1 / 20

AC-Suffix-Tree : Buffer Free String Matching on Out-of-Sequence Packets

AC-Suffix-Tree : Buffer Free String Matching on Out-of-Sequence Packets. Author : Xinming Chen ,Kailin Ge ,Zhen Chen and Jun Li Publisher : ANCS , 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14. Outline . Introduction Related Work Background

shima
Download Presentation

AC-Suffix-Tree : Buffer Free String Matching on Out-of-Sequence Packets

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AC-Suffix-Tree:Buffer Free String Matching on Out-of-Sequence Packets Author: Xinming Chen ,Kailin Ge ,Zhen Chen and Jun Li Publisher: ANCS , 2011 Presenter: Tsung-Lin Hsieh Date: 2011/12/14

  2. Outline • Introduction • Related Work • Background • Proposed Algorithm:AC-Suffix-Tree Algorithm • Performance Analysis

  3. Introduction • TCP and IP fragmentation can be used to evade signature detection at IDS / IPS. • The common defense is buffering and reassembling packets. However, buffering of out-of-sequence packets can become impractical on high speed links due to limited fast memory capacity.

  4. Introduction • In this paper, AC-Suffix-Tree, a buffer free scheme for string matching is proposed, which detects patterns across out-of-sequence packets without buffering and reassembly. • This novel algorithm associates the classical AC (ACA) algorithm with a pattern suffix tree to search patterns with only the state numbers of AC automaton and suffix tree stored.

  5. Related Work • What is the current situation of packet reordering in Internet? • In 2005, Dharmapurikar found that packet reordering in TCP traffic only affects 2-3% of the overall traffic[6]. • An older paper reports that 90% of the TCP packets were reordered in the trace of Dec. 1997 and Jan. 1998 [3], but Dharmapurikar claims it was because the older generation of router architecture.

  6. Background • Pattern Suffix Tree: Let X = {abaaba ,ababab} , suffix set of X is {a,ba,aba,aaba,baaba,b,ab,bab,abab,babab}

  7. Background • The return value contains the stop state and a “fact” mark. Once the input string is not finished but there is no available next state, fact is false; and once the inputstring is finished but PST is not finished, fact is true. So fact = true means str is a proper factor of some patterns in X.

  8. AC-Suffix-Tree Algorithm • A simple situation of two packets’ reordering. • When packet y2 comes first, a pattern may exist between the two packets only if some prefix of y2 is one suffix of the patterns.

  9. AC-Suffix-Tree Algorithm • For example :yi=aaba , yj=abaa stop at s6 append path(s6)

  10. AC-Suffix-Tree Algorithm • What if the pattern x crosses more than two segments? • A information merging mechanism is used to merge the PST state records in successive blocks. • the return value “fact” of PST is used to identify the proper factorof x. fact = true means the entire segment is a properfactor of x, thus needs to merge the PST state with thepredecessor segment.

  11. AC-Suffix-Tree Algorithm • Example : Pattern set X = {abaaba, ababab} Input Y = y1y2y3y4 , where y1 = bbaa ,y2 = baba ,y3 = baab ,y4 = aabb -> flow number -> sequence number -> length -> state of ACA -> state of PST

  12. AC-Suffix-Tree Algorithm • First input is y3: (baab) passing y3 to both ACA & PST • Buffer contains (1,8,4,2,11,true)

  13. AC-Suffix-Tree Algorithm • Second input is y1: (bbaa) passing y1 to both ACA & PST • Buffer contains (1,8,4,2,11,true) , (1,0,4,2,11,false)

  14. AC-Suffix-Tree Algorithm • Third input is y4: (aabb) combine y4 with its predecessor (1,8,4,2,11,true) ACA begin with s2 ,PST begin with s11 • Buffer contains (1,0,4,1,8,false) , (1,8,8,0,12,false)

  15. AC-Suffix-Tree Algorithm • Fourth input is y2: (baba) combine y2 with (1,0,4,1,8,false) & (1,8,8,0,12,false) path(12) appended to y2’s tail -> bababaaba ACA match with {abaaba,ababab} • Buffer clean all records with fid = 1.

  16. AC-Suffix-Tree Algorithm • Compression of Suffix Tree: idea - using a suffix array instead of a tree • Pre-processing time will be longer but not the focus

  17. Performance Analysis • Pattern set is chosen from snort ,released on 2010/07/22. no regular expressions included. • Use traces generated by their own program. • Running on PC Pentium 2-core CPU ,4GB RAM ,32-bit XP

  18. Performance Analysis • Processing speed for different traces with long set

  19. Performance Analysis • Memory usage of AC and suffix tree

  20. Performance Analysis • 1,3,2,4,5, 6,7,8,9,10 • 1,4,5,6,7 8,9,10,2,3 • 1,3,4,6,7 8,9,2,10,5

More Related