Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deep Packet Inspection(DPI) Engineering for Enhanced Performance of Network Elements and Security Systems PIs: Dr. Anat Bremler-Barr (IDC) Dr. David.

Similar presentations

Presentation on theme: "Deep Packet Inspection(DPI) Engineering for Enhanced Performance of Network Elements and Security Systems PIs: Dr. Anat Bremler-Barr (IDC) Dr. David."— Presentation transcript:

1 Deep Packet Inspection(DPI) Engineering for Enhanced Performance of Network Elements and Security Systems PIs: Dr. Anat Bremler-Barr (IDC) Dr. David Hay (HUJI)

2 Deepness Lab was founded in November 2010
Our mission: Deep Packet Inspection (DPI) for Next Generation Network devices Funding: 5 years ERC Starting Grant (1M Euro) 3 years Kabarnit, a Magnet program ($70K/year) A gift from Cisco ($75K) Main Industry Collaborations: Commtouch, Radware, Verint

3 People Faculty: Anat Bremler-Barr (IDC Herzliya), David Hay(The Hebrew University of Jerusalem) Postdoc : Shimrit Tzur-David, Yaron Koral Ph.D. Students Liron Schiff (Tel Aviv University), Yotam Harchol (The Hebrew University of Jerusalem) Collaborators: Yehuda Afek (Tel Aviv University), Isaac Keslassy (Technion),Shir Landau-Feibish (Tel Aviv University) Past Students Victor Zigdon, M.Sc. (IDC Herzliya),Adam Mor, M.Sc. (IDC Herzliya)

4 People Dr. Anat Bremler-Barr - Ph.D. with distinction, Tel-Aviv University, Israel (2001). Founder and chief scientist of Riverhead Networks (focused on distributed denial of service solution, and was acquired by Cisco). Senior lecturer (assistant professor) with tenure at IDC. Dr. David Hay - Ph.D. from the Technion (2007). Post-doc at Columbia University, NY, USA and Politecnico di Torino. Previously, also at IBM Research and Cisco San Jose. Senior lecturer (assistant professor) at the Hebrew U.

5 Deep Packet Inspection (DPI)
DPI - Identifying signatures (patterns or regular expressions) in the packets’ payload DPI is the main action taken to inspect traffic and therefore it is a critical component in next generation networks: security, content filtering, traffic monitoring, load balancing, lawful interception, targeted advertising, data leakage prevention, application-aware routing …. High-speed DPI is challenging and quickly becomes the bottleneck of the entire packet inspection process. resulting in security holes and/or limited/ineffective functionalities.

6 Impact 66% of network network equipment vendors define DPI as “a must have” technology today [Heavy Reading Survey, 2011] DPI market on 2011 estimated at $550 million, growth of 20%/year [Qosmos report, Heavy Reading, Dec. 2012]

7 Major Challenges Scalability: Compressed traffic
Rate - greater than 10 or even 100 Gbps Memory - handling thousands of signatures Power - educing the high power consumption Compressed traffic Security of the NIDS itself: Current solutions are vulnerable to Denial of Service attack DPI in Software Defined Networks Signatures Extraction SDN – needs to determine flows, DPI can help, will play a significant role…

8 Classical Algorithms

9 Aho-Corasick Algorithm
B E C D C E D B A Build a Deterministic Finite Automaton Traverse the DFA, byte by byte Accepting state  pattern found Example: {E, BE, BD, BCD, CDBCAB, BCAA} s2 s5 s6 s9 B s10 The standard algorithm for exact string matching in DPI is Aho-Corasick Its idea is to build a Deterministic Finite Automaton that when traversing it we recognize patterns Each state corresponds to the longest prefix, that is the suffix of the current input To build the automaton one builds a trie over the alphabet and it should contain all possible transitions Usually, the automaton remains in the higher levels, under real-life traffic (about 10% of the states, 85% of the time) s11 s12 BCDBCAB

10 Aho-Corasick Algorithm
B C D E S0 2 7 1 S1 S2 5 4 3 S3 S4 S5 13 6 S6 9 S7 8 S8 : Naïve implementation: Represent the transition function in a table of |Σ|×|S| entries Σ: alphabet S: set of states Lookup time: one memory access per input symbol Space: In reality: 70MB to gigabytes… Snort has 77K states, ClamAV over 1M One way to represent this automaton is a table with (alphabet size) multiplied by (number of states) entries It looks like the lookup time of this method is constant and so it will give a constant throughput

