An intrusion detection system (IDS) or intrusion protection system (IPS) monitors network or host traffic looking for anomalies, intrusive activity or misuse. One method of detection is rule-based. For this method, the IDS/IPS compares network traffic to individual rules in a database of rules that define known attack styles (also referred to as signatures), vulnerabilities, and the like. When the IDS/IPS finds a match in the network traffic to a “signature” in its database of rules, it can take any designated action.
SNORT® is an example of a network intrusion prevention and detection system, and utilizes a rule-driven language based on known attack signatures. SNORT uses a state machine and fast pattern matcher to check whether information in network traffic match certain patterns. When a pattern end-state matches, each rule in a set of rules relevant to the matched pattern is applied to the network traffic. When SNORT detects an attack based on one of the rules, it performs the action designated in the rule.
The number of possible attacks, and hence the number of rules or signatures are increasing exponentially. Consequently, the amount of space for storing rules, and the amount of time for processing rules, is increasing enormously and threatens to become unmanageable.