Presentation is loading. Please wait.

Presentation is loading. Please wait.

Accelerating Multipattern Matching on Compressed HTTP Traffic Published in : IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 20, NO. 3, JUNE 2012 Authors : Bremler-Barr,

Published byDrusilla Gregory Modified over 8 years ago

Similar presentations

Presentation on theme: "Accelerating Multipattern Matching on Compressed HTTP Traffic Published in : IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 20, NO. 3, JUNE 2012 Authors : Bremler-Barr,"— Presentation transcript:

1 Accelerating Multipattern Matching on Compressed HTTP Traffic Published in : IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 20, NO. 3, JUNE 2012 Authors : Bremler-Barr, A. ; Interdiscipl. Center, Efi Arazi Sch. of Comput. Sci., Herzlia, Israel ; Koral, Y. 1

2 Introduction At the heart of almost every modern security tool is a pattern-matching algorithm. Multipattern matching on compressed traffic requires two time-consuming phases, namely traffic decompression and pattern matching. Most current security tools either ignore scanning compressed traffic or disable the option for compressed traffic. 2

3 LZ77 Algorithm The LZ77 algorithm compresses data that has already appeared in the past (a sliding window of the last 32 kB of data) by encoding it with a pair (distance, length), where distance is a number in [1, 32768] length is a number in [3, 258] 3

4 Examples abcdefabcd abcdef(6, 4) Test Test</[6;12] Blah blah blah blah blah! Blah b[D=5, L=18]! 4

5 Aho–Corasick (AC) algorithm The basic AC algorithm constructs a deterministic finite automaton (DFA) for detecting all occurrences of given patterns by processing the input in a single pass. 5

6 AC DFA for patterns “abcd”, “nba”, “nbc” 6

7 AC DFA for patterns “arrows”, “row”, “sun”, “under” 7

8 Failure Function 8

9 Example: arrowsunderows 9

10 AC DFA for patterns “WOMAN”, “MAN”, “MEAT”, “ANIMAL” 10

11 Transition Table of Automata 11

12 Failure Function 12

13 Failure Function Table 13

14 The AC algorithm requires significantly more time than decompression. Decompression is based on consecutive memory reading from the sliding window, hence it has low read-per-byte cost. The AC algorithm employs a very large DFA that is accessed with random memory reads, which typically does not fit in cache, thus requiring main memory accesses. 14

15 Aho–Corasick-based algorithm on Compressed HTTP (ACCH) The basic observation is that if the referred string does not completely contain matched patterns, then the pointer also contains none. The algorithm may skip scanning bytes in the uncompressed data where the pointer occurs. 15

16 Three Special Cases 1.The pattern starts prior to the pointer, and only its suffix is in the pointer. 2.The pointer contains a pattern prefix, and its remaining bytes occur after. 16

17 In order to detect those patterns, we need to scan a few bytes within the pointer starting and ending points denoted by pointer left boundary and right boundary scan areas, respectively. If no matches occurred within the referred string, the algorithm skips the remaining bytes between the pointer boundaries denoted by internal area. 17

18 18

19 3.A pattern ends within the referred string. 19

20 Left Boundary (First Case) The algorithm should continue scanning the pointer bytes (in the uncompressed data) as long as the number of bytes scanned within the pointer is smaller than the current DFA state’s depth. 20

21 21

22 Right Boundary (Second Case) If the depth of the corresponding byte is below some constant CDepth, this byte is marked with a status of Uncheck; otherwise the byte is marked Check. The algorithm locates the last occurrence of an Uncheck status position within the referred string. Let unchkPos be the corresponding position within the pointer. The scan is resumed from unchkPos – CDepth + 2 bytes prior to the pointer end, and the DFA state is set to start state. 22

23 Internal Area (Third Case) A byte with a Match status means that a pattern (or more) ends at its location. Let matchPos be the position within the pointer, corresponding to the position of the Match status within the referred string. Using the status information, we could detect whether an entire pattern was referred to by the pointer by scanning a few bytes prior to the matchPos in the same manner as in the case of the right boundary. 23

24 24

25 Experimental Results Two data sources: traffic that was captured by a corporate firewall for 15 min and a list of the most popular Web pages taken from the Alexa Web site. Two signature data sets: one of ModSecurity, an open-source Web application firewall, and the other of Snort, an open-source network intrusion prevention and detection system. 25

26 26

27 27

28 Conclusion Surprisingly, it is faster to do pattern matching on compressed data, with the penalty of decompression, than doing pattern matching on uncompressed traffic. 28

