Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department."— Presentation transcript:

1 Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department of Computer Science and Engineering, University of California, San Diego Department of Computer Science, University of California, Santa Barbara

2 Abstract IDSs : Intrusion Detection Systems Space and time efficient string matching algorithms Providing worst-case performance –Amenable to H/W implementation Aho-Corasick –Memory, performance

3 Introduction (i) Combating attacks at every level Automatically monitoring network traffic IDS uses a set of rules –Apply to matching packets Edge and core routers –Stringent worst-case performance bounds –Tight constraints on memory

4 Introduction (ii) At the heart of IDSs is a string matching algorithm –In Snort, 70% of total execution time and 80% of instructions executed Contributions of this paper –Characterization –New Algorithms –Evaluation

5 String matching for intrusion detection

6 Quantifying the Use of String Matching (i) Snort-An intrusion detection system –The rules are generated manually Extract relevant content strings from the payload and header of known attacks –The action can include logging, alerting, ignoring, …… –Rules are usually added as new vulnerabilities are discovered

7 Quantifying the Use of String Matching (ii) Scalability of the intrusion detection system database –Beneficial to avoid that has run-time proportional to the length of the rules in the database –New rules are being added to detect or combat new attacks

8

9

10 Quantifying the Use of String Matching (iii) Linearly searching through the of rules is becoming increasingly infeasible The database is growing at a rate that is well within Moore ’ s Law Need a technique with run-time performance

11 State of the Art in String Matching (i) Single-pattern string matching –Boyer-Moore, …… Multi-pattern string matching –Aho-Corasick, Wu-Manber, …… Imprecise string matching –Using hashing and signature-based –Be reverified using a precise string matching

12 State of the Art in String Matching (ii) Bad Character Heuristics –Easily exploitable by attackers Aho-Corasick –Use unoptimized data structure for space optimizations SFKSearch –Worst-case performance is quite poor Wu-Manber –Memory access to the shift and hash table

13

14 Applying IP Lookup Techniques to String Matching (i) IP-lookup : a set of patterns to match, finding the longest possible match for a set of IP address that are streaming by String matching : a set of strings to match, finding all of the places in the input stream where there is a match

15 Applying IP Lookup Techniques to String Matching (ii) Unibit and Multibit Tries –Wastes space with pointer Lulea Algorithm –Use the concepts of leaf pushing and bitmaps to compress the database Eatherton Algorithm –Internal bitmap and external bitmap

16 Optimizations for string matching

17 Bitmap compression (i) With 32-bits pointers In Aho-Corasick has 256 next state pointers Now using a single pointer to the first valid next state, and maintain a 256 bit bitmap Summing all the bits prior that bit number and adding them to the base next node pointer

18

19 Bitmap compression (ii) Original optimized Aho-Corasick –1028 bytes each node Bitmapped version –Only 44 bytes each node Incurs two costs –Doubles the worst-case of work –Performing a sum up to 256 prior bits

20 Path Compression (i) Bitmap is largely wasted information at the bottom nodes Any path compressed nodes must be equal in size to bitmapped nodes Failure pointers must include an offset

21

22 Path Compression (ii) On a 32 bits pointer –A single path compressed node can contain data equivalent to 4 bitmap compressed nodes –In practice, achieve a 2.54:1 compression ratio

23

24 Results

25 Instruction Detection in Hardware The number of rules go up by over a factor of 2.5, whereas the size of memory for our algorithm only goes up by 30% Focus our attention on the worst- case performance

26

27 Intrusion Detection in Software Examine both average-case and worst-case performance Wu-Manber is the fastest in the average-case because of hash function

28

29

30 Summary (i) Current software IDSs largely rely on common-case optimizations to gain speed Aho-Corasick is only has deterministic worst-case lookup times and friendly enough to use for wire speed H/W matching

31 Summary (ii) Contribution of this paper –Apply bitmap node compression and path compression to Aho-Corasick –Gain both compact storage and worst- case performance

Download ppt "Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department."

Similar presentations

August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta

August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta
Data plane algorithms in routers

Data plane algorithms in routers
Spring 2006CS 685 Network Algorithmics1 Longest Prefix Matching Trie-based Techniques CS 685 Network Algorithmics Spring 2006.

Spring 2006CS 685 Network Algorithmics1 Longest Prefix Matching Trie-based Techniques CS 685 Network Algorithmics Spring 2006.
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Network Algorithms, Lecture 4: Longest Matching Prefix Lookups George Varghese.

Network Algorithms, Lecture 4: Longest Matching Prefix Lookups George Varghese.
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
M. Waldvogel, G. Varghese, J. Turner, B. Plattner Presenter: Shulin You UNIVERSITY OF MASSACHUSETTS, AMHERST – Department of Electrical and Computer Engineering.

M. Waldvogel, G. Varghese, J. Turner, B. Plattner Presenter: Shulin You UNIVERSITY OF MASSACHUSETTS, AMHERST – Department of Electrical and Computer Engineering.
IP Routing Lookups Scalable High Speed IP Routing Lookups.

IP Routing Lookups Scalable High Speed IP Routing Lookups.
Tries Standard Tries Compressed Tries Suffix Tries.

Tries Standard Tries Compressed Tries Suffix Tries.
A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:

A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.

1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
1 A Tree Based Router Search Engine Architecture With Single Port Memories Author: Baboescu, F.Baboescu, F. Tullsen, D.M. Rosu, G. Singh, S. Tullsen, D.M.Rosu,

1 A Tree Based Router Search Engine Architecture With Single Port Memories Author: Baboescu, F.Baboescu, F. Tullsen, D.M. Rosu, G. Singh, S. Tullsen, D.M.Rosu,
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Similar presentations

Ads by Google