CSE 770 Paper Review

Reviewer: Manfred Georg
Date: 12-8-2005

How would you rate this paper, relative to others we have read? top 50%, but not top 25%

How would you rate your knowledge of the topic of this paper? novice

What problem or issue does the paper address? Why is it important?

This paper considers intrusion detection systems. There is a high demand for very fast, robust intrusion detection systems. Furthermore, current systems may have trouble scaling to even faster links.

What are the main contributions of the paper and why are they important?

This paper considers a new algorithm which splits each incoming byte into its constituent bits and sends them to separate modules which run the Aho-Corasick algorithm. Results are gathered from all the modules, which themselves are split into smaller subsystems.
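The bit-split matching summarized above, as an added illustration written for this page rather than code from the paper or its authors: the full Aho-Corasick automaton is built over bytes, then each of the eight bit positions gets its own two-symbol state machine by subset construction, each state carrying a partial match vector (PMV), and a pattern is reported only when all eight PMVs contain it. The class and method names (BitSplitAC, scan, bit_reports) are chosen for this example; patterns and inputs are constructed.

```python
from collections import deque

class BitSplitAC:
    def __init__(self, patterns):
        self.patterns = [p.encode() if isinstance(p, str) else bytes(p) for p in patterns]
        self._build_full_automaton()
        self.bits = [self._bit_machine(b) for b in range(8)]  # per bit: (start, transitions, PMV per state)
    def _build_full_automaton(self):
        goto, out = [{}], [set()]                              # trie edges, ids of patterns ending at each state
        for i, p in enumerate(self.patterns):
            s = 0
            for c in p:
                if c not in goto[s]:
                    goto[s][c] = len(goto); goto.append({}); out.append(set())
                s = goto[s][c]
            out[s].add(i)
        fail, order, q = [0] * len(goto), [0], deque(goto[0].values())
        while q:                                               # BFS: failure links and output propagation
            s = q.popleft(); order.append(s)
            for c, t in goto[s].items():
                f = fail[s]
                while f and c not in goto[f]:
                    f = fail[f]
                fail[t] = goto[f].get(c, 0)
                out[t] |= out[fail[t]]; q.append(t)
        self.out, self.delta = out, [[0] * 256 for _ in goto]  # full DFA with failure links resolved
        for s in order:                                        # fail[s] is always filled in before s
            self.delta[s] = [goto[s].get(c, self.delta[fail[s]][c]) for c in range(256)]

    def _bit_machine(self, b):
        start = frozenset([0])
        trans, pmv, q = {}, {start: set()}, deque([start])
        while q:                                               # subset construction over the alphabet {0, 1}
            S = q.popleft()
            for v in (0, 1):
                T = frozenset(self.delta[s][c] for s in S for c in range(256) if (c >> b) & 1 == v)
                if T not in pmv:                               # PMV: every pattern some member state reports
                    pmv[T] = set().union(*(self.out[s] for s in T)); q.append(T)
                trans[S, v] = T
        return start, trans, pmv

    def _run(self, text):                                      # per input byte, the 8 PMVs the bit machines report
        cur = [m[0] for m in self.bits]
        for byte in text:
            cur = [self.bits[b][1][cur[b], (byte >> b) & 1] for b in range(8)]
            yield [self.bits[b][2][cur[b]] for b in range(8)]
    def bit_reports(self, text):                               # PMVs after the last byte; each alone may over-report
        return list(self._run(text))[-1]
    def scan(self, text):                                      # (end offset, pattern id); needs all 8 machines to agree
        return [(i, p) for i, pmvs in enumerate(self._run(text)) for p in sorted(set.intersection(*pmvs))]
```

Running bit_reports on b"sha" with the patterns "he", "she", "his", "hers" shows why the final AND is needed: every bit machine except the one for bit 2 still votes for "she", because 'a' (0x61) and 'e' (0x65) differ only in that bit, while scan correctly reports nothing.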

How significant are these contributions relative to previous work?

Being largely unfamiliar with the area, I find it difficult to assess the significance of this contribution. On the one hand, it seems that most of what they are proposing is not new. For example, implementations of Aho-Corasick have been studied extensively. However, the splitting of the string into individual bits and computing on those individual bits seems to me significant.

Give detailed comments justifying your view of the paper.

The addition of multi-bit tries to the module pieces seems counter-intuitive. Why is it better to split the string into individual bits and then recombine those bits? Wouldn't it be better to not split the string on such a fine grain in the first place?

Why is it necessary to analyze exactly which string matched? Can't a copy of the "rare" attack be sent to a processing system which can then run the string match again to determine exactly which one matched, if that is necessary?

Why do they only consider packets? Shouldn't they consider the logical TCP stream in most cases? In this case state must be maintained between packets of a single flow and the problem becomes much more difficult.

Are they using an ASIC? Wouldn't this account for the many-fold increase in all metrics that they repeatedly boast about?