Presentation is loading. Please wait.

Presentation is loading. Please wait.

Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1.

Similar presentations


Presentation on theme: "Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1."— Presentation transcript:

1 Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1

2  Introduction  Related Work  Background  Proposed Algorithm : AC-Suffix-Tree Algorithm  Performance Analysis 2

3  TCP and IP fragmentation can be used to evade signature detection at IDS / IPS.  The common defense is buffering and reassembling packets. However, buffering of out-of-sequence packets can become impractical on high speed links due to limited fast memory capacity. 3

4  In this paper, AC-Suffix-Tree, a buffer free scheme for string matching is proposed, which detects patterns across out-of-sequence packets without buffering and reassembly.  This novel algorithm associates the classical AC (ACA) algorithm with a pattern suffix tree to search patterns with only the state numbers of AC automaton and suffix tree stored. 4

5  What is the current situation of packet reordering in Internet?  In 2005, Dharmapurikar found that packet reordering in TCP traffic only affects 2-3% of the overall traffic[6].  An older paper reports that 90% of the TCP packets were reordered in the trace of Dec and Jan [3], but Dharmapurikar claims it was because the older generation of router architecture. 5

6  Pattern Suffix Tree : Let X = {abaaba,ababab}, suffix set of X is {a,ba,aba,aaba,baaba,b,ab,bab,abab,babab} 6

7  The return value contains the stop state and a “fact” mark. Once the input string is not finished but there is no available next state, fact is false; and once the input string is finished but PST is not finished, fact is true. So fact = true means str is a proper factor of some patterns in X. 7

8  A simple situation of two packets’ reordering.  When packet y2 comes first, a pattern may exist between the two packets only if some prefix of y2 is one suffix of the patterns. 8

9  For example : y i =aaba, y j =abaa stop at s 6 append path(s 6 ) 9

10  What if the pattern x crosses more than two segments?  A information merging mechanism is used to merge the PST state records in successive blocks.  the return value “fact” of PST is used to identify the proper factor of x. fact = true means the entire segment is a proper factor of x, thus needs to merge the PST state with the predecessor segment. 10

11  Example : Pattern set X = {abaaba, ababab} Input Y = y 1 y 2 y 3 y 4, where y 1 = bbaa,y 2 = baba,y 3 = baab,y 4 = aabb 11 -> flow number -> sequence number -> length -> state of ACA -> state of PST

12  First input is y 3 : (baab) passing y 3 to both ACA & PST  Buffer contains (1,8,4,2,11,true) 12

13  Second input is y 1 : (bbaa) passing y 1 to both ACA & PST  Buffer contains (1,8,4,2,11,true), (1,0,4,2,11,false) 13

14  Third input is y 4 : (aabb) combine y 4 with its predecessor (1,8,4,2,11,true) ACA begin with s2,PST begin with s11  Buffer contains (1,0,4,1,8,false), (1,8,8,0,12,false) 14

15  Fourth input is y 2 : (baba) combine y 2 with (1,0,4,1,8,false) & (1,8,8,0,12,false) path(12) appended to y 2 ’s tail -> bababaaba ACA match with {abaaba,ababab}  Buffer clean all records with fid = 1. 15

16  Compression of Suffix Tree : idea - using a suffix array instead of a tree  Pre-processing time will be longer but not the focus 16

17  Pattern set is chosen from snort,released on 2010/07/22. no regular expressions included.  Use traces generated by their own program.  Running on PC Pentium 2-core CPU,4GB RAM,32- bit XP 17

18  Processing speed for different traces with long set 18

19  Memory usage of AC and suffix tree 19

20  1,3,2,4,5, 6,7,8,9,10  1,4,5,6,7 8,9,10,2,3  1,3,4,6,7 8,9,2,10,5 20


Download ppt "Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1."

Similar presentations


Ads by Google