1. Field
The present disclosure generally relates to computer software, and more particularly to electronic security.
2. Description of the Related Art
The rapid development of electronic devices, the Internet, World Wide Web and E-commerce has made it increasingly important to be able to monitor the traffic going into and coming out of an electronic device. Monitoring such traffic, such as in a computer network, allows for the discovery of abnormal traffic that may be an indication of attacks from hackers or misuse of resources.
For computer networks, various network and computer security software, such as firewalls, Intrusion Detection Systems (IDSs), network monitors, and vulnerability assessment tools, have been developed to protect a network or host computer from abuse and hacking. IDSs are used to detect, alert on, and stop intrusions. Typically running on dedicated computers connected to the network, IDSs actively monitor network traffic for suspicious activity.
IDSs generally implement a signature-based approach in which attacks are detected by analyzing an incoming event (e.g., activity on the network or in the host) against every rule in a predefined set of rules (“rule set”). Each rule generally describes an IDS-specific set of network features (e.g., destination port, payload content) or system events (e.g., privileged file access, login time), and a response action is deployed when the event matches the description set in a predefined rule. Rule sets continue to grow in size as the use of computer systems increases. Although the time it takes to determine whether an incoming event matches a rule in the rule set (“event matching”) increases in proportion to the size of the rule set, there remains a demand for near real-time event matching.
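The following is an added illustration, not part of the present disclosure, of the signature-based event matching described above: each incoming event is compared against every rule in the rule set, so the number of comparisons grows linearly with the rule set. The `Rule` and `Event` types, the rule identifiers, the byte patterns, and the sample events are all constructed for this example and are not taken from any real IDS.

```python
"""Added example (not part of the original disclosure): a minimal
signature-based IDS rule matcher.

Every incoming event is compared against every rule in the rule set
(a linear scan), so matching cost grows with the number of rules.
Rule fields, rule ids and sample events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # response action, e.g. "alert" or "drop"
    dst_port: Optional[int] = None   # None means "any destination port"
    content: Optional[bytes] = None  # byte pattern that must appear in the payload
    msg: str = ""


@dataclass
class Event:
    dst_port: int
    payload: bytes


@dataclass
class MatchResult:
    actions: list          # (rule_id, action, msg) for every rule that matched
    rules_checked: int     # number of rules compared, to show the linear cost


def rule_matches(rule: Rule, event: Event) -> bool:
    """A rule matches only if every feature it specifies matches the event."""
    if rule.dst_port is not None and rule.dst_port != event.dst_port:
        return False
    if rule.content is not None and rule.content not in event.payload:
        return False
    return True


def match_event(rules: list, event: Event) -> MatchResult:
    """Compare one event against the whole rule set and collect all hits."""
    hits = []
    for rule in rules:
        if rule_matches(rule, event):
            hits.append((rule.rule_id, rule.action, rule.msg))
    return MatchResult(actions=hits, rules_checked=len(rules))


# Constructed sample rule set (hypothetical ids, ports and patterns).
RULE_SET = [
    Rule(1, "alert", dst_port=80, content=b"../../", msg="HTTP path traversal attempt"),
    Rule(2, "alert", dst_port=22, msg="inbound SSH connection"),
    Rule(3, "drop", content=b"\x90\x90\x90\x90", msg="NOP sled in payload"),
]

# Constructed sample events: one web request, one TLS handshake, one SSH banner.
SAMPLE_EVENTS = [
    Event(80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Event(443, b"\x16\x03\x01 client hello"),
    Event(22, b"SSH-2.0-OpenSSH"),
]


def run_demo() -> list:
    """Match every sample event and return one MatchResult per event."""
    return [match_event(RULE_SET, ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, run_demo()):
        print(f"port {ev.dst_port}: checked {res.rules_checked} rules -> {res.actions}")
```

The `rules_checked` field makes the cost visible: with three rules every event costs three comparisons, and with a rule set of several thousand rules the same linear scan costs several thousand comparisons per event, which is the scaling problem the paragraph above refers to.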