New Pattern Matching Algorithms for Network Security Applications by Liu Yang

Slide Note
Embed
Share

Discusses new pattern matching algorithms for network security applications, focusing on intrusion detection systems (IDS) and the use of signatures and regular expressions to detect malicious patterns in network traffic. Explores the ideal and reality of pattern matching, time-space tradeoffs, and different types of patterns in the context of network security. Provides an overview of Liu Yang's thesis, which includes regular expressions, NFA-OBDD, submatch extraction, back references, and more.

zahr_450
zahr_450 Follow

Uploaded on Sep 23, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. New Pattern Matching Algorithms for Network Security Applications Liu Yang Department of Computer Science Rutgers University Liu Yang April 4th, 2013

  2. Intrusion Detection Systems (IDS) Intrusion detection Host-based Network-based Anomaly-based (statistics ) Signature-based (using patterns to describe malicious traffic) Example signature1: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS ; pcre: /username=[^&\x3b\r\n]{255}/si ; This is an example signature from Snort, an network-based intrusion detection system (NIDS) 2 Liu Yang

  3. Network-based Intrusion Detection Systems Pattern matching: detecting malicious traffic = { /.*evil.*/} patterns Network traffic NIDS ..evil.. innocent Alerts Network intrusion detection systems (NIDS) employ regular expressions to represent attack signatures. 3 Liu Yang

  4. Ideal of Pattern Matching Time efficient fast to keep up with network speed, e.g., Gbps Space efficient compact to fit into main memory 4 Liu Yang

  5. The Reality: Time-space Tradeoff Deterministic Finite Automata (DFAs) Fast in operation Consuming large space Nondeterministic Finite Automata (NFAs) Space efficient Slow in operation Recursive backtracking (implemented by PCRE, Java, etc) Fast in general Extremely slow for certain types of patterns 5 Liu Yang

  6. The Reality: Time-space Tradeoff Backtracking (under algorithmic complexity attacks) NFA (non-deterministic finite automaton) Time My contribution Backtracking (with benign patterns) DFA (deterministic finite automaton) Ideal Space 6 Liu Yang

  7. Overview of My Thesis Three types of patterns Regular expressions .*<embed[^>]*javascript ^file\x3a\x2f\x2f[^\n]{400} NFA-OBDD [RAID 10, COMNET 11] Regular expressions +submatch extraction Submatch-OBDD [ANCS 12] .*? address (\d+\.\d+\.\d+\.\d+), resolved by (\d+\.\d+\.\d+\.\d+) .*(NLSessionS[^=\s]*)\s*=\s*\x3 B.*\1\s*=[^\s\x3B] Regular expressions +back references NFA-backref [to submit] 7 Liu Yang

  8. Main Contribution Algorithms for time and space efficient pattern matching NFA-OBDD space efficient (60MB memory for 1500+ patterns) 1000x faster than NFAs Submatch-OBDD: space efficient 10x faster than PCRE and Google s RE2 NFA-backref: space efficient resisting known algorithmic attacks (1000x faster than PCRE for certain types of patterns) 8 Liu Yang

  9. Part I: NFA-OBDD: A Time and Space Efficient Data Structure for Regular Expression Matching Joint work with R. Karim, V. Ganapathy, and R. Smith [RAID 10, COMNET 11] 9 Liu Yang

  10. Finite Automata Regular expressions and finite automata are equally expressive Regular expressions NFAs DFAs 10 Liu Yang

  11. Why not DFA? Combining DFAs: Multiplicative increase in number of states .*ab.*cd .*ef.*gh Picture courtesy : [Smith et al. Oakland 08] .*ab.*cd | .*ef.*gh 11 Liu Yang

  12. Why not DFA? (cont.) State explosion may happen NFA Pattern: .*1[0|1] {3} DFA State explosion n O(2^n) The value of quantifier n is up to 255 in Snort 12 Liu Yang

  13. Pattern Set Grows Fast 30000 25000 20000 15000 10000 5000 0 2005 2006 2007 2008 2009 2010 2011 2012 Snort rule set grows 7x in 8 years 13 Liu Yang

  14. Space-efficiency of NFAs Combining NFAs: Additive increase in number of states M N .*ab.*cd .*ef.*gh .*ab.*cd | .*ef.*gh 14 Liu Yang

