Zhichun Li
Abstract
Accuracy and speed are the two most important metrics for Network Intrusion Detection/Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regex-based NIDS/NIPS systems has become a serious problem. In contrast, the recently-proposed vulnerability signatures (a.k.a data patches) can exactly describe the vulnerability conditions and achieve better accuracy. However, how to efficiently apply vulnerability signatures to high speed NIDS/NIPS with a large ruleset remains an untouched but challenging issue.
This paper presents the first systematic design of vulnerability signature based parsing and matching engine, NetShield, which achieves multi-gigabit throughput while offering much better accuracy. Particularly, we made the following contributions: (i) we proposed a candidate selection algorithm which efficiently matches thousands of vulnerability signatures simultaneously requiring a small amount of memory; (ii) we proposed an automatic lightweight parsing state machine achieving fast protocol parsing. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale-up to at least 11+Gbps under a 8-core machine for 794 HTTP vulnerability signatures.
- 1998 DARPA Intrusion Detection Evaluation Data Set. www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1998data.html.Google Scholar
- Conficker. http://en.wikipedia.org/wiki/Conficker.Google Scholar
- DAG card. http://www.endace.com/dag-8.1sx.html.Google Scholar
- NetShield Website. http://www.nshield.org.Google Scholar
- PRX Traffic Manager. http://www.ipoque.com/products/prx-traffic-manager.Google Scholar
- F. Baboescu and G. Varghese. Scalable packet classification. In proc. of ACM SIGCOMM, 2001. Google ScholarDigital Library
- M. Becchi and P. Crowley. A hybrid finite automaton for practical deep packet inspection. In Proc. of ACM CoNEXT, 2007. Google ScholarDigital Library
- M. Becchi and P. Crowley. Efficient regular expression evaluation: Theory to practice. In Proc. of IEEE/ACM ANCS, 2008. Google ScholarDigital Library
- N. Borisov, D. J. Brumley, H. J. Wang, J. Dunagan, P. Joshi, and C. Guo. A generic application-level protocol analyzer and its language. In proc. of NDSS, 2007.Google Scholar
- D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proc. of IEEE Security and Privacy Symposium, 2006. Google ScholarDigital Library
- B. Chazelle. Lower bounds for orthogonal range searching. ii: The arithmetic model. Journal of the ACM, 37(3):439--463, July 1990. Google ScholarDigital Library
- M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proc. of ACM SOSP, 2005. Google ScholarDigital Library
- W. Cui, M. Peinado, H. J. Wang, and M. Locasto. Shieldgen: Automated data patch generation for unknown vulnerabilities with informed probing. In proc. of IEEE Security and Privacy, 2007. Google ScholarDigital Library
- S. Dharmapurikar and V. Paxson. Robust tcp stream reassembly in the presence of adversaries. In Proc. USENIX Security Symposium, 2005. Google ScholarDigital Library
- P. Gupta and N. McKeown. Packet classification on multiple fields. In proc. of ACM SIGCOMM, 1999. Google ScholarDigital Library
- P. Gupta and N. McKeown. Classification using hierarchical intelligent cuttings. IEEE Micro, 20(1):34--41, Jan 2000. Google ScholarDigital Library
- S. Kumar, S. Dharmapurikar, F. Yu, P. Crowley, and J. Turner. Algorithms to accelerate multiple regular expression matching for deep packet inspection. In Proc. of ACM SIGCOMM, 2006. Google ScholarDigital Library
- T. V. Lakshman and D. Stiliadis. High-speed policy-based packet forwarding using efficient multi-dimensional range matching. In proc. of ACM SIGCOMM, 1998. Google ScholarDigital Library
- Z. Li, X. Gao, Y. Chen, and B. Liu. Netshield: Matching with a large vulnerability signature ruleset for high performance network defense. Technical Report NWU-EECS-08-07, Northwestern University, 2009.Google Scholar
- R. Pang, V. Paxson, R. Sommer, and L. Peterson. binpac: A yacc for writing application protocol parsers. In proc. Of ACM IMC, 2006. Google ScholarDigital Library
- V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31, 1999. Google ScholarDigital Library
- N. Schear, D. Albrecht, and N. Borisov. High-speed matching of vulnerability signatures. In Proc. of RAID, 2008. Google ScholarDigital Library
- U. Shankar and V. Paxson. Active mapping: Resisting NIDS evasion without altering traffic. In Proc. of IEEE Security and Privacy, 2003. Google ScholarDigital Library
- S. Singh, F. Baboescu, G. Varghese, and J. Wang. Packet classification using multidimensional cutting. In proc. of ACM SIGCOMM, 2003. Google ScholarDigital Library
- R. Smith, C. Estan, and S. Jha. XFA: Faster signature matching with extended automata. In Proc. of IEEE Security and Privacy, 2008. Google ScholarDigital Library
- R. Smith, C. Estan, S. Jha, and S. Kong. Deflating the big bang: Fast and scalable deep packet inspection with extended finite automata. In Proc. of ACM SIGCOMM, 2008. Google ScholarDigital Library
- V. Srinivasan, S. Suri, and G. Varghese. Packet classification using tuple space search. In proc. of ACM SIGCOMM, 1999. Google ScholarDigital Library
- D. E. Taylor. Survey and taxonomy of packet classification techniques. ACM Comput. Surv., 37(3):238--275, 2005. Google ScholarDigital Library
- H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In Proc. of ACM SIGCOMM, 2004. Google ScholarDigital Library
- F. Yu, Z. Chen, Y. Diao, T. V. Lakshman, and R. H. Katz. Fast and memory-efficient regular expression matching for deep packet inspection. In Proc. of ANCS, 2006. Google ScholarDigital Library
Index Terms
- NetShield: massive semantics-based vulnerability signature matching for high-speed networks
Recommendations
NetShield: massive semantics-based vulnerability signature matching for high-speed networks
SIGCOMM '10: Proceedings of the ACM SIGCOMM 2010 conferenceAccuracy and speed are the two most important metrics for Network Intrusion Detection/Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability ...
Towards vulnerability-based intrusion detection with event processing
DEBS '11: Proceedings of the 5th ACM international conference on Distributed event-based systemComputer systems continue to be breached despite substantial investments in defense mechanisms to stop attacks from propagating. The accuracy of current intrusion detection systems (IDSes) is hindered by the limited capability of regular expressions (...
Characterization and Solution to a Stateful IDS Evasion
ICDCS '09: Proceedings of the 2009 29th IEEE International Conference on Distributed Computing SystemsWe identify a new type of stateful IDS evasion, named signature evasion. We formalize the signature evasion on those Stateful IDSs whose state can be modeled using Deterministic Finite State Automata (DFAs). We develop an efficient algorithm which ...
Comments