Presentation is loading. Please wait.

Presentation is loading. Please wait.

A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan, Timothy Sherwood Appeared in ISCA 2005 Presented by: Sailesh.

Published byAnna Franklin Modified over 8 years ago

Similar presentations

Presentation on theme: "A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan, Timothy Sherwood Appeared in ISCA 2005 Presented by: Sailesh."— Presentation transcript:

1 A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan, Timothy Sherwood Appeared in ISCA 2005 Presented by: Sailesh Kumar Discussion Leader: Max Podlesny

2 2 - Sailesh Kumar - 9/19/2015 Overview n Overview of IDS/IPS systems »String matching and regular expression matching n String matching algorithms »Aho-Corasick algorithm n Overview of the proposed architecture n Analysis of the proposed architecture n Conclusion

3 3 - Sailesh Kumar - 9/19/2015 IDS Overview n Intrusion detection systems, IDS must be capable of distinguishing between normal (not security-critical) and abnormal user activities »However translating the user behaviors into a security-related decision is often not that easy n One approach is anomaly detection »Anomaly detectors construct profiles that represent normal usage »If profile of current data doesn’t match the normal profile => a possible attack »Typically results in high false positives and few negatives too »An intelligent intruder can train the system to behave otherwise NormalUnpredictableAbnormal

4 4 - Sailesh Kumar - 9/19/2015 IDS Overview n Another approach is some kind of signature detection n Misbehavior signatures fall into two categories: »Attack signatures – action patterns that may pose a security threat. Typically presented as a series of activities interleaved (may be) with neutral ones –E.g. sequence of flags set on some specific sequence of packets »Selected text strings – signatures to match text strings which look for suspicious action (e.g. – calling /etc/passwd). –Effective against attacks that exploits programming flaws. n Effective but not immune to novel attacks »Difficulties in updating information on new types of attacks »Still most widely used

5 5 - Sailesh Kumar - 9/19/2015 IDS Overview n At the heart of most signature based IDS systems, lies a string (regular expression) matching engine »Since this engine has to scan every byte of data, it might become the throughput bottleneck n This paper presents a high throughput string matching architecture n Advantages of proposed scheme: »Claimed to be space efficient –Entire rule set can be stored on-chip »Claimed to be able to achieve high throughput n Limitations (will cover later) »New systems do regex matching, FSM is typically too large to fit on chip, even with the proposed scheme. »Simple FSM compression schemes may beat the proposed idea

6 6 - Sailesh Kumar - 9/19/2015 String Matching Algorithm (Aho-Corasick) n For a set P of patterns, it builds a DFA, which accepts all patterns in P.

7 7 - Sailesh Kumar - 9/19/2015 String Matching Algorithm (Aho-Corasick) n Lets say, P is {he, she, his, hers} 0 1 h 2 9 8 6 3 4 57 e s i h s ers Initial State Accepting State State Transition Function h S h h h h h S S S S S S i h r h Example from Lin Tan et. al.

8 8 - Sailesh Kumar - 9/19/2015 Properties of DFA created by Aho-Corasick n Consumes one character per state traversal »A modified automaton is also used in many systems, which rescans a character if there is no outgoing edge for it (fail ptr) –Reduces the DFA size tremendously 0 1 h 2 9 8 6 3 4 57 e s i h s ers h S h h h h h S S S S S S i h r h 0 1 h 2 9 8 6 3 4 57 e s i h s ers Example from Lin Tan et. al.

9 9 - Sailesh Kumar - 9/19/2015 How to implement efficiently on-chip n Problem: Size too big to be on-chip »~ 10,000 nodes for SNORT rule set with ~1000 strings »256 out edges per node »Requires 10,000*256*14 = ~5MB n Solution: partition each state machine into small state machines such that »Each machine handles a subset of strings only »Also, each machine has few outgoing edges only

10 10 - Sailesh Kumar - 9/19/2015 Bit-Splitting Algorithm Overview n Bit-Split String Matching Algorithm »Reduces out edges from 256 to 2. n Partition the rule set P into smaller sets P 0 to P n n Build AC state-machine for each subset P i n For each P i, rip its DFA apart into 8 tiny state- machines, B i0 through B i7 n Each binary FSM operates on 1 bit of the 8 bit input characters »A match is announced only if all 8 machines finds a match

11 11 - Sailesh Kumar - 9/19/2015 Bit-splitting String Matching Architecture n Lets say we have 4 strings in P {he, she, his, hers} n Consider FSM 3 »It looks at 3 rd bit of the input char and makes state transitions based upon whether it is 0 or 1 n Example, lets say our input stream is hxhe Example from Lin Tan et. al.

