1 / 30

Presented by: Sailesh Kumar Discussion Leader: Max Podlesny

A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan, Timothy Sherwood Appeared in ISCA 2005. Presented by: Sailesh Kumar Discussion Leader: Max Podlesny. Overview. Overview of IDS/IPS systems String matching and regular expression matching

regis
Download Presentation

Presented by: Sailesh Kumar Discussion Leader: Max Podlesny

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A High Throughput String Matching Architecture for Intrusion Detection and PreventionLin Tan, Timothy SherwoodAppeared in ISCA 2005 Presented by: Sailesh Kumar Discussion Leader: Max Podlesny

  2. Overview • Overview of IDS/IPS systems • String matching and regular expression matching • String matching algorithms • Aho-Corasick algorithm • Overview of the proposed architecture • Analysis of the proposed architecture • Conclusion

  3. Normal Unpredictable Abnormal IDS Overview • Intrusion detection systems, IDS must be capable of distinguishing between normal (not security-critical) and abnormal user activities • However translating the user behaviors into a security-related decision is often not that easy • One approach is anomaly detection • Anomaly detectors construct profiles that represent normal usage • If profile of current data doesn’t match the normal profile => a possible attack • Typically results in high false positives and few negatives too • An intelligent intruder can train the system to behave otherwise

  4. IDS Overview • Another approach is some kind of signature detection • Misbehavior signatures fall into two categories: • Attack signatures – action patterns that may pose a security threat. Typically presented as a series of activities interleaved (may be) with neutral ones • E.g. sequence of flags set on some specific sequence of packets • Selected text strings – signatures to match text strings which look for suspicious action (e.g. – calling  /etc/passwd). • Effective against attacks that exploits programming flaws. • Effective but not immune to novel attacks • Difficulties in updating information on new types of attacks • Still most widely used

  5. IDS Overview • At the heart of most signature based IDS systems, lies a string (regular expression) matching engine • Since this engine has to scan every byte of data, it might become the throughput bottleneck • This paper presents a high throughput string matching architecture • Advantages of proposed scheme: • Claimed to be space efficient • Entire rule set can be stored on-chip • Claimed to be able to achieve high throughput • Limitations (will cover later) • New systems do regex matching, FSM is typically too large to fit on chip, even with the proposed scheme. • Simple FSM compression schemes may beat the proposed idea

  6. String Matching Algorithm (Aho-Corasick) • For a set P of patterns, it builds a DFA, which accepts all patterns in P.

  7. Initial State h e s S Transition Function h S State h r h s e i h S Accepting State h i S h s S h h S 5 0 4 3 6 9 2 7 1 8 r h S String Matching Algorithm (Aho-Corasick) • Lets say, P is {he, she, his, hers} Example from Lin Tan et. al.

  8. e h h e s s r h h s s r e e i i s s 6 8 9 0 1 0 3 2 4 5 1 2 9 8 6 3 4 5 7 7 Properties of DFA created by Aho-Corasick • Consumes one character per state traversal • A modified automaton is also used in many systems, which rescans a character if there is no outgoing edge for it (fail ptr) • Reduces the DFA size tremendously S h S h h S h i S h S h h S r h S Example from Lin Tan et. al.

  9. How to implement efficiently on-chip • Problem: Size too big to be on-chip • ~ 10,000 nodes for SNORT rule set with ~1000 strings • 256 out edges per node • Requires 10,000*256*14 = ~5MB • Solution: partition each state machine into small state machines such that • Each machine handles a subset of strings only • Also, each machine has few outgoing edges only

  10. Bit-Splitting Algorithm Overview • Bit-Split String Matching Algorithm • Reduces out edges from 256 to 2. • Partition the rule set P into smaller sets P0 to Pn • Build AC state-machine for each subset Pi • For each Pi, rip its DFA apart into 8 tiny state-machines, Bi0 through Bi7 • Each binary FSM operates on 1 bit of the 8 bit input characters • A match is announced only if all 8 machines finds a match

  11. Bit-splitting String Matching Architecture • Lets say we have 4 strings in P {he, she, his, hers} • Consider FSM 3 • It looks at 3rd bit of the input char and makes state transitions based upon whether it is 0 or 1 • Example, lets say our input stream is hxhe Example from Lin Tan et. al.

  12. 0000 0000 0001 0000 0000 0001 0 h 0 e 1 s 1 0110 1000 0111 0011 s r e h i { } { } 0 s 7 1 2 9 8 3 4 5 6 Bit FSM Construction • Use subset construction algorithm to build bit FSMs B3 P b0 {0} 1 1 1 1 0 b1 { } 0 ,1 b2 { } 0 ,3 S h 0 S 1 h b3 0,1,2,6 0,3 b4{0,1,4} h S h i S 0 0 h 0 S b6{0,1,2,5,6} 1 h h S 0 b3{0,1,2,6} 1 r 0 1 b5{0,3,7,8} h S 1 b7{0,3,9} Example from Lin Tan et. al.

