Referenced Items are not available for this document.
Current security tools, using “signature-based” detection, do not handle compressed traffic, whose market-share is constantly increasing. This paper focuses on compressed HTTP traffic. HTTP uses GZIP compression and requires some kind of decompression phase before performing a string matching. We present a novel algorithm, Aho-Corasick-based algorithm for Compressed HTTP (ACCH), that takes advantage of information gathered by the decompression phase in order to accelerate the commonly used Aho-Corasick pattern-matching algorithm. By analyzing real HTTP traffic and real Web application firewall signatures, we show that up to 84% of the data can be skipped in its scan. Surprisingly, we show that it is faster to perform pattern matching on the compressed data, with the penalty of decompression, than on regular traffic. As far as we know, we are the first paper that analyzes the problem of “on-the-fly” multipattern matching on compressed HTTP traffic and suggest a solution.
Published in:
Networking, IEEE/ACM Transactions on
(Volume:20
,
Issue:
3
)
Date of Publication: June 2012
- Page(s):
- 970 - 983
- ISSN :
- 1063-6692
- INSPEC Accession Number:
- 12786491
- Digital Object Identifier :
- 10.1109/TNET.2011.2172456
- Product Type:
- Journals & Magazines
- Date of Publication :
- 27 October 2011
- Date of Current Version :
- 12 June 2012
- Issue Date :
- June 2012
- Sponsored by :
- Association for Computing Machinery
About IEEE Xplore | Contact | Help | Terms of Use | Nondiscrimination Policy | Site Map | Privacy & Opting Out of Cookies
A not-for-profit organization, IEEE is the world's largest professional association for the advancement of technology.
© Copyright 2013 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.