12 12 - Sailesh Kumar - 9/19/2015 Bit FSM Construction n Use subset construction algorithm to build bit FSMs 0 1 h 2 9 8 6 3 4 57 e s i h s e rs h S h h h h h S S S S S S i h r h 0000 0000 0001 0110 1000 b0 {0} P B3B3 0 b1{ }0 1 b2{ },10,3 0001 0000 0111 0011 0 1 { } 0,3 { } 0,1,2,6 b3 1 b3{0,1,2,6} 0 1 b4{0,1,4} b6{0,1,2,5,6} b5{0,3,7,8} b7{0,3,9} 0 1 0 0 0 0 0 1 1 1 1 1 1 Example from Lin Tan et. al.

13 13 - Sailesh Kumar - 9/19/2015 Bit FSM Construction n Remove the non-accepting states from the small FSMs Example from Lin Tan et. al. 0 1 h 2 9 8 6 3 4 57 e s i h s e rs h S h h h h h S S S S S S i h r h b0 { } P Pruned B 3 0 b1{ } 1 b2{ } 1 b3{ 2 } 0 b4 { } b6{ 2,5 } b5{7} b7{9} 0 1 0 0 0 0 0 1 1 1 1 1 1

14 14 - Sailesh Kumar - 9/19/2015 Bit-splitting String Matching Architecture n Build all bit FSMs B i n Match announced, if all bit FSMs announce a match Example from Lin Tan et. al.

15 15 - Sailesh Kumar - 9/19/2015 An Example Matching Example from Lin Tan et. al. 0 1 h 2 9 8 6 3 4 57 e s i h s e r s h S h h h h h S S S S S S i h r h P0P0 B3B3 b0 {} b1{} b2{} b3{2} b4 {} b6{2,5} b5{7} b7{9} 0 1 1 0 0 1 1 0 0 0 1 1 1 0 0 1 B4B4 1 b8{2,7} b5 {} b0 {} b1{} b2{} b4{2} b3 {} b6{2,5} b9{9} 0 1 b7 {} 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 hxhe01001110 Only if all the state machines agree, is there actually a match. 2

16 16 - Sailesh Kumar - 9/19/2015 How to map it to hardware efficiently n Problem: »Every state in the bit-FSMs B i might have up to S accepting states of the original FSM D. –Note that # accepting of states = # of strings = S »Even if we keep bit-vector to represent the accepting states of the original D, we will need S-bits per state of B i. »S is typically >1000, so not practical n Solution: »Partition the rule set P into smaller subsets P i each with g rules –Build FSM D i for each P i and bit-splice D i into B i0, … B i7 »Now every state in B ij can have at most g accepting states, hence only g-bits are needed

17 17 - Sailesh Kumar - 9/19/2015 How to map it to hardware efficiently n Also note that any D FSM can be ripped into 2 or 4 bit-FSMs as well »When ripped into 4 different bit-FSM, each one consumes 2- bits of the input characters »When ripped into 2 different bit-FSM, each one consumes 4- bits

18 18 - Sailesh Kumar - 9/19/2015 Each State Machine Tile n g = 16 n # of states = 256 (8-bit state encoding) n D FSM is ripped into 4 FSMs (each accepts 2-bit I/P) Example from Lin Tan et. al.

19 19 - Sailesh Kumar - 9/19/2015 Hardware Implementation Example from Lin Tan et. al.

20 20 - Sailesh Kumar - 9/19/2015 Non Interrupting Update n Issues: »Must copy the state of every flip-flop of the affected module onto the replacement module –E.g. the current state pointer of the affected module must be copied into the replacement module –These issues are not mentioned in the paper

21 21 - Sailesh Kumar - 9/19/2015 Optimal partitioning n There are two types of partitions. »One is the partition of the set of strings »Another is the partitions of each D FSM into multiple bit FSMs –8 binary partition is clearly easy to understand –However, it is possible to partition into 2 or 4 partitions, and each partition consumes 4 and 2 input bits of the input character respectively. n Terminology »S = total # of strings »g = # of strings per group (# of partition = S/g) »n = # of partitions of state machine (1, 2, 4, 8) »L = Average # of characters per string n How to choose g and n? »which consumes minimum area

22 22 - Sailesh Kumar - 9/19/2015 Optimal partitioning n Total number of bits needed is: Total # of states in each bit-FSM Total # of modules (string set partition) # of FSM partitions # of bits to encode state # of outgoing edges per state # of partial match bits

23 23 - Sailesh Kumar - 9/19/2015 Optimal partitioning n Plot from the review of Mike Wilson (1000 signatures, average length 12) »Typical optimal # of FSM partitions = 2, 4

24 24 - Sailesh Kumar - 9/19/2015 Partitioning String Sets n In the analysis presented in the paper, it is claimed that partitioning string sets always reduce space »Not quite right when there is overlap among the strings –With overlapping strings, fewer states are needed w/o partitioning

25 25 - Sailesh Kumar - 9/19/2015 Performance Results - Memory From Lin Tan et. al.

