Approximate reduction of finite automata for high-speed network intrusion detection

We consider the problem ofapproximate reduction of non-deterministic automatathat appear in hardware-accelerated network intrusion detection systems (NIDSes). We define an errordistanceof a reduced automaton from the original one as the probability of packets being incorrectly classified by the reduced automaton (wrt the probabilistic distribution of packets in the network traffic). We use this notion to design anapproximate reduction procedurethat achieves a great size reduction (much beyond the state-of-the-art language-preserving techniques) with a controlled and small error. We have implemented our approach and evaluated it on use cases fromSnort, a popular NIDS. Our results provide experimental evidence that the method can be highly efficient in practice, allowing NIDSes to follow the rapid growth in the speed of networks.