Open Access
ARTICLE
An Architecture-Aware Hybrid CPU–GPU Approach for WEMA-Based Fast Pattern Matching in Network Intrusion Detection Systems
Adnan Hnaif1,*, Hanadi Al-Shawabkah2, Ayman Alqafaan2, Mohammad Alia1
1 Department of Cybersecurity, Faculty of Science and Information Technology, Al-Zaytoonah University of Jordan, Amman, Jordan
2 Department of Computer Science, Faculty of Science and Information Technology, Al-Zaytoonah University of Jordan, Amman, Jordan
* Corresponding Author: Adnan Hnaif. Email: 
Computers, Materials & Continua https://doi.org/10.32604/cmc.2026.082998
Received 26 March 2026; Accepted 15 May 2026; Published online 11 June 2026
Abstract
Many fast pattern-matching mechanisms are used in NIDS (Network Intrusion Detection Systems) to filter higher volumes of network traffic prior to invoking expensive rule verification stages. This filtering phase in signature-based engines, such as Snort, needs to preserve exact matching semantics while being able to process at high throughput on commodity hardware. Here, we introduce a hybrid CPU–GPU architecture-aware framework for exact multi-pattern matching based on the Weighted Exact Matching Algorithm (WEMA). WEMA performs the most relevant matching based on deterministic ordered indexing of category units, which eliminates chaotic control flow (which occurs with automata learning) and also brings out more regular memory access. An extensive evaluation across CPU-only, GPU-only, and hybrid CPU–GPU execution models is performed to analyze how WEMA interacts with heterogeneous hardware architectures. Informed by these observations, we propose a hybrid design with CPU-based control-intensive tasks—rule parsing, index construction, batching, and rule verification—retained on the CPU while selective data-parallel payload scanning is off-loaded to the GPU. Experimental results show that CPU-only execution on a commodity multicore CPU and integrated GPU platform delivers stable performance across the entire range of payload sizes, while the hybrid model achieves modest but repeatable improvements for small and medium workloads. The architecture evaluated here offers a relatively small advantage for GPU-only execution. Given the very nature of NIDS alongside the results provided in this paper, it is clear that WEMA-based acceleration on NIDS highly depends on hardware features and workload size, while selective, architecture-aware GPU utilization is crucial to maintain deterministic run-time characteristics in security-critical applications.
Keywords
NIDS; WEMA; exact string-matching algorithms; hybrid CPU–GPU architecture; heterogeneous computing
Login
Register
Submit a Paper
Propose a Special lssue
Download PDF
Downloads
Citation Tools
