1 / 19

Automated Parser Generation for High-Speed NIDS

Hongyu Gao Clint Sbisa. Automated Parser Generation for High-Speed NIDS. Motivation. Processing speed is crucial concern for NIDS/NIPS Limited by rate of parsing packets Inefficient parsing leads to slow speeds and bottlenecks. Current Solutions. Binpac Declarative language and compiler

ramona
Download Presentation

Automated Parser Generation for High-Speed NIDS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hongyu Gao Clint Sbisa Automated Parser Generation for High-Speed NIDS

  2. Motivation • Processing speed is crucial concern for NIDS/NIPS • Limited by rate of parsing packets • Inefficient parsing leads to slow speeds and bottlenecks

  3. Current Solutions • Binpac • Declarative language and compiler • Designed to simplify task of constructing complex protocol parsers • Constructs a full parsing tree

  4. Current Solutions • Netshield • Integrate high-speed protocol parser to provide fast parsing speed • Parsers are manually written, which is tedious work and error-prone

  5. Proposed Solution • A protocol parser generator • Read the protocol specification • Output the parser for the specific protocol • The parser is aware of matching • The parser focuses on the fields needed by matching and skip unnecessary fields

  6. Proposed Solutions

  7. Design Principles • The parsing process should avoid recursive calls • Parse trees are not used in parsing phase • Skip unneeded information • After parsing one field, the parser should be able to quickly jump to the next necessary field

  8. Detailed design • The parser consists of three parts • A pair of buffer pointers • A field table ( key data structure) • A table pointer

  9. Detailed design on field table

  10. Detailed Design on Parser

  11. Implementation • Basic approach: • Fixed driver • Fixed data structure • Protocol-specific table content

  12. Related files

  13. How to realize the system • Determine the size of field table • Start with one root node in protocol parse tree • Iteratively substitute complex field with multiple simpler fields • Determine the FieldLength function • Retrieve the information from Type class • Type::attr_length_expr_, • Type::attr_oneline_, • etc.

  14. How to realize the system Determine the GarbageLength function Before compression, GarbageLength returns “0” for every field Compress the table Look forward for consequent fields Merge the length of unused fields into garbage fields of the field that precedes them

  15. Snapshot for generated code

  16. Snapshot for generated code, cont’d

  17. Snapshot for generated code, cont’d

  18. Demo

  19. Questions? Suggestions?

More Related