11 Alternative Implementation
s0 s7 s12 s1 s2 s3 s5 s4 s14 s13 s6 s8 s9 s10 s11 s0 Forward Transition Failure Transition B E C D C E D B A s1 s7 Failure transition goes to the state that matches the longest suffix of the input so far Lookup time: at most two memory accesses per input symbol (via amortized analysis) Space: at most, # of symbols in pattern set, depends on implementation s5 s10 Let's take away the extra transitions that make the automaton so big We'll add, instead, different transitions, call them "failure transitions". They point where we should go if we did not find a matching forward transition. Without consuming an input symbol. (Failure transition points to the state with the longest common suffix of current state's label) Why two memory accesses? Because failure transitions always go up the tree, so we will at most go up what we went down before.

12 Other Alternative: Compress the State Representation
symbol A B C D E forward: 13 6 symbol A D forward: 13 6 failure: 7 match: False failure: 7 match: False size: 2 Lookup Table s0 s7 s12 s1 s2 s3 s5 s4 C E D B s14 s13 s6 s8 s9 s10 A s11 s0 s7 s12 s1 s2 s3 s5 s4 C E D B s14 s13 s6 s8 s9 s10 A s11 Linear Encoded A B C D E 1 Bitmap: Can count bits using popcnt instruction Length=|Σ| How do we represent a state in this method? We want: smaller representation, to fit in cache, AND fast lookup These are the known methods. In bitmap – say "popcnt" Now – how can we make the automaton even smaller? forward: 13 6 failure: 7 match: False Bitmap Encoded

13 The Boyer-Moore (BM) Algorithm
Shift-based single-pattern search Main idea by example: Shifts of size m or close to it occur most of the times, leading to a very fast algorithm Shift Table otherwise t h g i r b Char 6 (m) 1 2 3 4 5 Shift

14 Compressed Traffic

15 Compressed HTTP 84.1% of the top 1,000 sites compress their traffic.
Data compression is done by adding references to repeated data. There are two types of compression: Intra-response compression – the references point to bytes within the response (Gzip/Deflate) Inter-responses/connections compression – the references point to bytes in a separate file, called dictionary (Google’s SDCH). 19% increase in 8 month! There is a paper the handles the intra-response infocome 2009 ref We exploit this repetitions to facilitate the dpi process

16 Challenges Current security tools do not deal with compressed traffic due to the great challenges in time and space

17 Compressed Traffic : Space Challenge
Thousands of concurrent sessions Compressed, Mem: 32KB/session Uncompressed Traffic DPI unzip Space Time 80% 40% Contribution: Improve

18 Compressed Traffic : Time Challenge
General belief: Our algorithms show how to accelerate the pattern matching using the compression information Decompression + pattern matching >> pattern matching Decompression + pattern matching < pattern matching 18

19 High-Level Idea Compression is done by compressing repeated sequences of bytes Store information about the pattern matching results  No need to fully perform again pattern matching on repeated sequences which were already scanned  x2-3 time reduction The buffers needed for decompression are not used most of the time, and therefore can be kept in compressed form most of time  x5 space reduction 19

20 General Idea: Keep “compressed” buffer
New Packet active session buffer Compressed Keep buffers in a “compressed” form Uncompress “active session” only unzip

21 Results Reduction of space by factor of 5!
Speedup by factor of 2 or 3 (in GZIP and SDCH)

22 Experimental Results: DPI +Packing
Unzip entire session. Avg. Size = 170KB SOP 1.39, 5.17KB SOP+ACCH 0.64, 6.19KB Naïve 1.1, 29KB ACCH 0.36, 37.4KB

23 The Other Side of the Coin: Acceleration by Identifying repetitions in uncompressed Traffic
There are repetitions in uncompressed HTTP traffic Entire files (e.g., images) Parts of the files (e.g., HTML tags, javascripts) We keep scanning again and again the same thing (and get the same scanning results..) Identify frequently repeated data Stored in a dictionary Perform DPI on the data once and remember the results DPI by pattern matching Aho-Corasick algorithm. Result is the state. When encountering a repetition, recover the state without re-scanning Delicate points need to be taken care of, so we won’t miss any pattern

