ECE 526 – Network Processing Systems Design
Network Security: string matching algorithms
Chapter 17: George Varghese
Goal
• Gain basic knowledge to improve network security from a network processing system design perspective
ECE 526
Outline
• Signature-based IDSs
• String matching algorithms
  • Boyer-Moore
  • Aho-Corasick
• Bloom Filter
• Approximate Searching
  • Approximate Searching Based on Bloom Filters
• Summary
Internet Security
• The Internet lacks built-in security
  • Example?
• What is Internet security?
  • Confidentiality: data is kept private
  • Integrity: data is protected from modification or destruction
  • Availability: data or service remains accessible
• What are the current approaches?
  • Engineering?
  • Non-engineering?
  • Intrusion Detection Systems (IDSs)
Intrusion Detection Systems
• Two types of Intrusion Detection Systems (IDSs)
  • Signature detection: matches events against the signatures of known attacks
  • Anomaly detection: uses statistical or learning theory to identify aberrant events
• Three important tasks
  • String matching: searching for suspicious strings in packet payloads
  • Traceback: detecting an intruder who uses a forged source address
  • Detecting the onset of a new worm without prior knowledge
• The problems of current IDSs
  • Very slow
  • High false-positive rate
    • False positive: answering a membership query positively when the element is not in the set
Snort Rule Example
• Snort: a lightweight, open-source detection system (www.snort.org)
• Snort rule example:
    alert tcp $BAD 80 -> $GOOD 90 \
        (content:"perl.exe"; msg:"detected perl.exe";)
• Looks for the string "perl.exe" in TCP packets from IP $BAD, port 80 to IP $GOOD, port 90
• On detection, generates an alert with the message "detected perl.exe"
• Question: a packet arrives; how do we check it?
• Question: what about multiple rules?
• String matching is the bottleneck
String Searching: brute force
• An arbitrary string can be anywhere in the packet
• Naive approach
    Input: string of size m; packet of size n (assuming n > m)
    For i := 0 to n-m do
        For j := 0 to m-1 do
            Compare string[j] with packet[i+j]
            If not equal, exit the inner loop
        If all m characters matched, report a match at offset i
• Complexity:
  • Worst case O(m*n)
  • Best case O(n)
• Can we do better?
Boyer-Moore: example
• Improves on brute force by skipping over a larger number of characters and by comparing the last character first
• How to build the skip table?
Boyer Moore: skip table
• How far to skip when the last character does not match
• For example, pattern: CAB
    Last char:  A  B  C  D  E ...
    Skip:       1  *  2  3  3 ...
• Care is needed with repeated letters
• For example, pattern: ABBA
    Last char:  A  B  C  D  E ...
    Skip:       *  1  4  4  4 ...
• Skip[c] = distance of the last occurrence of c from the end of the pattern (* marks the pattern's own last character; a character not in the pattern skips the whole pattern length)
Boyer Moore: algorithm
    Input: pattern of size m; packet of size n
    i := 0
    While i <= n-m do
        If pattern[m-1] = packet[i+m-1] then            // last character first
            For j := 0 to m-1 do
                Compare pattern[j] with packet[i+j]      // one by one, sequentially
                If not equal, exit the inner loop
            If all m characters matched, report a match at offset i
            i := i+1
        Else
            i := i + skip[packet[i+m-1]]                 // skip
• Complexity:
  • Best case O(n/m)
  • Worst case still O(nm)
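The skip table and the algorithm of the two slides above, written out as an added example in Python (this is not code from the slides or from Varghese's book). The skip table follows the slide's definition, including the "*" entry for the pattern's last character; the sample payload is constructed.

```python
# Added example (not from the slides): the simplified Boyer-Moore described above.

def build_skip_table(pattern: str) -> dict:
    """skip[c] = distance of the last occurrence of c from the end of the pattern.
    The final character gets '*': the search never consults it, because a matching
    last character goes to the one-by-one comparison instead. Characters absent
    from the pattern are not stored; the search uses m (pattern length) for them."""
    m = len(pattern)
    skip = {}
    for j, c in enumerate(pattern):
        skip[c] = m - 1 - j            # later occurrences overwrite earlier ones,
    skip[pattern[-1]] = "*"            # so repeated letters keep the LAST distance
    return skip


def boyer_moore_search(pattern: str, packet: str) -> list:
    """Return every offset in packet where pattern occurs, following the slide:
    compare the last character first; on a mismatch jump by the skip table;
    on a match verify the whole pattern left to right and then shift by one."""
    m, n = len(pattern), len(packet)
    if m == 0 or m > n:
        return []
    skip = build_skip_table(pattern)
    matches = []
    i = 0
    while i <= n - m:
        last = packet[i + m - 1]
        if last == pattern[m - 1]:                 # last character first
            if packet[i:i + m] == pattern:         # one-by-one sequential compare
                matches.append(i)
            i += 1
        else:
            i += skip.get(last, m)                 # unseen character: skip the whole pattern
    return matches


if __name__ == "__main__":
    # constructed sample payload containing the Snort rule's content string
    payload = "GET /cgi-bin/perl.exe?x=1 HTTP/1.0"
    print(build_skip_table("CAB"))                 # {'C': 2, 'A': 1, 'B': '*'}
    print(boyer_moore_search("perl.exe", payload))  # [13]
```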
Aho-Corasick
• Failure pointer
  • Prevents restarting at the top of the trie when a failure occurs
  • A new attempt is made by shifting
• What about multiple strings?
• Example pattern: BABAR
Multiple String Trie Construction
Example: P = {he, she, his, hers}
[Figure: trie with states 0 to 9, showing the initial state 0, the transition function, the failure pointers and the accepting states]
Aho-Corasick: Searching Matching String
[Figure: the same trie for P = {he, she, his, hers}, scanning the input stream h x h e r s]
• Scans the input stream only once
• Complexity: linear time
Aho-Corasick: summary
• Pros:
  • Computational complexity: worst case O(n)
  • Can scan once and output all matches
• Cons:
  • Requires constructing a finite state machine
  • Failure pointers needed
  • Too big to be on chip
    • Each node has a maximum of 256 pointers
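The trie construction, failure pointers and single-pass scan of the Aho-Corasick slides above, as an added Python example (not from the slides or the book) for the slide's own pattern set P = {he, she, his, hers}; the input stream is the one on the searching slide.

```python
# Added example (not from the slides): Aho-Corasick for P = {he, she, his, hers}.
from collections import deque

def build_aho_corasick(patterns):
    """Return (goto, fail, output): goto[s] maps a character to the next state,
    fail[s] is the failure pointer of s, output[s] is the set of patterns ending at s."""
    goto, output = [{}], [set()]                 # state 0 is the initial state
    for p in patterns:                           # 1) trie construction (goto function)
        s = 0
        for c in p:
            if c not in goto[s]:                 # a dict per node here; a hardware
                goto[s][c] = len(goto)           # trie would hold up to 256 pointers
                goto.append({})
                output.append(set())
            s = goto[s][c]
        output[s].add(p)                         # accepting state for p
    fail = [0] * len(goto)
    queue = deque(goto[0].values())              # depth-1 states fail back to the root
    while queue:                                 # 2) failure pointers, breadth first
        r = queue.popleft()
        for c, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and c not in goto[f]:        # walk failures until c has a transition
                f = fail[f]
            fail[s] = goto[f].get(c, 0)
            output[s] |= output[fail[s]]         # a pattern ending at a suffix also matches
    return goto, fail, output

def search(text, goto, fail, output):
    """Scan text exactly once; return sorted (start offset, pattern) pairs."""
    matches, s = [], 0
    for i, c in enumerate(text):
        while s and c not in goto[s]:            # failure pointer: no restart at the root
            s = fail[s]
        s = goto[s].get(c, 0)
        for p in output[s]:
            matches.append((i - len(p) + 1, p))
    return sorted(matches)

if __name__ == "__main__":
    g, f, o = build_aho_corasick(["he", "she", "his", "hers"])
    print(len(g))                                # 10 states, numbered 0..9 as on the slide
    print(search("hxhers", g, f, o))             # [(2, 'he'), (2, 'hers')]
```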
Hashing
• An efficient set membership query mechanism
• Programming is trivial
• Query complexity: O(n) best case (n: size of packet)
• Query accuracy: possible false positives
• However, to handle collisions
  • Each hash entry contains a list of the IDs of all elements sharing the hash value
  • Minimal storage requirement: O(n*w), n: number of elements, w: minimal width of each element
• Question: can we trade accuracy for storage requirement using the hashing idea?
Bloom Filter
• Data structure proposed by Burton Bloom
• Randomized data structure
• Strings are stored using multiple hash functions (programming)
• A string's presence is checked from multiple bits (querying)
• Membership queries can result in false positives
• Powerful tool for
  • Content networks
  • Route traceback
  • Network measurements
  • Intrusion detection
Bloom Filter Programming
• Instead of one hash function, k independent hash functions
• Instead of n*w bits of storage, an m-bit vector
• Initially all bits are cleared
• Programming sets one bit per hash function
• A bit remains set if two elements hash to the same position
Bloom Filter Querying
• Procedure:
  • String x is hashed by the k hash functions
  • Each hash function pinpoints one bit in the m-bit vector
  • The k selected bits are ANDed
  • If the result is 0, x is definitely not a member; else x is reported as a member (possibly a false positive)
Bloom Filter: false positive rate
• n: number of strings to be stored
• k: number of hash functions
• m: size of the bit array
• False positive probability (with k chosen optimally): f = (1/2)^k
• Optimal number of hash functions: k = ln2 * m/n = 0.693 * m/n
• The false positive rate decreases exponentially with the number of hash functions and the memory
Counting Bloom Filters
• Member deletion
  • Deleting a member requires clearing all of its bits
  • A bit once set in the bit vector cannot be cleared easily
    • The bit may have been set by multiple members
• Solution
  • Assume member deletion is a rare case
  • Counting Bloom filter
    • A counter is updated when an element is added or deleted
    • The bit in the m-bit vector is reset when the counter value reaches 0
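The programming, querying, false-positive-rate and deletion slides above, combined into one added Python example of a counting Bloom filter (not code from the slides or the book). The k hash functions are simulated, as an assumption of this example, by SHA-256 over the string with a different one-byte salt per function; the signature strings are constructed.

```python
# Added example (not from the slides): a counting Bloom filter with k hash functions.
import hashlib
import math

def optimal_k(m: int, n: int) -> int:
    """Slide formula k = ln2 * m/n, rounded to a whole number of hash functions."""
    return max(1, round(math.log(2) * m / n))

def false_positive_rate(k: int) -> float:
    """Slide formula f = (1/2)^k, which holds when k is optimal for the given m and n."""
    return 0.5 ** k

class CountingBloomFilter:
    """m counters instead of m bits: 'bit p is set' means counters[p] > 0, so a
    member can be deleted without clearing a bit another member still needs."""
    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.counters = [0] * m                    # initially every bit is clear

    def _positions(self, x: str):
        # k hash functions simulated (assumption) by SHA-256 with a per-function salt
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + x.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, x: str) -> None:                 # "programming": set the k bits
        for p in self._positions(x):
            self.counters[p] += 1                  # a bit shared by two members counts 2

    def query(self, x: str) -> bool:
        """AND of the k bits: False means definitely not a member; True means a
        member or a false positive (other members happened to set all k bits)."""
        return all(self.counters[p] > 0 for p in self._positions(x))

    def delete(self, x: str) -> bool:
        """Decrement the k counters; a bit is reset only when its counter hits 0.
        Non-members are refused: decrementing for them would corrupt real members' bits."""
        if not self.query(x):
            return False
        for p in self._positions(x):
            self.counters[p] -= 1
        return True

if __name__ == "__main__":
    m, n = 1024, 100                               # bit-vector size, expected number of strings
    bf = CountingBloomFilter(m, optimal_k(m, n))   # k = 7, so f = (1/2)^7 at this load
    for sig in ["perl.exe", "cmd.exe"]:            # constructed signature strings
        bf.add(sig)
    bf.delete("perl.exe")
    print(bf.query("cmd.exe"))                     # True: cmd.exe's bits survive the deletion
```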
Approximate String Searching
• Using a Bloom filter
Approximate String Searching
• Reference: John W. Lockwood et al., "Deep Packet Inspection Using Parallel Bloom Filters"
Summary
For Next Class
• Read Comer: chapters 6 and 9
• Final Project (option 1)
  • Project group finalized
    • 9/19/07: group leader: email me your group members
    • each group no more than 3 members
  • Project topic finalized
    • 9/28/07: group leader: email me your topic
• Paper presentation + Final exam (option 2)
  • 9/19/07: group leader: email me your group members
    • each group no more than 2 members
  • based on one or two assigned papers (<20 min)