  15. NFAs are Slow NFA frontiers1 may contain multiple states Frontier update may require multiple transition table lookups 1. A frontier set is a set of states where NFA can be at any instant. 15 Liu Yang

  16. NFAs of Regular Expressions Example: regex= a*aa a a a 1 2 3 Current state (x) 1 1 2 Input symbol (i) a a a Next state (y) 1 2 3 Transition table T(x,i,y) 16 Liu Yang

  17. NFA Frontier Update: Multiple Lookups regex= a*aa ; input= aaaa 1 2 3 Accept aaaa aaaa aaaa aaaa Frontier {1} {1,2} {1,2,3} {1,2,3} {1,2,3} 17 Liu Yang

  18. Can We Make NFAs Faster? regex= a*aa ; input= aaaa 1 2 3 Accept aaaa aaaa aaaa aaaa Frontier {1} {1,2} {1,2,3} {1,2,3} {1,2,3} Idea: Update frontiers in ONE step 18 Liu Yang

  19. NFA-OBDD: Main Idea Represent and operate NFA frontiers symbolically using Boolean functions Update the frontiers in ONE step: using a single Boolean formula Use ordered binary decision diagrams (OBDDs) to represent and operate Boolean formula 19 Liu Yang

  20. Transitions as Boolean Functions regex= a*aa Current state (x) 1 1 2 Input symbol (i) a a a Next state (y) 1 2 3 (1 a 1) V (1 a 2) V (2 a 3) T(x,i,y) = 20 Liu Yang

  21. Match Test using Boolean Functions (1 a 1 ) V (1 a 2 ) aaaa {1} a T(x,i,y) Input symbol Start states Transition relation Next states aaaa (1 a 1) V (1 a 2) V (2 a 3) {1,2} a T(x,i,y) Current states aaaa (1 a 1) V (1 a 2) V (2 a 3) {1,2,3} a T(x,i,y) Accept 21 Liu Yang

  22. NFA Operations using Boolean Functions Frontier derivation: finding new frontiers after processing one input symbol: Next frontiers = Checking acceptance: ( ( ) Map InputSymbo l i , y x x i ( ) Frontier x ( , , i x )) TransFunct ion y ( ( ) ( )) SAT SetOfAccep tStates x Frontier x 22 Liu Yang

  23. Ordered Binary Decision Diagram (OBDD) [Bryant 1986] OBDDs: Compact representation of Boolean functions x1 0 0 1 x2 1 1 0 x3 1 1 1 x4 0 1 1 x5 1 0 1 x6 1 0 0 F(x) 1 1 1 = ( ) ( ) F x x x x x x x 1 2 x 3 x 4 x 5 x 6 x ( ) x 1 2 3 4 5 6 ( ) x x x x x x 1 2 3 4 5 6 23 Liu Yang

  24. Experimental Toolchain C++ and CUDD package for OBDDs 24 Liu Yang

  25. Regular Expression Sets Snort HTTP signature set 1503 regular expressions from March 2007 2612 regular expressions from October 2009 Snort FTP signature set 98 regular expressions from October 2009 Extracted regular expressions from pcre and uricontent fields of signatures 25 Liu Yang

  26. Traffic Traces HTTP traces Rutgers datasets 33 traces, size ranges: 5.1MB 1.24 GB One week period in Aug 2009 from Web server of the CS department at Rutgers DARPA 1999 datasets (11.7GB) FTP traces 2 FTP traces Size: 19.4MB, 24.7 MB Two weeks period in March 2010 from FTP server of the CS department at Rutgers 26 Liu Yang

  27. Experimental Results For 1503 regexes from HTTP Signatures 10x 1645x 9-26x 27 Liu Yang *Intel Core2 Duo E7500, 2.93GHz; Linux-2.6; 2GB RAM*

  28. Summary NFA-OBDD is time and space efficient Outperforms NFAs by three orders of magnitude, retaining space efficiency of NFAs Outperforms or competitive with the PCRE package Competitive with variants of DFAs but drastically less memory-intensive 28 Liu Yang

  29. Part II: Extension of NFA-OBDD to Model Submatch Extraction [ANCS 12] Joint work with P. Manadhata, W. Horne, P. Rao, and V. Ganapathy 29 Liu Yang

