@Article{cmc.2026.082998,
AUTHOR = {Adnan Hnaif, Hanadi Al-Shawabkah, Ayman Alqafaan, Mohammad Alia},
TITLE = {An Architecture-Aware Hybrid CPU–GPU Approach for WEMA-Based Fast Pattern Matching in Network Intrusion Detection Systems},
JOURNAL = {Computers, Materials \& Continua},
VOLUME = {},
YEAR = {},
NUMBER = {},
PAGES = {{pages}},
URL = {http://www.techscience.com/cmc/online/detail/27165},
ISSN = {1546-2226},
ABSTRACT = {Many fast pattern-matching mechanisms are used in NIDS (Network Intrusion Detection Systems) to filter higher volumes of network traffic prior to invoking expensive rule verification stages. This filtering phase in signature-based engines, such as Snort, needs to preserve exact matching semantics while being able to process at high throughput on commodity hardware. Here, we introduce a hybrid CPU–GPU architecture-aware framework for exact multi-pattern matching based on the Weighted Exact Matching Algorithm (WEMA). WEMA performs the most relevant matching based on deterministic ordered indexing of category units, which eliminates chaotic control flow (which occurs with automata learning) and also brings out more regular memory access. An extensive evaluation across CPU-only, GPU-only, and hybrid CPU–GPU execution models is performed to analyze how WEMA interacts with heterogeneous hardware architectures. Informed by these observations, we propose a hybrid design with CPU-based control-intensive tasks—rule parsing, index construction, batching, and rule verification—retained on the CPU while selective data-parallel payload scanning is off-loaded to the GPU. Experimental results show that CPU-only execution on a commodity multicore CPU and integrated GPU platform delivers stable performance across the entire range of payload sizes, while the hybrid model achieves modest but repeatable improvements for small and medium workloads. The architecture evaluated here offers a relatively small advantage for GPU-only execution. Given the very nature of NIDS alongside the results provided in this paper, it is clear that WEMA-based acceleration on NIDS highly depends on hardware features and workload size, while selective, architecture-aware GPU utilization is crucial to maintain deterministic run-time characteristics in security-critical applications.},
DOI = {10.32604/cmc.2026.082998}
}