29 Reference Dictionary Matching Automata The Aho- Corasick Algorithm Dictionary Matching Automata The Aho- Corasick Algorithm Importance of Aho-Corasick String Matching Algorithm in Real World Applications Importance of Aho-Corasick String Matching Algorithm in Real World Applications 演算法筆記 - String Matching 演算法筆記 - String Matching 29

Download ppt "Accelerating Multipattern Matching on Compressed HTTP Traffic Published in : IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 20, NO. 3, JUNE 2012 Authors : Bremler-Barr,"

Similar presentations

1 Average Case Analysis of an Exact String Matching Algorithm Advisor: Professor R. C. T. Lee Speaker: S. C. Chen.

1 Average Case Analysis of an Exact String Matching Algorithm Advisor: Professor R. C. T. Lee Speaker: S. C. Chen.
Shift-based Pattern Matching for Compressed Web Traffic Presented by Victor Zigdon 1* Joint work with: Dr. Anat Bremler-Barr 1* and Yaron Koral 2 The SPC.

Shift-based Pattern Matching for Compressed Web Traffic Presented by Victor Zigdon 1* Joint work with: Dr. Anat Bremler-Barr 1* and Yaron Koral 2 The SPC.
Multipattern String Matching On A GPU Author: Xinyan Zha, Sartaj Sahni Publisher: 16th IEEE Symposium on Computers and Communications Presenter: Ye-Zhi.

Multipattern String Matching On A GPU Author: Xinyan Zha, Sartaj Sahni Publisher: 16th IEEE Symposium on Computers and Communications Presenter: Ye-Zhi.
Space-Time Tradeoffs in Software-based Deep Packet Inspection Author: Anat Bremler-Barr, Yotam Harchol, and David Hay Published in Proc. IEEE HPSR 2011.

Space-Time Tradeoffs in Software-based Deep Packet Inspection Author: Anat Bremler-Barr, Yotam Harchol, and David Hay Published in Proc. IEEE HPSR 2011.
Two-dimensional pattern matching M.G.W.H. van de Rijdt 23 August 2005.

Two-dimensional pattern matching M.G.W.H. van de Rijdt 23 August 2005.
An On-Chip IP Address Lookup Algorithm Author: Xuehong Sun and Yiqiang Q. Zhao Publisher: IEEE TRANSACTIONS ON COMPUTERS, 2005 Presenter: Yu Hao, Tseng.

An On-Chip IP Address Lookup Algorithm Author: Xuehong Sun and Yiqiang Q. Zhao Publisher: IEEE TRANSACTIONS ON COMPUTERS, 2005 Presenter: Yu Hao, Tseng.
THE CHURCH-TURING T H E S I S “ TURING MACHINES” Pages 136 - 150 1 COMPUTABILITY THEORY.

THE CHURCH-TURING T H E S I S “ TURING MACHINES” Pages COMPUTABILITY THEORY.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Author: Anat Bremler-Barr, Yaron Koral, Shimrit Tzur David, David Hay Publisher:

Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Author: Anat Bremler-Barr, Yaron Koral, Shimrit Tzur David, David Hay Publisher:
Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Anat Bremler-Barr Interdisciplinary Center Herzliya Shimrit Tzur David Interdisciplinary.

Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Anat Bremler-Barr Interdisciplinary Center Herzliya Shimrit Tzur David Interdisciplinary.
15-853Page 1 15-853: Algorithms in the Real World Suffix Trees.

15-853Page : Algorithms in the Real World Suffix Trees.
296.3: Algorithms in the Real World

296.3: Algorithms in the Real World
A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:

A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
1 Accelerating Multi-Patterns Matching on Compressed HTTP Traffic Authors: Anat Bremler-Barr, Yaron Koral Presenter: Chia-Ming,Chang Date: 2009.9.1 Publisher/Conf.

1 Accelerating Multi-Patterns Matching on Compressed HTTP Traffic Authors: Anat Bremler-Barr, Yaron Koral Presenter: Chia-Ming,Chang Date: Publisher/Conf.
1 Efficient String Matching : An Aid to Bibliographic Search Alfred V. Aho and Margaret J. Corasick Bell Laboratories.

1 Efficient String Matching : An Aid to Bibliographic Search Alfred V. Aho and Margaret J. Corasick Bell Laboratories.
1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.

1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.
An Efficient and Scalable Pattern Matching Scheme for Network Security Applications Department of Computer Science and Information Engineering National.

An Efficient and Scalable Pattern Matching Scheme for Network Security Applications Department of Computer Science and Information Engineering National.

Similar presentations

Ads by Google