24 Securing the NIDS Itself

25 Complexity DoS Attack Over NIDS
Easy to craft – very hard to process packets 2 Steps attack: Attacker 1. Kill IPS/FW Internet 2. Sneak into the network

26 Attack on Security Elements
Combined Attack: DDoS on Security Element exposed the network – theft of customers’ information

27 Attack on Snort The most widely deployed IDS/IPS worldwide.
Heavy packets rate

28 OUR GOAL: A multi-core system architecture, which is robust against complexity DDoS attacks

29 System Throughput Over Time
Reaction time can be smaller

30 System Architecture Routine Mode: Load balance between cores
Detects heavy packets NIC Core #1 Q Core #2 Q Processor Chip Routine Mode: Load balance between cores Core #8 Q Core #9 Q Core #10 Q

31 System Architecture Alert Mode: Dedicated cores for heavy packets
Detects heavy packets NIC Core #1 Q Core #2 Q Processor Chip Alert Mode: Dedicated cores for heavy packets Others detect and move heavy to Dedicated. Core #8 Q Dedicated Core #9 B B Q B Dedicated Core #10 Q B

32 Cloud solution The different cores are different (virtual) machines.
Load balancing sends heavy packets to machines that run a special more efficient processing method. In SDN, this can be done even faster and easier.

33 DPI using TCAMs

34 TCAM – Ternary Content- Addressable Memory
Action 1 1 2 3 4 5 6 7 8 9 deny 1 2 3 4 6 5 7 8 9 ********1111 deny *******11111 *********011 accept deny ********************* 3 accept 1110********* ** Encoder deny ************ deny *************************001110 deny ****************** De-facto solution of packet classification. Core component of SDN switch log *** accept ******************************* Match lines TCAM SRAM Search Key 34 34

35 Some Challenges In Using TCAM
Reducing the number of entries  power consumption reduction Dealing with ranges (how to encode the range [1-6]?) How to correct errors? More about it in the next slide How to use it for non-traditional tasks Traditionally, TCAM is used for IP lookup and header classification (e.g., using 5-tuples)

36 Example: Error Correction in TCAM
In SRAM (or any regular memory) Input: address (entry number) Output: content of that address One can apply an error detection/correcting code on that content In TCAM Even if the content seems OK, we still have false miss or indirect false miss errors, TCAM EDC/ECC are harder

37 PEDS: Parallel Error Detection Scheme for TCAM Devices
Detecting all errors using the built-in parallel lookup of the TCAM The number of lookups is a function of the width of the TCAM word, and not the number of entries in the database. Which is 3 orders of magnitude larger Developed, patented in DEEPNESS lab

38 CompactDFA for DPI Using TCAM to represent a huge DFA in a compact manner. Reducing the problem of pattern matching to IP lookup (much easier problem) Each byte scan  one TCAM lookup Can be reduced using variable stride traversal Further performance boost with parallelism and pipelining 38

39 DFA  CompactDFA Longest Prefix Match Snort: 73MB  0.6MB
TCAM SRAM Next State Sym Current 0000 (s0) A 1 0110(s6) B 0000(s0) 2 1100 (s12) C 3 D 4 0001(s1) E 5 F 6 7 0010 (s2) 8 9 10 11 12 0010(s2) 13 0100 (s4) 14 0011 (s3) 15 16 0000 (s0) 1101 (s13) 84 Longest Prefix Match DFA  CompactDFA Snort: MB  0.6MB ClamAV: 1.5GB  26MB

40 Signature Extraction

41 Current DDoS Attack Armies of zombies  Many sources
Hard to identify behaviorally No known signatures Zombies on innocent computers Infrastructure-level DDoS attacks Server-level DDoS attacks Bandwidth-level DDoS attacks

42 Automated Extraction of Signatures for Zero-day Internet Attacks
Input: sample of attack traffic (high volume attack) sample of normal traffic Output: Automatically find signatures that appear frequently only during attack Where: Input collection: In mitigation apparatus (DDoS Guard/firewall/anti-DDoS etc.) In the cloud – collect data from several collectors. DDoS – power computation saving Signatures used by anti-DDoS devices and firewalls to stop attack Mitigation in minutes, good enough for these types of attacks

Download ppt "Deep Packet Inspection(DPI) Engineering for Enhanced Performance of Network Elements and Security Systems PIs: Dr. Anat Bremler-Barr (IDC) Dr. David."

Similar presentations

Ads by Google