26 26 - Sailesh Kumar - 9/19/2015 Performance Results - Throughput From Lin Tan et. al.

27 27 - Sailesh Kumar - 9/19/2015 Strength of the Algorithm n Can be very effective for dense DFAs, when there are plenty of outgoing edges from every state n In this case, path compression will not help a lot n However, ripping apart the state machines into bit state machines will reduce the number of outgoing edges to 16 »(2 edges x 8 FSMs) or (4 edges x 4 FSMs) »For dense graphs, upto 16 times reduction in state space

28 28 - Sailesh Kumar - 9/19/2015 Some Issues n Tuck [30] used bitmap compression and path compression to reduce the amount of memory needed for SNORT rules to 1.1MB n Note that, Tuck didn’t do any string set partitioning »w/o any partitioning, bit-splitting will consume >2 MB From Lin Tan et. al.

29 29 - Sailesh Kumar - 9/19/2015 Conclusion n Novel Bit-Split String Matching Algorithm »Reduces out edges from 256 to 2 »Can be extremely effective for dense graphs n Performance/area beats the best techniques by a factor of 10 or more. n 0.4MB and 10Gbps for Snort rule set ( >10,000 characters)

30 30 - Sailesh Kumar - 9/19/2015 Thank you and Questions

Download ppt "A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan, Timothy Sherwood Appeared in ISCA 2005 Presented by: Sailesh."

Similar presentations

Deep Packet Inspection: Where are We? CCW08 Michela Becchi.

Deep Packet Inspection: Where are We? CCW08 Michela Becchi.
Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.

Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.
Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1.

Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.

Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.
A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:

A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:
Protomatching Network Traffic for High Throughput Network Intrusion Detection Shai RubinSomesh JhaBarton P. Miller Microsoft Security Analysis Services.

Protomatching Network Traffic for High Throughput Network Intrusion Detection Shai RubinSomesh JhaBarton P. Miller Microsoft Security Analysis Services.
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.
Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.
1 A Virus Scanning Engine Using a Parallel Finite-Input Memory Machine and MPUs Author: Hiroki Nakahara, Tsutomu Sasao, Munehiro Matsuura, and Yoshifumi.

1 A Virus Scanning Engine Using a Parallel Finite-Input Memory Machine and MPUs Author: Hiroki Nakahara, Tsutomu Sasao, Munehiro Matsuura, and Yoshifumi.
Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.

Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.
1 Accelerating Multi-Patterns Matching on Compressed HTTP Traffic Authors: Anat Bremler-Barr, Yaron Koral Presenter: Chia-Ming,Chang Date: 2009.9.1 Publisher/Conf.

1 Accelerating Multi-Patterns Matching on Compressed HTTP Traffic Authors: Anat Bremler-Barr, Yaron Koral Presenter: Chia-Ming,Chang Date: Publisher/Conf.
1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.

1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.
Aho-Corasick String Matching An Efficient String Matching.

Aho-Corasick String Matching An Efficient String Matching.
1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman

1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman
B + -Trees (Part 1). Motivation AVL tree with N nodes is an excellent data structure for searching, indexing, etc. –The Big-Oh analysis shows most operations.

B + -Trees (Part 1). Motivation AVL tree with N nodes is an excellent data structure for searching, indexing, etc. –The Big-Oh analysis shows most operations.
Artificial Immune Systems Our body’s immune system is a perfect example of a learning system. It is able to distinguish between good cells and potentially.

Artificial Immune Systems Our body’s immune system is a perfect example of a learning system. It is able to distinguish between good cells and potentially.
A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.

A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.
1 HEXA : Compact Data Structures for Faster Packet Processing Department of Computer Science and Information Engineering National Cheng Kung University,

1 HEXA : Compact Data Structures for Faster Packet Processing Department of Computer Science and Information Engineering National Cheng Kung University,
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Similar presentations

Ads by Google