IJCST; January 2012, 33-36.
6. C. U. Chauhan and V. A. Gulhane; Signature Based Rule Matching Technique in Network Intrusion Detection System, Internet; April 2012, 412-416.
7. Siddharth Saha; Network Intrusion Detection System Using String Matching, Internet; 2010, 1-46.
8. Nimisha Singla, Deepak Garg; String Matching Algorithms and their Applicability in various Applications, Internet; January 2012, 218-222.
9. Faisal Mahmood; Intrusion Detection System using Sax 2.0 and Wireshark 1.2.2, Internet; 2009, 1-19.
10. Bhavanisunke; Research and Analysis of Network Intrusion Detection Systems, Internet; 2008, 1-88.
11. David Geer; Behavior-Based Network Security Goes Mainstream, IEEE; March 2006, 14-17.
12. Different Types of Network Attacks and Security Threats and Counter Measures, Internet, 1-5.
13. James Kelly; An Examination of Pattern Matching Algorithms for Intrusion Detection Systems, Internet; August 2006, 1-208.
14. J. Allen et al; State of the Practice of Intrusion Detection Technologies, Tech Report CMU/SEI-99-TR-028, Carnegie Mellon Univ., Software Engineering Inst., Pittsburgh; 2000.

Corresponding Author: P. Nagaraju
Asst. Professor, Department of Computer Science Engineering
GMR Institute of Technology, Rajam, Andhra Pradesh, India
