AC-Suffix-Tree: Buffer Free String Matching on Out-of-Sequence Packets

Abstract

TCP and IP fragmentation can be used to evade signature detection at Intrusion Detection/Prevention System (IDS / IPS). Such fragments may arrive out-of-sequence to escape from being detected by the string matching algorithm of IDS / IPS. The common defense is buffering and reassembling packets. However, buffering of out-of-sequence packets can become impractical on high speed links due to limited fast memory capacity, especially when the concurrent flows are in large quantity, or extremely disordered in circumstances such as attacks. So such buffering strategy is vulnerable to memory exhausting denial of service (DoS). In this paper, AC-Suffix-Tree, a buffer free scheme for string matching is proposed, which detects patterns across out-of-sequence packets without buffering and reassembly. This novel algorithm associates the classical Aho-Corasick (AC) algorithm with a pattern suffix tree to search patterns with only the state numbers of AC automaton and suffix tree stored. It demands significantly less memory than buffering the packets themselves. Therefore the IDS can resist memory exhausting DoS attack. AC-Suffix-Tree consumes 1-2 orders of magnitude less memory than buffering the entire packet, and it has the same temporal complexity as AC algorithm when there are no out-of-sequence packets.