Approximate Reduction of Finite Automata for High-Speed Network Intrusion Detection (Technical Report)
Milan Ceska, Vojtech Havlena, Lukas Holik, Ondrej Lengal and Tomas Vojnar

TL;DR
This paper introduces an approximate automaton reduction method for network intrusion detection systems that significantly reduces automaton size while maintaining low error rates, enabling high-speed network traffic analysis.
Contribution
It proposes a reduction technique for the non-deterministic automata used in hardware-accelerated NIDSes that trades a small, quantified probability of misclassifying packets (measured against the distribution of the network traffic) for size reductions well beyond those of existing language-preserving methods.
Findings
Achieves substantial automaton size reduction with controlled error
Demonstrates high efficiency on Snort NIDS use cases
Enables NIDS to handle faster network speeds
Abstract
We consider the problem of approximate reduction of non-deterministic automata that appear in hardware-accelerated network intrusion detection systems (NIDSes). We define an error distance of a reduced automaton from the original one as the probability of packets being incorrectly classified by the reduced automaton (wrt the probabilistic distribution of packets in the network traffic). We use this notion to design an approximate reduction procedure that achieves a great size reduction (much beyond the state-of-the-art language-preserving techniques) with a controlled and small error. We have implemented our approach and evaluated it on use cases from Snort, a popular NIDS. Our results provide experimental evidence that the method can be highly efficient in practice, allowing NIDSes to follow the rapid growth in the speed of networks.
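The error distance in the abstract is concrete enough to compute on a toy rule set. The following is an added Python example written for this page, not code from the paper or its authors: it builds one NFA for two constructed Snort-like content rules (RULES), applies two simple illustrative reductions (dropping a rarely matched rule, and accepting as soon as a prefix has been seen), and measures each reduction's error distance as the probability mass of a constructed packet distribution (TRAFFIC) on which the reduced and the original automaton disagree. The reductions, rules and traffic are stand-ins for the paper's procedure and its Snort use cases, not reproductions of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY = None  # transition label meaning "any byte"
Delta = Dict[int, List[Tuple[Optional[int], int]]]  # state -> [(label, target)]

@dataclass
class NFA:
    init: Set[int]
    final: Set[int]
    delta: Delta

    def states(self) -> Set[int]:
        return (self.init | self.final | set(self.delta)
                | {t for ts in self.delta.values() for _, t in ts})

    def accepts(self, payload: bytes) -> bool:
        """Subset simulation over the payload bytes (the NFA has no epsilon moves)."""
        cur = set(self.init)
        for b in payload:
            cur = {t for q in cur for l, t in self.delta.get(q, []) if l is ANY or l == b}
            if not cur:
                return False
        return bool(cur & self.final)

def build(rules: List[List[bytes]]) -> Tuple[NFA, List[Set[int]], List[List[int]]]:
    """One NFA for a rule set; rule [lit1, lit2] matches payloads containing lit1 and later
    lit2 (an unanchored /lit1.*lit2/). Also returns each rule's states and literal-end states."""
    delta: Delta = {0: [(ANY, 0)]}  # q0 scans the payload for the first literal
    final: Set[int] = set()
    owners, ends, fresh = [], [], 1
    for rule in rules:
        q, mine, lit_ends = 0, set(), []
        for lit in rule:
            for b in lit:
                delta.setdefault(q, []).append((b, fresh))
                q, fresh = fresh, fresh + 1
                mine.add(q)
            lit_ends.append(q)
            delta.setdefault(q, []).append((ANY, q))  # the .* gap; after the last literal, an accepting sink
        final.add(q)
        owners.append(mine)
        ends.append(lit_ends)
    return NFA({0}, final, delta), owners, ends

def trim(nfa: NFA) -> NFA:
    """Drop states unreachable from the initial states."""
    seen, stack = set(nfa.init), list(nfa.init)
    while stack:
        for _, t in nfa.delta.get(stack.pop(), []):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return NFA(nfa.init & seen, nfa.final & seen, {q: ts for q, ts in nfa.delta.items() if q in seen})

def prune(nfa: NFA, removed: Set[int]) -> NFA:
    """Under-approximation: delete states, so packets that needed them are now missed."""
    delta = {q: [(l, t) for l, t in ts if t not in removed] for q, ts in nfa.delta.items() if q not in removed}
    return trim(NFA(nfa.init - removed, nfa.final - removed, delta))

def accept_early(nfa: NFA, q: int) -> NFA:
    """Over-approximation: make q an accepting sink, so the suffix required after q is no longer checked."""
    delta = dict(nfa.delta)
    delta[q] = [(ANY, q)]
    return trim(NFA(set(nfa.init), set(nfa.final) | {q}, delta))

def error_distance(orig: NFA, red: NFA, traffic: List[Tuple[bytes, float]]) -> float:
    """Probability, under the packet distribution, that the reduced NFA disagrees with the original."""
    total = sum(p for _, p in traffic)
    return sum(p for w, p in traffic if orig.accepts(w) != red.accepts(w)) / total

RULES = [[b"GET ", b".php"], [b"POST ", b".cgi"]]  # constructed, Snort-like content rules
TRAFFIC = [  # constructed packet distribution (payload, probability), not a real capture
    (b"GET /index.php HTTP/1.1", 0.40),
    (b"GET /img/logo.png HTTP/1.1", 0.30),
    (b"POST /cgi-bin/login.cgi HTTP/1.1", 0.05),
    (b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03", 0.25),  # binary, non-HTTP payload
]

def demo() -> Dict[str, Tuple[int, float]]:
    """{reduction: (state count, error distance w.r.t. TRAFFIC)} for two candidate reductions."""
    orig, owners, ends = build(RULES)
    pruned = prune(orig, owners[1])         # drop the rarely matched POST rule entirely
    early = accept_early(orig, ends[0][0])  # accept as soon as "GET " has been seen
    return {
        "original": (len(orig.states()), 0.0),
        "prune POST rule": (len(pruned.states()), error_distance(orig, pruned, TRAFFIC)),
        "accept after GET": (len(early.states()), error_distance(orig, early, TRAFFIC)),
    }

if __name__ == "__main__":
    for name, (n, err) in demo().items():
        print(f"{name:18s} states={n:2d} error={err:.2f}")
```

The check this illustrates is the one a practitioner wants before deploying a reduced automaton: a structural reduction is cheap or expensive only relative to the traffic the NIDS actually sees, so the error must be measured against that distribution rather than read off the automaton. On the toy data, deleting the POST rule halves the state count (18 to 9) for an error of 0.05, while accepting on "GET " alone saves only four states and misclassifies 30% of the traffic.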
Taxonomy
Topics: Network Packet Processing and Optimization · Algorithms and Data Compression · Network Security and Intrusion Detection
