Author: Weirong Jiang and Viktor K. Prasanna Publisher: ACM Symposium on Parallel Algorithms and Architectures, SPAA 2009 Presenter: Chin-Chung Pan Date:


1 Author: Weirong Jiang and Viktor K. Prasanna Publisher: ACM Symposium on Parallel Algorithms and Architectures, SPAA 2009 Presenter: Chin-Chung Pan Date: 2009/10/14

2 Outline
Introduction
Analysis of Snort Header Rule Sets
Algorithms and Architecture
  The Field-Split Bit Vector (FSBV) Algorithm
  Basic Architecture
  Supporting Snort Features
Performance Evaluation

3 Introduction
Traditional network applications such as firewall processing require reporting only the highest-priority matching rule, which we call best-match packet classification. In contrast, network intrusion detection systems (NIDS) need multi-match packet classification to find all rule headers that match a given packet. Our work focuses on multi-match packet header classification in NIDS.

4 Analysis of Snort Header Rule Sets

5 Algorithms and Architecture

6 Algorithms and Architecture - The Field-Split Bit Vector (FSBV) Algorithm
Applying the FSBV algorithm for matching the DP field of a packet against three rules.

7 Algorithms and Architecture - Basic Architecture

8 Algorithms and Architecture - Supporting Snort Features
We examined the usage of the unique features that Snort rules provide for port fields: the value list, the negation operator, and the range operator.
The negation operator "!": for example, ![60,80] indicates any port number except 60 and 80.
The range operator: for example, 60:80 indicates port numbers from 60 to 80.

9 Algorithms and Architecture - Supporting Snort Features

10
Rule Set:

Rule   Other Field   DP (4-bit)    Range
R1     …             11*0          12, 14
R2     …             0101          5
R3     …             110*          12, 13
R4     …             0111, 100*    7~9

Build bit vectors (bit order in each vector: R1 R2 R3 R4 R'4):

DP bit (left to right)   bit = 0   bit = 1
1                        01010     10101
2                        00001     11110
3                        11101     10010
4                        10101     01111

Perform match:

DP of the input packet: 1 1 0 0
10101 & 11110 & 11101 & 10101 = 10100
OR (R4 with R'4): 1010

11 Algorithms and Architecture - Supporting Snort Features
If, among N rules, a field of the ith rule is specified as a list of M values, the ith bit of all bit vectors for this field is expanded to M bits.
[Figure labels: N+M-1 bits, N bits, N+M-1 bits]
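The following Python is an added example, not code from the paper or the presentation: it builds the per-bit vectors for the 4-bit DP field of slide 10's rule set, expands R4's two patterns into two columns (R4 and R'4), ANDs the vectors selected by the packet bits, and ORs the expanded columns back into one result per rule. The function names and the ternary-string rule encoding are assumptions made for the example.

```python
"""FSBV matching on a single W-bit field (added example, not the authors' code)."""

def build_bit_vectors(rules, width):
    """rules: list of (name, [ternary patterns over '0', '1', '*']).
    A rule with several patterns (value list or split range) gets one
    column per pattern. Returns (columns, bv), where bv[j][b] is the bit
    vector to select when bit j of the packet field equals b."""
    columns = [(name, pat) for name, pats in rules for pat in pats]
    for _, pat in columns:
        if len(pat) != width or set(pat) - set("01*"):
            raise ValueError(f"bad ternary pattern: {pat!r}")
    bv = [[[int(pat[j] in (b, "*")) for _, pat in columns] for b in "01"]
          for j in range(width)]
    return columns, bv

def match(columns, bv, packet_bits):
    """AND the vectors selected by the packet bits, then OR together the
    columns that belong to one rule. Returns (raw vector, matching rules)."""
    if len(packet_bits) != len(bv) or set(packet_bits) - set("01"):
        raise ValueError(f"bad packet field: {packet_bits!r}")
    acc = [1] * len(columns)
    for j, bit in enumerate(packet_bits):
        acc = [a & v for a, v in zip(acc, bv[j][int(bit)])]
    matched = []
    for (name, _), hit in zip(columns, acc):
        if hit and name not in matched:  # OR of expanded columns
            matched.append(name)
    return acc, matched

# DP patterns from slide 10; R4 (range 7~9) needs two patterns: R4 and R'4.
SLIDE_RULES = [("R1", ["11*0"]), ("R2", ["0101"]),
               ("R3", ["110*"]), ("R4", ["0111", "100*"])]

if __name__ == "__main__":
    cols, bv = build_bit_vectors(SLIDE_RULES, 4)
    for j, (v0, v1) in enumerate(bv, start=1):
        print(f"bit {j}: 0 -> {''.join(map(str, v0))}  1 -> {''.join(map(str, v1))}")
    raw, rules = match(cols, bv, "1100")
    print("raw:", "".join(map(str, raw)), "rules:", rules)
```

Because every matching column survives the AND stage, the result lists all matching rules rather than only the highest-priority one, which is the multi-match behaviour the introduction requires for NIDS.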

12 Algorithms and Architecture - Supporting Snort Features
Most port fields are specified as a single value. Over 85% of the unique values for SP/DP fields are specified as a single value, while only around 10% of port field values are specified as ranges. The current Snort rule set uses few value lists.

13 Performance Evaluation - Results on Synthetic Rules

14 Performance Evaluation - Results on Snort Rules

