Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs.

Published byElfrieda Day Modified over 8 years ago

Similar presentations

Presentation on theme: "Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs."— Presentation transcript:

1 Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs

2 Signature matching in IDS Find instances of network packets that match attack signatures 2 signatures Sig: /.*evil.*/ innocent 12evil34

3 Matching regular expressions Signatures represented as regular expressions (RE) Finite Automata –Represent and operate regular expressions Time Efficiency –Throughput must cope with Gbps link speeds Space Efficiency –Must fit in main memory of NIDS 3 Time-Space Tradeoff in Finite Automata

4 Time/Space tradeoff 4 DFAs NFAs Processing time NFA-OBDD Space efficient DFA >= 4 orders of magnitude DFA : Deterministic Finite Automaton NFA : Non- Deterministic Finite Automaton IDEAL

5 Contributions of our paper NFA-OBDD: New data structure that offers fast regular expression matching with space consumption comparable to that of NFAs –Up to 1645x faster than NFAs with comparable memory consumption –Speed is competitive with DFA variants DFA runs out of memory for our signature sets –Outperforms or is competitive with PCRE 5 Key Idea: Boolean encoding of NFA operation

6 Trends and challenges 6 Signature set size increased 5x in the last 5 years Challenge Perform fast matching with low memory consumption

7 Combining DFAs 7 /.*ab.*cd//.*ef.*gh//.*ab.*cd |.*ef.*gh/ Picture courtesy : [Smith et al. Oakland’08] Multiplicative increase in number of states

8 Combining NFAs 8 M N /.*ab.*cd//.*ef.*gh//.*ab.*cd |.*ef.*gh/ Additive increase in number of states

9 NFAs more compact than DFAs 9 Real Snort signatures have large counter values Signature /.*1[0|1] {3} / NFA DFA

10 10 Signature 1: /.*ab.*.{15}cd/ Signature 2: /.*ef.*.{10}gh/ DFA NFA

11 Outline  Problem Definition  Our Contribution  NFA-OBDD model and operation  Implementation  Evaluation  Related Work  Conclusion 11

12 NFA-OBDDs: Main idea Why are NFAs slow? –NFA frontiers may contain multiple states –Each frontier state must be processed for each symbol in the input. Idea: Represent and operate NFA frontiers symbolically using Boolean functions –Entire frontier can be modified using a single Boolean formula –Use ordered binary decision diagrams (OBDDs) to represent Boolean formulae

13 Encoding NFA transition functions An NFA for (0|1)*1, ∑ = {0,1} Transition function 13 xiyf(x,i,y) 000 001 010 011 100 101 110 111 0 1 1 1 1 0 0 1 Frontier: Set of current states Size: O(n); n= # of states Set membership function -Disjunction of binary values of member states

14 Determine new frontier after processing input: Next set of states = Checking acceptance: NFA operation 14 SAT(Set_of_ Accept_States(x) Frontier(x)) Transition_Function(x,i,y) Frontier(x) Input_Symbol(i) Map y→x Ǝ x,i ) (

15 Ordered binary Decision Diagram (OBDD) [Bryant 86] Compact representation of Boolean function 15 The BDD of f(x,i,y) with order i < x < y xiyf(x,i,y) 0001 0010 0101 0111 1001 1010 1100 1111

16 NFA-OBDD NFA-OBDD: NFA representation and operation using OBDDs OBDD Representation of –Transitions –Frontiers Current set of states –Input symbols –Set of accepting states –Set of start states 16

17 Space efficiency of NFA-OBDDs NFA-OBDD construction: –Uses same combination algorithm as NFAs –OBDD data structure itself utilizes the redundancy of the binary function table 17 Rapid growth of signature set has little impact on NFA-OBDD space consumption (unlike DFAs)

18 Outline  Problem Definition  Our Contribution  NFA-OBDD model and operation  Implementation  Evaluation  Related Work  Conclusion 18

19 Experimental apparatus 19 C++ and CUDD package for OBDDs

20 Regular expression sets Snort HTTP signature set –1503 regular expressions from March 2007 –2612 regular expressions from October 2009 Snort FTP signature set –98 regular expressions from October 2009 Extracted regular expressions from pcre and uricontent fields of signatures 20

21 Traffic traces HTTP traces –33 traces –Size: 5.1MB –1.24 GB –One week period in Aug 2009 from Web server of the CS department at Rutgers FTP Traces –2 FTP traces –Size: 19.4MB, 24.7 MB –Two week period in March 2010 from FTP server of the CS department at Rutgers 21

22 Experimental results For 1503 REs from HTTP Signatures 22 *Intel Core2 Duo E7500, 2.93GHz; Linux-2.6; 2GB RAM* 1645x 9-26x 10x

23 Experimental results For 2612 REs from HTTP signatures 23 MDFA ran out of memory for 2612 REs

24 Experimental results For 98 RE from FTP signatures 24 MDFA ran out of memory for 98 REs

25 Multibyte matching Matches k>1 input symbol in a single step Also possible with NFA-OBDDs –Use OBDDs to represent k-step transitive closure of NFA transition function –See paper for details. Brief summary of experimental results –2-stride NFA-OBDD doubles the throughput –Outperforms 2-stride NFA by 3 orders of magnitude 25