  30. Submatch Extraction Extract information of interest when finding a match host address 128.6.60.45 resolved by 128.6.1.1 Submatch extraction .*? address (\d+\.\d+\.\d+\.\d+), resolved by (\d+\.\d+\.\d+\.\d+) $1 = 128.6.60.45 $2 = 128.6.1.1 30 Liu Yang

  31. Submatch Tagging: Tagged NFAs E = (a*)aa Tag(E) = (a*)t aa 1 Tagged NFA of (a*)aa with submatch tagging t1 a/t1 a a 1 2 3 Current state (x) 1 1 2 Input symbol (i) Next state (y) a a a Output tags (t) {t1} {} {} 1 2 3 Transition table T(x,i,y,t) of the tagged NFA 31 Liu Yang

  32. Match Test RE= (a*)aa ; Input = aaaa {t1} {t1} {t1} {t1} 1 2 3 Accept aaaa aaaa aaaa aaaa Frontier {1} {1,2} {1,2,3} {1,2,3} {1,2,3} 32 Liu Yang

  33. Submatch Extraction {t1} {t1} {t1} {t1} 1 2 3 accept aaaa aaaa aaaa aaaa $1=aa Frontier {1} {1,2} {1,2,3} {1,2,3} {1,2,3} Any path from an accept state to a start state generates a valid assignment of submatches. 33 Liu Yang

  34. Submatch-OBDD Representing tagged NFAs using Boolean functions Updating frontiers using Boolean formula Finding a submatch path using Boolean operations Using OBDDs to manipulate Boolean functions 34 Liu Yang

  35. Boolean Representation of Submatch Extraction A back traversal approach: starting from the last input symbol. = OneRrevers eTransitio n ( ( ) PickOne CurrentSta te y ( ) InputSymbo l i ( , , OneRrevers , )) IntermTran = sitions x i y t ( ( )) previousSt ate = Map eTransitio n , , x y i y t ( ) OutputTag Submatch extraction: the last consecutive sequence of symbols that are assigned with same tags OneRrevers eTransitio n , , i x y 35 Liu Yang

  36. Overview of Toolchain Toolchain in C++, interfacing with the CUDD* input stream Tagged NFAs OBDDs regexes with capturing groups pattern matching re2tnfa tnfa2obdd rejected matched submatches $1 = 36 Liu Yang

  37. Experimental Datasets Snort-2009 Patterns: 115 regexes with capturing groups from HTTP rules Traces: 1.2GB CS department network traffic; 1.3GB Twitter traffic; 1MB synthetic trace Snort-2012 Patterns: 403 regexes with capturing groups from HTTP rules Traces: 1.2GB CS department network traffic; 1.3GB Twitter traffic; 1MB synthetic trace Firewall-504 Patterns: 504 patterns from a commercial firewall F Trace: 87MB of firewall logs (average line size 87 bytes) 37 Liu Yang

  38. Experimental Setup Platform: Intel Core2 Duo E7500, Linux-2.6.3, 2GB RAM Two configurations on pattern matching Conf.S patterns compiled individually compiled pattern matched sequentially against input traces Conf.C patterns combined with UNION and compiled combined pattern matched against input traces 38 Liu Yang

  39. Experimental Results: Snort-2009 Submatch-OBDD is one order of magnitude faster than RE2 and PCRE 10000000 execution time (cycle/byte) 1000000 100000 10x 10000 1000 100 10 1 Conf.S Conf.C RE2 PCRE Submatch-OBDD Execution time (cycle/byte) of different implementations Memory consumption: RE2 (7.3MB), PCRE (1.2MB), Submatch-OBDD (9.4MB) 39 Liu Yang

  40. Summary Submatch-OBDD: an extension of NFA-OBDD to model submatch extraction Feasibility study Submatch-OBDD is one order of magnitude faster than PCRE and Google s RE2 when patterns are combined 40 Liu Yang

  41. PART III: Efficient Matching of Patterns with Back References Joint work with V. Ganapathy and P. Manadhata 41 Liu Yang

  42. Regexes Extended with Back References Identifying repeated substrings within a string Non-regular languages Example: sense sensibility response responsibility sense responsibility response sensibility (sens|respons)e \1ibility Note: \1 denotes referencing the substring captured by the first capturing group An example from Snort rule set: /.*javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}/sim 42 Liu Yang