  13. 0 h e 1 s r h e s i 0 s 7 5 1 2 9 8 6 4 3 Bit FSM Construction • Remove the non-accepting states from the small FSMs b0 { } Pruned B3 P 1 1 1 0 b1 { } b2 { } S h 0 S 1 h b4 { } h S h i S 0 0 h 0 S b6{2,5} 1 h h S 0 b3{2} 1 r 0 1 b5{7} h S 1 b7{9} Example from Lin Tan et. al.

  14. Bit-splitting String Matching Architecture • Build all bit FSMs Bi • Match announced, if all bit FSMs announce a match Example from Lin Tan et. al.

  15. b0 {} b0 {} 0 h e s 1 1 1 1 0 0 b1{} b1{} b2{} b2{} S 0 h 0 0 1 S 0 1 h r e s 1 h i 1 1 b3 {} b7 {} b4 {} 0 0 0 1 h 0 S 1 h i S b6{2,5} b5 {} 0 0 s 0 h 1 S b6{2,5} 1 0 h h S 1 7 5 4 3 6 8 9 2 1 1 0 0 1 b8{2,7} b3{2} b4{2} 1 r 1 0 h b5{7} 0 S b9{9} b7{9} An Example Matching h x h e 0 1 0 0 1 1 1 0 P0 B3 B4 2 Only if all the state machines agree, is there actually a match. Example from Lin Tan et. al.

  16. How to map it to hardware efficiently • Problem: • Every state in the bit-FSMs Bi might have up to S accepting states of the original FSM D. • Note that # accepting of states = # of strings = S • Even if we keep bit-vector to represent the accepting states of the original D, we will need S-bits per state of Bi. • S is typically >1000, so not practical • Solution: • Partition the rule set P into smaller subsets Pi each with g rules • Build FSM Di for each Pi and bit-splice Di into Bi0, … Bi7 • Now every state in Bij can have at most g accepting states, hence only g-bits are needed

  17. How to map it to hardware efficiently • Also note that any D FSM can be ripped into 2 or 4 bit-FSMs as well • When ripped into 4 different bit-FSM, each one consumes 2-bits of the input characters • When ripped into 2 different bit-FSM, each one consumes 4-bits

  18. Each State Machine Tile • g = 16 • # of states = 256 (8-bit state encoding) • D FSM is ripped into 4 FSMs (each accepts 2-bit I/P) Example from Lin Tan et. al.

  19. Hardware Implementation Example from Lin Tan et. al.

  20. Non Interrupting Update • Issues: • Must copy the state of every flip-flop of the affected module onto the replacement module • E.g. the current state pointer of the affected module must be copied into the replacement module • These issues are not mentioned in the paper

  21. Optimal partitioning • There are two types of partitions. • One is the partition of the set of strings • Another is the partitions of each D FSM into multiple bit FSMs • 8 binary partition is clearly easy to understand • However, it is possible to partition into 2 or 4 partitions, and each partition consumes 4 and 2 input bits of the input character respectively. • Terminology • S = total # of strings • g = # of strings per group (# of partition = S/g) • n = # of partitions of state machine (1, 2, 4, 8) • L = Average # of characters per string • How to choose g and n? • which consumes minimum area

  22. Optimal partitioning • Total number of bits needed is: # of partial match bits # of bits to encode state # of FSM partitions # of outgoing edges per state Total # of states in each bit-FSM Total # of modules (string set partition)

  23. Optimal partitioning • Plot from the review of Mike Wilson (1000 signatures, average length 12) • Typical optimal # of FSM partitions = 2, 4

  24. Partitioning String Sets • In the analysis presented in the paper, it is claimed that partitioning string sets always reduce space • Not quite right when there is overlap among the strings • With overlapping strings, fewer states are needed w/o partitioning

  25. Performance Results - Memory From Lin Tan et. al.

  26. Performance Results - Throughput From Lin Tan et. al.

  27. Strength of the Algorithm • Can be very effective for dense DFAs, when there are plenty of outgoing edges from every state • In this case, path compression will not help a lot • However, ripping apart the state machines into bit state machines will reduce the number of outgoing edges to 16 • (2 edges x 8 FSMs) or (4 edges x 4 FSMs) • For dense graphs, upto 16 times reduction in state space

  28. Some Issues • Tuck [30] used bitmap compression and path compression to reduce the amount of memory needed for SNORT rules to 1.1MB • Note that, Tuck didn’t do any string set partitioning • w/o any partitioning, bit-splitting will consume >2 MB From Lin Tan et. al.

  29. Conclusion • Novel Bit-Split String Matching Algorithm • Reduces out edges from 256 to 2 • Can be extremely effective for dense graphs • Performance/area beats the best techniques by a factor of 10 or more. • 0.4MB and 10Gbps for Snort rule set ( >10,000 characters)

  30. Thank you and Questions

More Related