26 Related work Multiple DFAs [Yu et al., ANCS’06] Extended finite automata [Smith et al., Oakland’08, SIGCOMM’08] D 2 FA [Kumar et al., SIGCOMM’06] Hybrid finite automata [Becchi et al., ANCS’08] Multibyte speculative matching [Luchaup et al., RAID’09] Many more – see paper for details 26

27 Conclusion NFA-OBDDs –Outperform NFAs by three orders of magnitude Up to 1645× in the best case Retain space efficiency of NFAs –Outperform or competitive with the PCRE package –Competitive with variants of DFAs but drastically less memory-intensive 27

28 Improving Signature Matching using Binary Decision Diagrams Thank You Liu Yang-lyangru@cs.rutgers.edu Rezwana Karim-rkarim@cs.rutgers.edu Vinod Ganapathy-vinodg@cs.rutgers.edu Randy Smith-ransmit@sandia.gov

29 BDD var ordering 29

30 30

31 NFA-OBDD vs NFA NFA-OBDD Time Efficient –Process a set of states in one step Space Efficient –Use the same combination algorithm 31

32 NFA-OBDD operation Temp] = OBDD[Transition Function] OBDD[Frontier] OBDD[Input Symbol] OBDD[Next Set of States] = Map x→y ( Ǝ x,i OBDD[Temp]) Checking Acceptance : OBDD[Set of Accept States] OBDD[Frontier] 32

33 Solution for Mutibyte Matching 33

34 Experimental results 2 Stride 1400 HTTP 34

35 Experimental results 2 Stride 1400 HTTP signatures zoomed 35

36 Experimental Results 2 stride ftp 95 signatures 36

37 37

38 Matching multiple input symbol 38

39 39 accept sig

40 accept sig

41 NFA is compact 41 Recent signatures have large counter with value up to 500 Signature /.*1[0|1] {3}/

Download ppt "Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs."

Similar presentations

Deep Packet Inspection: Where are We? CCW08 Michela Becchi.

Deep Packet Inspection: Where are We? CCW08 Michela Becchi.
Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.

Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.
Fast Submatch Extraction using OBDDs Liu Yang 1, Pratyusa Manadhata 2, William Horne 2, Prasad Rao 2, Vinod Ganapathy 1 Rutgers University 1 HP Laboratories.

Fast Submatch Extraction using OBDDs Liu Yang 1, Pratyusa Manadhata 2, William Horne 2, Prasad Rao 2, Vinod Ganapathy 1 Rutgers University 1 HP Laboratories.
CS 44 – Aug. 29 Regular operations –Union construction Section 1.2 - Nondeterminism –2 kinds of FAs –How to trace input –NFA design makes “union” operation.

CS 44 – Aug. 29 Regular operations –Union construction Section Nondeterminism –2 kinds of FAs –How to trace input –NFA design makes “union” operation.
4b Lexical analysis Finite Automata

4b Lexical analysis Finite Automata
CSC 361NFA vs. DFA1. CSC 361NFA vs. DFA2 NFAs vs. DFAs NFAs can be constructed from DFAs using transitions: Called NFA- Suppose M 1 accepts L 1, M 2 accepts.

CSC 361NFA vs. DFA1. CSC 361NFA vs. DFA2 NFAs vs. DFAs NFAs can be constructed from DFAs using transitions: Called NFA- Suppose M 1 accepts L 1, M 2 accepts.
Lecture 23UofH - COSC 3340 - Dr. Verma 1 COSC 3340: Introduction to Theory of Computation University of Houston Dr. Verma Lecture 23.

Lecture 23UofH - COSC Dr. Verma 1 COSC 3340: Introduction to Theory of Computation University of Houston Dr. Verma Lecture 23.
Complexity and Computability Theory I Lecture #4 Rina Zviel-Girshin Leah Epstein Winter 2002-2003.

Complexity and Computability Theory I Lecture #4 Rina Zviel-Girshin Leah Epstein Winter
DFA Minimization Jeremy Mange CS 6800 Summer 2009.

DFA Minimization Jeremy Mange CS 6800 Summer 2009.
1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
Compiler Construction

Compiler Construction
XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.

XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.
Courtesy Costas Busch - RPI1 Non Deterministic Automata.

Courtesy Costas Busch - RPI1 Non Deterministic Automata.
A hybrid finite automaton for practical deep packet inspection Department of Computer Science and Information Engineering National Cheng Kung University,

A hybrid finite automaton for practical deep packet inspection Department of Computer Science and Information Engineering National Cheng Kung University,
1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.

1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.
1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.

1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.
1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher:

1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher:
1.Defs. a)Finite Automaton: A Finite Automaton ( FA ) has finite set of ‘states’ ( Q={q 0, q 1, q 2, ….. ) and its ‘control’ moves from state to state.

1.Defs. a)Finite Automaton: A Finite Automaton ( FA ) has finite set of ‘states’ ( Q={q 0, q 1, q 2, ….. ) and its ‘control’ moves from state to state.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Similar presentations

Ads by Google