Presentation is loading. Please wait.

Presentation is loading. Please wait.

Author : Randy Smith & Cristian Estan & Somesh Jha Publisher : IEEE Symposium on Security & privacy,2008 Presenter : Wen-Tse Liang Date : 2010/10/27.

Published byEunice Daniel Modified over 8 years ago

Similar presentations

Presentation on theme: "Author : Randy Smith & Cristian Estan & Somesh Jha Publisher : IEEE Symposium on Security & privacy,2008 Presenter : Wen-Tse Liang Date : 2010/10/27."— Presentation transcript:

1 Author : Randy Smith & Cristian Estan & Somesh Jha Publisher : IEEE Symposium on Security & privacy,2008 Presenter : Wen-Tse Liang Date : 2010/10/27

2  Introduction  Background  Technical Overview  Reducing state space with XFAs  Building XFAs from regular expressions  Combining XFAs  Performance

3  In this paper our primary goal is to improve the time and space efficiency of signature matching in network intrusion detection systems (NIDS)  To achieve our goal we introduce extended finite automata (XFAs) which augment traditional FSAs with a finite scratch memory used to remember various types of information relevant to the progress of signature matching  XFAs have time complexity similar to DFAs and space complexity similar to or better than NFAs.

4  String matching was important for early network intrusion detection systems as their signatures consisted of simple strings. The Aho-Corasick [1] algorithm builds a concise automaton (linear in the total size of the strings) that recognizes multiple such signatures in a single pass.  NFAs can compactly represent multiple signatures but may require large amounts of matching time, since the matching operation needs to explore multiple paths in the automaton to determine whether the input matches any signatures.

5  DFAs can be efficiently implemented in software, although the resulting state-space explosion often exceeds available memory.  Yu et al. [33] propose combining signatures into multiple DFAs instead of one DFA, using simple heuristics to determine which signatures should be grouped together.  The D 2 FA technique [14] performs edge compression to reduce the memory footprint of individual states. It stores only the difference between transitions in similar states, and in some sense, extends the string-based Aho-Corasick algorithm to DFAs.

6 .*S1.*S2 .{n}

7

8  Annotating regular expressions  We use the parallel concatenation operator to “break up” a regular expression, or parts of one, into string-like subexpressions that are individually suitable for string matching.  For example, we annotate.*S1.*S2, where S1 and S2 are strings, as.*S1#.*S2. Put another way, we add the ‘#’ operator right before subexpressions such as ‘.*’ and [ˆ\n]{300} that repeat characters from either the whole input alphabet or a large subset thereof.

9  Annotating regular expressions

10  Parsing the regular expression  building a non-deterministic automaton through a bottom-up traversal of the parse tree,  ε –elimination  Determinization  Minimization.

11  XFA is a 7-tuple ( Q, D, Σ, δ, U δ, ( q 0, d 0 ), F )  Q is the set of states, Σ is the set of inputs (inputalphabet), δ : Q×Σ → Q is the transition function  D is the finite set of values in the data domain,  U δ : Q×Σ×D → D is the per transition update functionwhich defines how the data value is updated on every transition  ( q 0, d 0 ) is the initial configuration which consists of an initial state q 0 and an initial data value d 0,  and F ⊆ Q×D is the set of accepting configurations.

12  NXFA is a 7-tuple ( Q, D, Σ, δ, U δ,QD 0, F )  Q is the set of states, Σ is the set of inputs (input alphabet), δ ⊆ Q×(Σ ∪ {ε })×Q is the nondeterministic relation describing the allowed transitions  D is the finite set of values in the data domain  U δ : δ → 2 D×D is the nondeterministic update function (or update relation) which defines how the data value is updated on every transition  QD0 ⊆ Q×D is the set of initial configurations of the NXFA  and F ⊆ Q×D is the set of accepting configurations.

13  From parse trees to NXFAs.

14  ε –elimination  It extends standard ε - elimination by composing update functions along chains of “collapsed” ε transitions from the original NXFA and places these new relations into the appropriate transition in the ε -free NXFA.

15  Determinization (transitions)  After consuming an input string, the matching lgorithm will know the exact automaton state it is in, but multiple data domain values may be possible

16  Determinization(transitions) .*ab[^a]{1}

17  Determinization (update relations)  Algorithm 3 determinizes the data domain of the NXFA produced by Algorithm 2, yielding a deterministic XFA.

18  Determinization(update relations)  Minimization

19  Finding efficient implementations.  The last step in the compilation process is to map abstract data domain operations to efficient, concrete instructions for manipulating data values.

20  Finding efficient implementations.  Combining XFAs

21  yielding 1556 signatures in total. We eliminated 106 signatures for reasons discussed below, giving us a signature set size of 1450.

22

Download ppt "Author : Randy Smith & Cristian Estan & Somesh Jha Publisher : IEEE Symposium on Security & privacy,2008 Presenter : Wen-Tse Liang Date : 2010/10/27."

Similar presentations

Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.

Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.
Non-Deterministic Finite Automata

Non-Deterministic Finite Automata
CSE 311 Foundations of Computing I

CSE 311 Foundations of Computing I
4b Lexical analysis Finite Automata

4b Lexical analysis Finite Automata
Complexity and Computability Theory I Lecture #4 Rina Zviel-Girshin Leah Epstein Winter 2002-2003.

Complexity and Computability Theory I Lecture #4 Rina Zviel-Girshin Leah Epstein Winter
Nondeterministic Finite Automata CS 130: Theory of Computation HMU textbook, Chapter 2 (Sec 2.3 & 2.5)

Nondeterministic Finite Automata CS 130: Theory of Computation HMU textbook, Chapter 2 (Sec 2.3 & 2.5)
1 CD5560 FABER Formal Languages, Automata and Models of Computation Lecture 2 Mälardalen University 2005.

1 CD5560 FABER Formal Languages, Automata and Models of Computation Lecture 2 Mälardalen University 2005.
1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.
Compiler Construction

Compiler Construction
XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.

XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.
CS21 Decidability and Tractability

CS21 Decidability and Tractability
Introduction to Computability Theory

Introduction to Computability Theory
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.
1 Introduction to Computability Theory Lecture2: Non Deterministic Finite Automata Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture2: Non Deterministic Finite Automata Prof. Amos Israeli.
Introduction to Computability Theory

Introduction to Computability Theory
Finite Automata Finite-state machine with no output. FA consists of States, Transitions between states FA is a 5-tuple Example! A string x is recognized.

Finite Automata Finite-state machine with no output. FA consists of States, Transitions between states FA is a 5-tuple Example! A string x is recognized.
Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.

Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.
Aho-Corasick String Matching An Efficient String Matching.

Aho-Corasick String Matching An Efficient String Matching.
Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.

Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.
1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.

1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.

Similar presentations

Ads by Google