  43. Existing Approach Recursive backtracking (PCRE, etc.) Fast in general Can be extremely slow for certain patterns (algorithmic complexity attacks) 0.14 Throughput (MB/sec) 0.12 0.1 PCRE fails to return correct results when n >= 25 0.08 0.06 0.04 Nearly zero throughput 0.02 0 5 10 15 n 20 25 30 Throughput of PCRE when matching (a?{n})a{n}\1 with an 43 Liu Yang

  44. My Approach: Relax + Constraint Converting back-refs to conditional submatch extraction constraint Example: (a*)aa\1 (a*)aa(a*), s.t. $1=$2 $1 denotes a substring captured by the 1st capturing group, and $2 denotes a substring captured by the 2nd capturing group 44 Liu Yang

  45. Representing Back-refs with Tagged NFAs Example: (a*)aa(a*), s.t. $1=$2 a/t1 a/t2 a a 1 2 3 The tagged NFA constructed from (a*)aa(a*). Labels t1 and t2 are used to tag transitions within the 1st and 2nd capturing groups. The acceptance condition is state 3 and $1 = $2. 45 Liu Yang

  46. Transitions of Tagged NFAs Example (cont.): Current state (x) 1 1 2 3 Input symbol (i) Next state (y) a a a a Action New(t1) or update(t1) Carry-over(t1) Carry-over(t1) New(t2) or Update(t2) 1 2 3 3 New(): create a new captured substring Update(): update a captured substring Carry-over(): copy around the substrings captured from state to state 46 Liu Yang

  47. Match Test Frontier set {(state#, substr1, substr2, )} Frontier derivation table lookup + action Acceptance condition exist (s, substr1, substr2, ), s.t. s is an accept state and substr1=substr2 47 Liu Yang

  48. Implementations Two implementations NFA-backref: an NFA-like C++ implementation OBDD-backref: OBDD representation of NFA-backref input stream patterns with back-refs tagged NFAs with constraint match test re2tnfa matched or not 48 Liu Yang

  49. Experimental Datasets Patho-01 regexes: (a?{n})a{n}\1 input strings: an (n from 5 to 30, 100% accept rate) Patho-02 10 pathological regexes from Snort-2009 synthetic input strings (0% accept rate) Benign-03 46 regexes with one back-ref from Snort-2012 Synthetic input strings (50% accept rate) 49 Liu Yang

  50. Experimental Results: Patho-02 NFA-back-ref is >= 3 orders of magnitude faster than PCRE 10000000 Exec-time (cycle/byte) 1000000 100000 10000 1000 100 10 1 1 2 3 4 5 6 7 8 9 10 regex # PCRE OBDD-backref NFA-backref Execution time (cycle/byte) of different implementations for 10 regexes revised from Snort-2009 *Intel Core2 Duo E7500, 2.93GHz; Linux-2.6; 2GB RAM* 50 Liu Yang

Related


Near-Optimal Quantum Algorithms for String Problems - Summary and Insights

Near-Optimal Quantum Algorithms for String Problems - Summary and Insights

lark
SPC Algorithm: Shift-based Pattern Matching for Compressed Web Traffic

SPC Algorithm: Shift-based Pattern Matching for Compressed Web Traffic

shad_24
Coverage Semantics for Dependent Pattern Matching

Coverage Semantics for Dependent Pattern Matching

ivory
Understanding the State Design Pattern in Software Development

Understanding the State Design Pattern in Software Development

agar_mir
5G Use Case Proposal for Dublin Ericsson

5G Use Case Proposal for Dublin Ericsson

raina
Combining Graph Algorithms with Data Structures and Algorithms in CSE 373 by Kasey Champion

Combining Graph Algorithms with Data Structures and Algorithms in CSE 373 by Kasey Champion

maliyah
Understanding Randomized Algorithms: A Deep Dive into Las Vegas and Monte Carlo Algorithms

Understanding Randomized Algorithms: A Deep Dive into Las Vegas and Monte Carlo Algorithms

nieve
Mathematical Analysis of Algorithms in CMPE371 - Fall 2023-2024

Mathematical Analysis of Algorithms in CMPE371 - Fall 2023-2024

crandall_m
Exploring the Role of Algorithms in Game Design

Exploring the Role of Algorithms in Game Design

tjer
Intelligent Information Retrieval: Models, Ranking, and Algorithms

Intelligent Information Retrieval: Models, Ranking, and Algorithms

layl_2
Evolutionary Computation and Genetic Algorithms Overview

Evolutionary Computation and Genetic Algorithms Overview

raffaele_n
Understanding Snort: An Open-Source Network Intrusion Detection System

