CSE 770 Paper Review

Reviewer: Amy Freestone
Date: 12-8-2005

How would you rate this paper, relative to others we have read? top 50%, but not top 25%

How would you rate your knowledge of the topic of this paper? novice

What problem or issue does the paper address? Why is it important?

The paper addresses the issue of string matching for intrusion detection systems, which is made difficult by the speed required and the large number of rules against which strings must be matched. It is important because string matching is an important part of intrusion detection and prevention, and it is also the most computationally complex part.

What are the main contributions of the paper and why are they important?

How significant are these contributions relative to previous work?

The authors claim a 10x improvement over previous techniques in terms of efficiency.

The technique presented by the paper allows for the update of the rules without interrupting the device's performance, an important improvement over previous techniques, which would require a device to be stopped while new rules were compiled and transferred to it.

Give detailed comments justifying your view of the paper.

While efficiency is an important metric, it seems an odd one to claim as the key metric. Performance speed would seem to be a better choice. A smaller area is nice, but it would seem that an algorithm with an increase in performance speed, even at the cost of a reasonable increase in area, would be a better algorithm for the purposes to which this one is put. Throughput is given at the end, and while the paper produces a definite increase in throughput, it is not nearly as dramatic as the increase in efficiency.

I am concerned by the statement "Because throughput, not latency, is the primary concern of our design the broadcast has limited overhead because it can be deeply pipelined if necessary." Even though throughput is vastly more important, there is a limit to how much latency there can be before the design causes a noticeable delay in the system.