Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio
Project Proposal
ECE 526 Spring 2006
Modified Data Structure of Aho-Corasick
Benfano Soewito, Ed Flanigan and John Pangrazio

1. Introduction

The internet has become the most important tool of this decade, affecting every aspect of daily life, including internet banking. In today's internet, worms and viruses cause service disruptions with enormous economic impact. Current attack prevention mechanisms rely on end-user cooperation to install new system patches (Windows Update) or to upgrade security software (anti-virus updates), yielding slow reaction times. Malicious attacks, however, spread much faster than users can respond, which makes effective attack prevention difficult. Network-based mechanisms, which avoid end-user coordination, can respond rapidly to new attacks. Such mechanisms require the network to inspect packet payloads at line rate to detect and filter the packets containing worm signatures, and a Network Intrusion Detection System is well suited for this purpose.

Today's Intrusion Detection System (IDS) techniques are usually classified as either signature detection or anomaly detection; this project focuses only on signature detection. Signature detection matches events against signatures of known attacks: the IDS monitors packets in the network traffic and scans the packet payload to detect malicious intrusions or attack signatures. Currently, most IDSs are software based and run on a general purpose processor. SNORT, a popular open source IDS, has thousands of rules that refer to the packet header as well as to the packet payload. A sample Snort rule is shown below:

    alert tcp $BAD 80 -> $GOOD 90 (content: "perl.exe"; msg: "detected perl.exe";)

The rule examines the protocol, the source and destination IP addresses, and the source and destination TCP ports. The content option indicates that the packet payload is to be matched against the string enclosed in double quotes, in this example perl.exe.

The continued growth in both network traffic and the intrusion signature database makes it increasingly difficult for an IDS running in software on a general purpose processor to keep up with network speeds that approach 10 Gbps. A new form of intrusion detection system is needed that can handle this speed and load. In this project we will study and implement Aho-Corasick, the well-known string matching algorithm that searches for multiple strings in one pass using a trie with back pointers. This algorithm needs a lot of memory to hold the trie data structure that contains the rules and the back pointers. We will modify the algorithm's data structure using a bitmap in order to reduce its space requirement, so that the structure can be placed in faster memory (rather than relying on a general purpose processor) and the search becomes faster.

2. Previous work

String matching is one of the classical, well studied problems and has been studied extensively for many years. Most known IDS implementations use general purpose string matching algorithms such as Boyer-Moore, Aho-Corasick and Bloom filters. In this chapter we explain the basic idea of several string matching algorithms.
2.1. Boyer-Moore

The algorithm of Boyer and Moore [2] is a widely used string matching algorithm. It compares the pattern with the text from right to left, with the aim of reducing the number of character comparisons. Two heuristics are triggered when a mismatch occurs. The basic idea is as follows: if the text symbol that is compared with the rightmost pattern symbol does not occur in the pattern at all, then the pattern can be shifted by m positions behind this text symbol, where m is the length of the pattern. The following example illustrates this situation (text positions on the first line, the text on the second, the pattern before and after the shift below it):

    0 1 2 3 4 5 6 7 8 9 10
    a b b a d a b a c b a
    b a b a c
              b a b a c

The first comparison, d-c at position 4, produces a mismatch. The text symbol d does not occur in the pattern. Therefore the pattern cannot match at any of the positions 0, ..., 4, since all corresponding windows contain the d. The pattern can be shifted to position 5. The best case for the Boyer-Moore algorithm is attained if at each attempt the first compared text symbol does not occur in the pattern; then the algorithm requires only O(n/m) comparisons.

Bad character heuristics

This method is called the bad character heuristic. It can also be applied if the bad character, i.e. the text symbol that causes the mismatch, occurs somewhere else in the pattern. Then the pattern can be shifted so that it is aligned to this text symbol. The next example illustrates this situation:

    0 1 2 3 4 5 6 7 8 9 10
    a b b a b a b a c b a
    b a b a c
        b a b a c

The comparison b-c causes a mismatch. The text symbol b occurs in the pattern at positions 0 and 2. The pattern can be shifted so that the rightmost b in the pattern is aligned to the text symbol b.

Good suffix heuristics

Sometimes the bad character heuristic fails. In the following situation the comparison a-b causes a mismatch. Aligning the rightmost occurrence of the pattern symbol a with the text symbol a would produce a negative shift; instead, a shift by 1 would be possible. However, in this case it is better to derive the maximum possible shift distance from the structure of the pattern. This method is called the good suffix heuristic.
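Both heuristics, as an added example that is not code from the proposal or from Boyer and Moore: a Python implementation of the bad character shift and of the standard good suffix preprocessing (which also covers the case 2 situation discussed in this section), with explain_shift reporting which heuristic wins at a given window position. The text/pattern pairs drawn in this section are reused as constructed inputs.

```python
# Boyer-Moore shift heuristics (bad character and good suffix).
# Added example; the pattern/text pairs used are the ones drawn in this section.


def bad_character_shift(pattern, mismatch_pos, text_char):
    """Shift that aligns the rightmost occurrence of text_char in the pattern
    with the mismatching text position. A character absent from the pattern
    gives mismatch_pos + 1; an occurrence to the right of mismatch_pos would
    give a negative shift, which is replaced by the minimum useful shift, 1."""
    rightmost = pattern.rfind(text_char)          # -1 when absent
    return max(1, mismatch_pos - rightmost)


def good_suffix_table(pattern):
    """s[i] is the shift to apply when pattern[i:] has matched and
    pattern[i-1] mismatched (s[0] is the shift after a full match).
    Case 1: the matched suffix occurs again inside the pattern (preceded by
    a different character). Case 2: only a prefix of the pattern matches
    the end of the matched suffix."""
    m = len(pattern)
    f = [0] * (m + 1)   # f[i]: start of the widest border of pattern[i:]
    s = [0] * (m + 1)
    i, j = m, m + 1
    f[i] = j
    while i > 0:                                   # case 1
        while j <= m and pattern[i - 1] != pattern[j - 1]:
            if s[j] == 0:
                s[j] = j - i
            j = f[j]
        i -= 1
        j -= 1
        f[i] = j
    j = f[0]
    for i in range(m + 1):                         # case 2
        if s[i] == 0:
            s[i] = j
        if i == j:
            j = f[j]
    return s


def good_suffix_shift(pattern, mismatch_pos):
    """Good suffix shift when pattern[mismatch_pos] is the mismatching symbol."""
    return good_suffix_table(pattern)[mismatch_pos + 1]


def explain_shift(text, pattern, pos):
    """Compare right to left at window position pos and report
    (mismatch index in the pattern, bad character shift, good suffix shift,
    shift taken = the longer of the two); None when the window matches."""
    i = len(pattern) - 1
    while i >= 0 and pattern[i] == text[pos + i]:
        i -= 1
    if i < 0:
        return None
    bc = bad_character_shift(pattern, i, text[pos + i])
    gs = good_suffix_shift(pattern, i)
    return i, bc, gs, max(bc, gs)


def boyer_moore_search(text, pattern):
    """Return the start positions of every occurrence of pattern in text."""
    n, m = len(text), len(pattern)
    gs = good_suffix_table(pattern)
    matches, pos = [], 0
    while pos <= n - m:
        i = m - 1
        while i >= 0 and pattern[i] == text[pos + i]:
            i -= 1
        if i < 0:
            matches.append(pos)
            pos += gs[0]
        else:
            pos += max(bad_character_shift(pattern, i, text[pos + i]), gs[i + 1])
    return matches
```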
    0 1 2 3 4 5 6 7 8 9 10
    a b a a b a b a c b a
    c a b a b
        c a b a b

The suffix ab has matched. The pattern can be shifted until the next occurrence of ab in the pattern is aligned to the text symbols ab, i.e. to position 2.

In the following situation the suffix ab has matched. There is no other occurrence of ab in the pattern. Therefore the pattern can be shifted behind ab, i.e. to position 5.

    0 1 2 3 4 5 6 7 8 9 10
    a b c a b a b a c b a
    c b a a b
              c b a a b

In the following situation the suffix bab has matched. There is no other occurrence of bab in the pattern. But in this case the pattern cannot be shifted to position 5 as before, only to position 3, since a prefix of the pattern (ab) matches the end of bab. We refer to this situation as case 2 of the good suffix heuristic.

    0 1 2 3 4 5 6 7 8 9 10
    a a b a b a b a c b a
    a b b a b
          a b b a b

The pattern is shifted by the longer of the two distances given by the bad character and the good suffix heuristics.

2.2. Aho-Corasick

Aho-Corasick (AC) [1] is a multi-string matching algorithm, meaning that it matches the input against multiple strings at the same time. Multi-string matching algorithms generally preprocess the set of strings and then search for all of them together over the input text. The algorithm consists of two parts: the first builds a tree from the keywords to be searched for, and the second searches the text for the keywords using the previously built tree (state machine). Searching for a keyword is very efficient, because the search only moves through the states of the state machine: if a character matches, it follows the goto function, otherwise it follows the fail function. The root node is used only as a placeholder and contains the links to the first letters of the keywords. The links created in this first step represent the goto function, which returns the next state when a character matches.

To construct the goto function we construct the goto graph. We begin with a graph consisting of one vertex, which represents state 0. We then enter each keyword y into the graph by adding a directed path that begins at the start state. New vertices and edges are added to the graph so that, starting at the start state, there is a path in the graph that spells out the keyword y. The keyword y is added to the output function of the state at which the path terminates. We add new edges to the graph only when necessary. For example, suppose {he, she, his, hers} is the set of keywords. Adding the first keyword to the graph and continuing with the others yields the keyword tree shown in Figure 1.

During the second phase, the fail and output functions are found. The fail function is used when a character does not match, and the output function returns the keywords found at each reached state. For example, in the text "SHIS", the failure function is used to exit from the "SHE" branch to the "HIS" branch after the first two characters (because the third character does not match).

Figure 1. The keyword tree
Figure 2. The tree with the fail function

2.3. Bloom Filter

Dharmapurikar et al. proposed a multiple-pattern matching solution using parallel Bloom filters [3]. Their approach can handle thousands of patterns. The proposed scheme builds a Bloom filter for each possible pattern length. A Bloom filter is a data structure that stores a set of signatures compactly by computing multiple hash functions on each member of the set. It is queried to check whether a particular string is a member of the stored set; the answer to this query can be a false positive but never a false negative. An important property of this data structure is that the time taken by a query is independent of the number of strings in the database, provided the memory used by the data structure scales linearly with the number of strings stored in it. Furthermore, the amount of storage required by the Bloom filter for each string is independent of its length. Each Bloom filter scans the streaming data and checks the strings of the corresponding length. Whenever a Bloom filter detects a suspicious string, an analyzer probes this string to decide whether it indeed belongs to the given set of strings or is a false positive. Based on the analyzer's determination, the system can take the appropriate action (drop, forward, or log) for the packet associated with the string.

Let the signature lengths range from Lmin to Lmax. The Bloom filter engine reads as input a data stream that arrives at the rate of one byte per clock cycle. It monitors a window of Lmax bytes, as shown in Figure 3. When this window is full, it contains Lmax - Lmin + 1 substrings (one of each length from Lmin to Lmax), which are potential matches for signatures. The system verifies the membership of each substring using the Bloom filter for that length. Each hardware Bloom filter gives one query result per clock cycle, so the system can verify the membership of all Lmax - Lmin + 1 strings in a single clock cycle. If none of the substrings matches a signature, the data stream can advance by a byte. Monitoring a window in this way eventually scans all possible strings of length Lmin to Lmax bytes in every packet. In the case of multiple substrings matching within a single window, the longest substring becomes the string of interest, a policy called longest substring first (LSF). Thus, when several Bloom filters in the array report a match at the same time, the analyzer probes the substrings from longest to shortest. The search stops as soon as the analyzer first confirms the match of a substring. After the search is over, the window advances by a byte and the system repeats the same procedure.

Figure 3. Window of streaming data containing strings of lengths from Lmin=3 to Lmax=W. [4]

From these three string matching algorithms we can summarize as follows [5]:

    Algorithm      Idea                  Computation     Storage               Problem
    Boyer-Moore    Skip                  O(m*n) worst    0.1 MB (10K rules)    Shift table needed
    Aho-Corasick   Trie                  O(n) worst      50 MB (1500 rules)    Storage
    Bloom Filter   Approximate search    O(n)            0.1 MB (10K rules)    False positives

Based on this study, Aho-Corasick has good worst-case performance, but its problem is storage: it needs 50 MB to hold 1500 rules. So in this project we would like to decrease the storage of Aho-Corasick using the methodology explained in the next chapter.

3. Methodology

The previous section discussed earlier approaches to string matching. We will now discuss the Deterministic Memory-Efficient String Matching Algorithm for Intrusion Detection [4]. First we will build the tree data structure that creates the state machine; this is done with the next pointer function (goto function). This is the most important part of this project. We will modify the next state pointers, of which there are 256 per state in the Aho-Corasick algorithm, to use only one pointer, and encode the 256 next state pointers using a bitmap compression scheme. This greatly reduces the memory space but, on the other hand, produces a slight increase in execution time. The pseudo code of the bitmap data structure is shown below:

    struct bitmap_state {
        struct bitmap_state *next_state;
        bitmap next_state_valid : 256;
        struct bitmap_state *failure_state;
        struct rule *rule_list;
    };

Figure 4. Pseudo code of the bitmap data structure

The diagram of the state node is shown in Figure 5. The next pointer points to the bar of children nodes. As an example, if the next character is D, then we make the transition from the current state by first checking whether the fourth bit from the left in the bitmap is set (we assume an alphabet where A=1, B=2, ..., Z=26). Finding that it is, we know that there is a valid transition at some offset from the next pointer. We then count all the set bits prior to bit four in the bitmap, find that there is only one of them, and therefore our offset from the next pointer is one. We add the size of one node to our next state pointer, jump to that data structure, which is the correct node for our D transition, and examine the next character in our packet. If, on the other hand, our next character were C, we would look in the bitmap and see that C is disabled. We would then follow the failure pointer and repeat the check with C on whatever node it points to.

Figure 5. Diagram of the bitmap data structure

We also construct the rule pointer, which points to the rule file that contains the string to be matched. This rule pointer is constructed from each final state of the state engine. The last pointer that we construct is the fail pointer. To construct the fail pointer we will use the pseudo code in Figure 6 below. The failure function is constructed from the next pointer function. Let us define the depth of a state s in the next pointer graph as the length of the shortest path from the start state to s. Thus in Figure 7, the start state is of depth 0, states 1 and 3 are of depth 1, states 2, 4, and 6 are of depth 2, and so on. We shall compute the failure function for all states of depth 1, then for all states of depth 2, and so on, until the failure function has been computed for all states (except state 0, for which the failure function is not defined).
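The bitmap node of Figures 4 and 5 together with the depth-by-depth failure function construction, as an added example that is not part of the proposal or its Snort implementation: Python code (the language is this example's choice) that builds the goto graph for {he, she, his, hers} in the state numbering of Figure 7, computes the failure and output functions breadth-first, then re-packs every state into a node holding one child pointer plus a 256-bit next_state_valid bitmap, resolving a transition by testing the bit and counting the set bits below it. Bits are indexed by byte value rather than by the A=1, B=2 alphabet used in the text, and pointer sizes in node_size_bytes are an assumption.

```python
# Aho-Corasick with bitmap-compressed states. Added example, not the
# proposal's own code; keyword set and sample texts are constructed.
from collections import deque


def build_goto(keywords):
    """Phase 1: goto function as a list of dicts, state 0 = root. Inserting
    he, she, his, hers in this order reproduces the numbering of Figure 7."""
    goto, output = [{}], [set()]
    for word in keywords:
        s = 0
        for ch in word:
            if ch not in goto[s]:
                goto.append({})
                output.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        output[s].add(word)
    return goto, output


def build_failure(goto, output):
    """Phase 2 (Figure 6): f(s) = 0 for depth-1 states, then breadth-first
    by depth; g(0, a) is 0 (never fail) for symbols with no edge from root."""
    fail = [0] * len(goto)
    queue = deque(goto[0].values())          # depth-1 states, f already 0
    while queue:
        r = queue.popleft()
        for ch, s in goto[r].items():
            queue.append(s)
            state = fail[r]
            while state != 0 and ch not in goto[state]:   # g(state, a) = fail
                state = fail[state]
            fail[s] = goto[state].get(ch, 0)
            output[s] |= output[fail[s]]     # merge outputs, e.g. f(5) = 2
    return fail


class BitmapState:
    """Figure 4: one next pointer to the contiguous block of children, a
    256-bit next_state_valid bitmap, a failure pointer and the rule list."""
    __slots__ = ("bitmap", "children", "failure", "rules")

    def __init__(self):
        self.bitmap = 0        # bit b set <=> a transition on byte b exists
        self.children = []     # children in ascending byte order (the bar)
        self.failure = None
        self.rules = set()


def compress(goto, output, fail):
    """Re-pack the full goto tables into bitmap nodes, one per state."""
    nodes = [BitmapState() for _ in goto]
    for s, edges in enumerate(goto):
        nodes[s].failure = nodes[fail[s]]
        nodes[s].rules = set(output[s])
        for ch, t in sorted(edges.items()):
            nodes[s].bitmap |= 1 << ord(ch)
            nodes[s].children.append(nodes[t])
    return nodes


def bitmap_next(node, ch):
    """Figure 5 lookup: test the bit for ch; if set, the number of set bits
    below it is the child's offset from the single next pointer."""
    b = ord(ch)
    if not (node.bitmap >> b) & 1:
        return None                      # caller follows the failure pointer
    offset = bin(node.bitmap & ((1 << b) - 1)).count("1")   # popcount
    return node.children[offset]


def search(root, text):
    """Scan text through the bitmap automaton; return (end_index, keyword)."""
    found, node = [], root
    for i, ch in enumerate(text):
        nxt = bitmap_next(node, ch)
        while nxt is None and node is not root:
            node = node.failure          # e.g. "shis": she-branch -> his-branch
            nxt = bitmap_next(node, ch)
        node = nxt if nxt is not None else root
        found.extend((i, kw) for kw in sorted(node.rules))
    return found


def build_matcher(keywords):
    goto, output = build_goto(keywords)
    fail = build_failure(goto, output)
    return compress(goto, output, fail), fail, output


def node_size_bytes(pointer_size=4):
    """Bytes per state: 256 next pointers + failure + rule pointer, versus
    the Figure 4 node (32-byte bitmap + next, failure and rule pointers).
    Assumes 4-byte pointers (a hypothetical target, not from the proposal)."""
    return (256 + 2) * pointer_size, 32 + 3 * pointer_size
```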
    begin
        queue ← empty
        for each a such that g(0, a) = s ≠ 0 do
            begin
                queue ← queue ∪ {s}
                f(s) ← 0
            end
        while queue ≠ empty do
            begin
                let r be the next state in queue
                queue ← queue - {r}
                for each a such that g(r, a) = s ≠ fail do
                    begin
                        queue ← queue ∪ {s}
                        state ← f(r)
                        while g(state, a) = fail do state ← f(state)
                        f(s) ← g(state, a)
                        output(s) ← output(s) ∪ output(f(s))
                    end
            end
    end

Figure 6. Failure function
Figure 7. Pattern matching machine for the set of keywords {he, she, his, hers}

The algorithm to compute the failure function f at a state is conceptually quite simple. We make f(s) = 0 for all states s of depth 1. Now suppose f has been computed for all states of depth less than d. The failure function for the states of depth d is computed from the failure function for the states of depth less than d. The states of depth d can be determined from the non-fail values of the next pointer function of the states of depth d - 1. Specifically, to compute the failure function for the states of depth d, we consider each state r of depth d - 1 and perform the following actions.

1. If g(r, a) = fail for all a, do nothing.
2. Otherwise, for each symbol a such that g(r, a) = s, do the following:
   (a) Set state = f(r).
   (b) Execute the statement state ← f(state) zero or more times, until a value for state is obtained such that g(state, a) ≠ fail. (Note that since g(0, a) ≠ fail for all a, such a state will always be found.)
   (c) Set f(s) = g(state, a).

For example, to compute the failure function from Figure 7, we would first set f(1) = f(3) = 0, since 1 and 3 are the states of depth 1. We then compute the failure function for 2, 6, and 4, the states of depth 2. To compute f(2), we set state = f(1) = 0; and since g(0, e) = 0, we find that f(2) = 0. To compute f(6), we set state = f(1) = 0; and since g(0, i) = 0, we find that f(6) = 0. To compute f(4), we set state = f(3) = 0; and since g(0, h) = 1, we find that f(4) = 1.

During the computation of the failure function we also update the output function. When we determine f(s) = s', we merge the outputs of state s with the outputs of state s'. For example, from Figure 7 we determine f(5) = 2. At this point we merge the output set of state 2, namely {he}, with the output set of state 5 to derive the new output set {he, she}.

4. Expected Results

With the implementation of the modified Aho-Corasick algorithm, the size of the rule set for the Snort sensor IDS is expected to decrease significantly. According to the preliminary results shown in the material, the memory should be reduced by a factor on the order of 20. This reduction will depend upon the rule set implemented. Our goal is to implement the Snort IDS with the Aho-Corasick algorithm as well as with the modified Aho-Corasick algorithm and to measure the memory changes with multiple rule set sizes. A plot of the number of rules against the size of the rule set for the modified and unmodified Aho-Corasick algorithm will be created. In addition to the graphic results, the speed of the modified algorithm will be tested and compared to the base Aho-Corasick algorithm. These results will be plotted against the size of the rule set and the amount of traffic processed by each algorithm.
5. Project Summary

The first task is the implementation of the modified Aho-Corasick algorithm in the Snort sensor software. After this programming is complete, the benchmarking of the software can begin. Ideally the results will show that the rule set can be reduced to a size small enough to implement on a network-based IDS. This requires the rule set to be very small: on the order of 1 MB, so that the rules can be stored in fast SRAM. Implementing the system on a generic system allows ease of implementation without having to rewrite the entire Snort package for a network processor. It also allows the Snort package to be tested very rigorously without worrying about SRAM vs. DRAM and without having to simulate multiple memory configurations; the goal is simply to test the changes to the Aho-Corasick algorithm. Implementing the Snort sensor on a generic processor also allows testing the speed of the algorithm in addition to its memory usage. This data will allow predictions of the amount of additional overhead that the bitmap calculations require. These results can further be used to make predictions about the feasibility of the approach, as well as to identify the areas of the Aho-Corasick algorithm that need further improvement.
6. References

[1] A. V. Aho and M. J. Corasick. Efficient string matching: An aid to bibliographic search.
[2] R. S. Boyer and J. S. Moore. A fast string searching algorithm.
[3] S. Dharmapurikar et al. Implementation of a Deep Packet Inspection Circuit using Parallel Bloom Filters in Reconfigurable Hardware.
[4] G. Varghese, T. Sherwood, N. Tuck and B. Calder. Deterministic Memory-Efficient String Matching Algorithms for Intrusion Detection.
[5] Class Notes.
IACSIT International Journal of Engineering and Technology, Vol. 8, No. 2, April 2016 A New Multiple-Pattern Matching Algorithm for the Network Intrusion Detection System Nguyen Le Dang, Dac-Nhuong Le,
More informationNetwork Traffic Anomaly-Detection Framework Using GPUs
San Jose State University SJSU ScholarWorks Master's Theses Master's Theses and Graduate Research Spring 2017 Network Traffic Anomaly-Detection Framework Using GPUs Meera Ramesh San Jose State University
More informationCOS 226 Algorithms and Data Structures Spring Second Written Exam
COS 226 Algorithms and Data Structures Spring 2018 Second Written Exam This exam has 7 questions (including question 0) worth a total of 80 points. You have 80 minutes. This exam is preprocessed by a computer,
More informationGrowth of the Internet Network capacity: A scarce resource Good Service
IP Route Lookups 1 Introduction Growth of the Internet Network capacity: A scarce resource Good Service Large-bandwidth links -> Readily handled (Fiber optic links) High router data throughput -> Readily
More informationTriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection
Dept. of Electrical and Computer Eng. : Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection N. Sertac Artan and Jonathan H. Chao 8 May 27 26th Annual IEEE Conference on Computer Communications
More informationAccelerating String Matching Using Multi-threaded Algorithm
Accelerating String Matching Using Multi-threaded Algorithm on GPU Cheng-Hung Lin*, Sheng-Yu Tsai**, Chen-Hsiung Liu**, Shih-Chieh Chang**, Jyuo-Min Shyu** *National Taiwan Normal University, Taiwan **National
More informationApplication of Boyer-Moore and Aho-Corasick Algorithm in Network Intrusion Detection System
Application of Boyer-Moore and Aho-Corasick Algorithm in Network Intrusion Detection System Kezia Suhendra / 135150631 Program Studi Teknik Informatika Sekolah Teknik Elektro dan Informatika Institut Teknologi
More informationHighly Compressed Aho-Corasick Automata For Efficient Intrusion Detection
Highly Compressed Aho-Corasick Automata For Efficient Intrusion Detection Xinyan Zha & Sartaj Sahni Computer and Information Science and Engineering University of Florida Gainesville, FL 32611 {xzha, sahni}@cise.ufl.edu
More informationGrAVity: A Massively Parallel Antivirus Engine
GrAVity: A Massively Parallel Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis Institute of Computer Science, Foundation for Research and Technology Hellas, N. Plastira 100, Vassilika Vouton,
More informationDesign of Deterministic Finite Automata using Pattern Matching Strategy
Design of Deterministic Finite Automata using Pattern Matching Strategy V. N. V Srinivasa Rao 1, Dr. M. S. S. Sai 2 Assistant Professor, 2 Professor, Department of Computer Science and Engineering KKR
More informationHardware Acceleration in Computer Networks. Jan Kořenek Conference IT4Innovations, Ostrava
Hardware Acceleration in Computer Networks Outline Motivation for hardware acceleration Longest prefix matching using FPGA Hardware acceleration of time critical operations Framework and applications Contracted
More informationDeep Packet Inspection of Next Generation Network Devices
Deep Packet Inspection of Next Generation Network Devices Prof. Anat Bremler-Barr IDC Herzliya, Israel www.deepness-lab.org This work was supported by European Research Council (ERC) Starting Grant no.
More informationExclusion-based Signature Matching for Intrusion Detection
Exclusion-based Signature Matching for Intrusion Detection Evangelos P. Markatos, Spyros Antonatos, Michalis Polychronakis, Kostas G. Anagnostakis Institute of Computer Science (ICS) Foundation for Research
More informationMemory Efficient String Matching Algorithm for Network Intrusion Management System *
TSINGHUA SCIENCE AND TECHNOLOGY ISSN 1007-0214 13/19 pp585-593 Volume 12, Number 5, October 2007 Memory Efficient String Matching Algorithm for Network Intrusion Management System * YU Jianming ( 余建明 )
More informationA Survey on using String Matching Algorithms for Network Security
A Survey on using String Matching Algorithms for Network Security Sudheer Chelluboina In this paper, we make a survey of String Matching Algorithms for network security. It gives the summary of String
More informationData Structures and Algorithms Dr. Naveen Garg Department of Computer Science and Engineering Indian Institute of Technology, Delhi.
Data Structures and Algorithms Dr. Naveen Garg Department of Computer Science and Engineering Indian Institute of Technology, Delhi Lecture 18 Tries Today we are going to be talking about another data
More informationOverview. Implementing Gigabit Routers with NetFPGA. Basic Architectural Components of an IP Router. Per-packet processing in an IP Router
Overview Implementing Gigabit Routers with NetFPGA Prof. Sasu Tarkoma The NetFPGA is a low-cost platform for teaching networking hardware and router design, and a tool for networking researchers. The NetFPGA
More informationString Matching Algorithms
String Matching Algorithms Georgy Gimel farb (with basic contributions from M. J. Dinneen, Wikipedia, and web materials by Ch. Charras and Thierry Lecroq, Russ Cox, David Eppstein, etc.) COMPSCI 369 Computational
More informationDynamic Pipelining: Making IP- Lookup Truly Scalable
Dynamic Pipelining: Making IP- Lookup Truly Scalable Jahangir Hasan T. N. Vijaykumar School of Electrical and Computer Engineering, Purdue University SIGCOMM 05 Rung-Bo-Su 10/26/05 1 0.Abstract IP-lookup
More informationString Algorithms. CITS3001 Algorithms, Agents and Artificial Intelligence. 2017, Semester 2. CLRS Chapter 32
String Algorithms CITS3001 Algorithms, Agents and Artificial Intelligence Tim French School of Computer Science and Software Engineering The University of Western Australia CLRS Chapter 32 2017, Semester
More informationMapping Internet Sensors with Probe Response Attacks
Mapping Internet Sensors with Probe Response Attacks Computer Sciences Department University of Wisconsin, Madison Introduction Outline Background Example Attack Introduction to the Attack Basic Probe
More informationPERG-Rx: An FPGA-based Pattern-Matching Engine with Limited Regular Expression Support for Large Pattern Database. Johnny Ho
PERG-Rx: An FPGA-based Pattern-Matching Engine with Limited Regular Expression Support for Large Pattern Database Johnny Ho Supervisor: Guy Lemieux Date: September 11, 2009 University of British Columbia
More informationNetDefend Firewall UTM Services
NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860/1660/2560/2560G) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content
More information소프트웨어기반고성능침입탐지시스템설계및구현
소프트웨어기반고성능침입탐지시스템설계및구현 KyoungSoo Park Department of Electrical Engineering, KAIST M. Asim Jamshed *, Jihyung Lee*, Sangwoo Moon*, Insu Yun *, Deokjin Kim, Sungryoul Lee, Yung Yi* Department of Electrical
More informationCS 5520/ECE 5590NA: Network Architecture I Spring Lecture 13: UDP and TCP
CS 5520/ECE 5590NA: Network Architecture I Spring 2008 Lecture 13: UDP and TCP Most recent lectures discussed mechanisms to make better use of the IP address space, Internet control messages, and layering
More informationOverview Intrusion Detection Systems and Practices
Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy
More informationImplementation of Pattern Matching Algorithm on Antivirus for Detecting Virus Signature
Implementation of Pattern Matching Algorithm on Antivirus for Detecting Virus Signature Yodi Pramudito (13511095) Program Studi Teknik Informatika Sekolah Teknik Elektro dan Informatika Institut Teknologi
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based
More informationSpace-Time Tradeoffs in Software-Based Deep Packet Inspection
Space-Time Tradeoffs in Software-ased eep Packet Inspection nat remler-arr I Herzliya, Israel Yotam Harchol avid Hay Hebrew University, Israel. OWSP Israel 2011 (Was also presented in I HPSR 2011) Parts
More informationCS419: Computer Networks. Lecture 6: March 7, 2005 Fast Address Lookup:
: Computer Networks Lecture 6: March 7, 2005 Fast Address Lookup: Forwarding/Routing Revisited Best-match Longest-prefix forwarding table lookup We looked at the semantics of bestmatch longest-prefix address
More informationLecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse?
More informationManaging SonicWall Gateway Anti Virus Service
Managing SonicWall Gateway Anti Virus Service SonicWall Gateway Anti-Virus (GAV) delivers real-time virus protection directly on the SonicWall security appliance by using SonicWall s IPS-Deep Packet Inspection
More informationTowards High-performance Flow-level level Packet Processing on Multi-core Network Processors
Towards High-performance Flow-level level Packet Processing on Multi-core Network Processors Yaxuan Qi (presenter), Bo Xu, Fei He, Baohua Yang, Jianming Yu and Jun Li ANCS 2007, Orlando, USA Outline Introduction
More informationSmall Subset Queries and Bloom Filters Using Ternary Associative Memories, with Applications
Small Subset Queries and Bloom Filters Using Ternary Associative Memories, with Applications Ashish Goel Stanford University Stanford, California ashishg@stanford.edu Pankaj Gupta Twitter, Inc. San Francisco,
More informationintelop Stealth IPS false Positive
There is a wide variety of network traffic. Servers can be using different operating systems, an FTP server application used in the demilitarized zone (DMZ) can be different from the one used in the corporate
More informationSchool of Engineering and Mathematical Sciences. Packet Pattern Matching for Intrusion Detection
School of Engineering and Mathematical Sciences Packet Pattern Matching for Intrusion Detection by Alireza Shams Project for the Degree of MSc In Telecommunications and Networks Supervisor: Prof Tom Chen
More informationRule Hashing for Efficient Packet Classification in Network Intrusion Detection
Rule Hashing for Efficient Packet Classification in Network Intrusion Detection Atsushi Yoshioka, Shariful Hasan Shaikot, and Min Sik Kim School of Electrical Engineering and Computer Science Washington
More informationSuffix trees and applications. String Algorithms
Suffix trees and applications String Algorithms Tries a trie is a data structure for storing and retrieval of strings. Tries a trie is a data structure for storing and retrieval of strings. x 1 = a b x
More informationLast Lecture: Network Layer
Last Lecture: Network Layer 1. Design goals and issues 2. Basic Routing Algorithms & Protocols 3. Addressing, Fragmentation and reassembly 4. Internet Routing Protocols and Inter-networking 5. Router design
More informationAlgorithms and Data Structures
Algorithms and Data Structures Charles A. Wuethrich Bauhaus-University Weimar - CogVis/MMC May 11, 2017 Algorithms and Data Structures String searching algorithm 1/29 String searching algorithm Introduction
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationSORTING. Practical applications in computing require things to be in order. To consider: Runtime. Memory Space. Stability. In-place algorithms???
SORTING + STRING COMP 321 McGill University These slides are mainly compiled from the following resources. - Professor Jaehyun Park slides CS 97SI - Top-coder tutorials. - Programming Challenges book.
More informationEfficient Packet Pattern Matching for Gigabit Network Intrusion Detection using GPUs
2012 IEEE 14th International Conference on High Performance Computing and Communications Efficient Packet Pattern Matching for Gigabit Network Intrusion Detection using GPUs Che-Lun Hung Dept. of Computer
More informationA Performance Evaluation of the Preprocessing Phase of Multiple Keyword Matching Algorithms
A Performance Evaluation of the Preprocessing Phase of Multiple Keyword Matching Algorithms Charalampos S. Kouzinopoulos and Konstantinos G. Margaritis Parallel and Distributed Processing Laboratory Department
More informationDifferent attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT
Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT environment (e.g., Windows vs Linux) Levels of abstraction
More informationStatistical based Approach for Packet Classification
Statistical based Approach for Packet Classification Dr. Mrudul Dixit 1, Ankita Sanjay Moholkar 2, Sagarika Satish Limaye 2, Devashree Chandrashekhar Limaye 2 Cummins College of engineering for women,
More information* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).
Contents Introduction Prerequisites Requirements Components Used Background Information Configuration Step 1. Configure Intrusion Policy Step 1.1. Create Intrusion Policy Step 1.2. Modify Intrusion Policy
More informationConfiguring Anomaly Detection
CHAPTER 12 This chapter describes how to create multiple security policies and apply them to individual virtual sensors. It contains the following sections: Understanding Policies, page 12-1 Anomaly Detection
More informationIDS: Signature Detection
IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions
More informationBasic Concepts in Intrusion Detection
Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification
More information