ABSTRACT

The scale of the Internet has grown explosively to a giant open network. Unfortunately, network attacks require little effort and monetary investment to create, are difficult to trace, and can be launched from virtually anywhere on the globe [1]. A network intrusion detection system (NIDS) [2,3] is a critical network security facility that helps protect high-speed computer networks from malicious users. A NIDS examines network communications, identifies patterns of attacks, and then takes action either to terminate the connections or to alert system administrators. While various techniques have been proposed for advanced NIDS, the most widely deployed is the signature-based NIDS. A signature-based NIDS, such as Snort [3], employs thousands of rules that contain intrusion patterns. Each Snort rule is divided into two logical sections: the rule header and the rule options. The rule header contains the rule’s action and a classification filter that consists of five fixed fields: protocol, source IP address, source port, destination IP address, and destination port. The rule options contain alert messages and pattern information on how a packet payload should be inspected.
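As an added illustration (not code from the paper or from Snort itself), the following Python splits a rule into the two sections described above and applies the header's five-field classification filter to a packet's 5-tuple. It assumes standard Snort rule grammar for the `->` direction token, `!` negation and `lo:hi` port ranges, handles only one-line rules with a `->` header, and the sample rule is constructed for this example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample rule (not taken from any real ruleset); the sid is in the local range.
EXAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 80 '
                '(msg:"WEB-MISC constructed example"; content:"GET /admin"; sid:1000001; rev:1;)')

# Header = action, protocol, src IP, src port, '->', dst IP, dst port; options follow in parentheses.
HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
SnortRule = namedtuple("SnortRule", "action protocol src_ip src_port dst_ip dst_port options")

def parse_rule(text: str) -> SnortRule:
    """Split a one-line Snort rule into its header fields and an option map."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule syntax: " + text)
    *header, body = m.groups()
    options = {}
    for opt in body.split(";"):  # naive split: assumes no ';' inside quoted option values
        key, _, value = opt.strip().partition(":")
        if key:
            options[key] = value.strip().strip('"')
    return SnortRule(*header, options)

def ip_matches(spec: str, ip: str) -> bool:
    """'any', a single address or CIDR block, optionally negated with a leading '!'."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a range lo:hi with either end open, optionally negated."""
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    hit = int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo)
    return hit != spec.startswith("!")

def header_matches(rule: SnortRule, proto: str, sip: str, sport: int, dip: str, dport: int) -> bool:
    """Classification filter: does the packet's 5-tuple pass the rule header? ('ip' rules match any protocol.)"""
    return (rule.protocol in ("ip", proto)
            and ip_matches(rule.src_ip, sip) and port_matches(rule.src_port, sport)
            and ip_matches(rule.dst_ip, dip) and port_matches(rule.dst_port, dport))

if __name__ == "__main__":
    rule = parse_rule(EXAMPLE_RULE)
    print(rule.options["msg"], header_matches(rule, "tcp", "10.0.0.5", 51234, "192.168.1.20", 80))
```

Only packets that pass the header filter would go on to the payload inspection that the rule options describe; that second stage is not shown here.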