Understanding Snort: An Open-Source Network Intrusion Detection System

farah
Near-Optimal Quantum Algorithms for String Problems

Near-Optimal Quantum Algorithms for String Problems

zahava
Understanding Security Onion: Network Security Monitoring Tools

Understanding Security Onion: Network Security Monitoring Tools

sadhbh
Understanding Approximation Algorithms: Types, Terminology, and Performance Ratios

Understanding Approximation Algorithms: Types, Terminology, and Performance Ratios

leander
Enhancing Matching Gift Strategies for Nonprofits

Enhancing Matching Gift Strategies for Nonprofits

loyd_ora
Understanding Algorithms and Programming Fundamentals

Understanding Algorithms and Programming Fundamentals

dorothy
Understanding Algorithms and Programming: A Visual Introduction

Understanding Algorithms and Programming: A Visual Introduction

glara
Distributed Algorithms for Leader Election in Anonymous Systems

Distributed Algorithms for Leader Election in Anonymous Systems

gude_za
Pseudodeterministic Algorithms and Their Application in Search Problems

Pseudodeterministic Algorithms and Their Application in Search Problems

jeen497
Understanding STL Algorithms: A Practical Guide

Understanding STL Algorithms: A Practical Guide

mal_s
BCA 601(N): Computer Network Security

BCA 601(N): Computer Network Security

danna
Methods of Pattern Making in Fashion Design

Methods of Pattern Making in Fashion Design

dah_543
Understanding Sentence Patterns for Effective Writing

Understanding Sentence Patterns for Effective Writing

narc_858

More Related Content

Understanding Façade Design Pattern in Structural Design Patterns
Understanding Façade Design Pattern in Structural Design Patterns
Understanding Template Method Design Pattern in Software Design
Understanding Template Method Design Pattern in Software Design
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
Network Routing Algorithms and Protocols Overview
Network Routing Algorithms and Protocols Overview
Meridian: An SDN Platform for Cloud Network Services
Meridian: An SDN Platform for Cloud Network Services
NLDB 2020 Pattern Learning for Detecting Defect Reports and Improvement Requests
NLDB 2020 Pattern Learning for Detecting Defect Reports and Improvement Requests
Trust-Based Anonymous Communication Models and Routing Algorithms
Trust-Based Anonymous Communication Models and Routing Algorithms
Understanding Networking Principles and Routing Algorithms in Distributed Systems
Understanding Networking Principles and Routing Algorithms in Distributed Systems
Enhancing Network Security with Software-Defined Snort and OpenFlow
Enhancing Network Security with Software-Defined Snort and OpenFlow
Understanding Security Goals and Cryptographic Algorithms
Understanding Security Goals and Cryptographic Algorithms
Apache MINA: High-performance Network Applications Framework
Apache MINA: High-performance Network Applications Framework
Understanding Randomized Algorithms: Types and Examples
Understanding Randomized Algorithms: Types and Examples
Real-Time Data-Driven Network Security Workshop by Joe St. Sauver
Real-Time Data-Driven Network Security Workshop by Joe St. Sauver
IPv6 Security and Threats Workshop Summary
IPv6 Security and Threats Workshop Summary
Network Slicing with OAI 5G CN Workshop Overview
Network Slicing with OAI 5G CN Workshop Overview
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
MI8 Line to RR Lattice Measurement and Matching Study
MI8 Line to RR Lattice Measurement and Matching Study
Understanding TCP Congestion Control in Operating Systems
Understanding TCP Congestion Control in Operating Systems
Primal-Dual Algorithms for Node-Weighted Network Design in Planar Graphs
Primal-Dual Algorithms for Node-Weighted Network Design in Planar Graphs
Understanding Machine Learning and Algorithms in Digital Citizenship
Understanding Machine Learning and Algorithms in Digital Citizenship
Transportation Network Modeling and Analysis with C.Coupled SE Platform
Transportation Network Modeling and Analysis with C.Coupled SE Platform
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding the Composite Design Pattern in Object-Oriented Programming
Understanding the Composite Design Pattern in Object-Oriented Programming
Progress of Network Architecture Work in FG IMT-2020
Progress of Network Architecture Work in FG IMT-2020