Abstract
. One of the most important requirements in intrusion detection systems (IDSs) is a good pattern matching algorithm. EHMA by Tzu-Fang et al. is an efficient and cost-effective pattern detection algorithm for packet inspection. A few key assumptions in their work were given without enough justification. In this paper, we have tried to verify some key assumptions of this algorithm by testing it on a cluster with real network data. We also introduce some methods to improve the algorithm by choosing the input parameters appropriately. The results show that some assumptions may not correct in some cases, and by applying some changes to the existing algorithm, we can make the performance of the matching process much better.