Sampling techniques to accelerate pattern matching in network intrusion detection systems
This presentation is the property of its rightful owner.
Sponsored Links
1 / 14

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on
  • Presentation posted in: General

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems. Author: Domenico Ficara, Gianni Antichi, Andrea Di Pietro, Stefano Giordano, Gregorio Procissi, Fabio Vitucci Publisher: 2010 IEEE International Conference on Communications

Download Presentation

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Sampling techniques to accelerate pattern matching in network intrusion detection systems

Sampling Techniques to Accelerate PatternMatching in Network Intrusion Detection Systems

Author:Domenico Ficara, Gianni Antichi, Andrea Di Pietro,

Stefano Giordano, Gregorio Procissi, Fabio Vitucci

Publisher:2010 IEEE International Conference on Communications

(ICC)

Presenter:Wen-Tse Liang

Date:2011/5/4


Outline

Outline

  • Introduction

  • Sampling DFAS

  • REGEX SAMPLING RULES

    • Regex rewriting

  • DOUBLE STAGE SCHEME

    • First stage: Sampled DFA

    • Second stage: Reverse DFA

  • EXPERIMENTAL RESULTS


Introduction

Introduction

The previous works proposing acceleration techniques rely on multiplying the amount of bytes (strides) processed per cycle, with the obvious problem of memory blow-up (due to the exponential growth of edge numbers with the stride size).


Introduction1

Introduction

Our approach to the finite automata speed up is completely innovative: sampling the text, thus having less symbols to process.

Clearly, sampling introduces some issues and a certain probability of false alarms is introduced. We address these issues by using together a “sampled” DFA and a “reverse” DFA


Sampling dfas

Sampling DFAS

Our idea is to speed up the process by “sampling” the traffic stream:

we extract a byte every θbytes from the stream, where θis the sampling period.

The sampled bytes are then used as input to a proper sampled DFA. The outcome is that all regular traffic is processed θtimes faster.


A motivating example

A Motivating Example

Example: the regex ab.∗cd is sampled (with θ= 2) to [ab].∗[cd] and matched against a text of 16 bytes.


Regex sampling rules

REGEX SAMPLING RULES

Lemma 1:

Let DFA A describe a single regular expression R and let a text T match R.

The corresponding sampled DFA AS will match the sampled text SθT if the sampling period θsatisfies the following condition:


Regex sampling rules1

REGEX SAMPLING RULES

Regex rewriting

simple string str

concatenation of regular expressions a and b: ab

union of regular expressions a and b: a|b

the case of a star closure of a character a followed by a regex


Regex sampling rules2

REGEX SAMPLING RULES

an example helps better understand the rules:

let us sample . ∗ abcde ∗ fgh with period θ= 2.

By applying the rules, it follows that:

S2[.*ab.*cd] = .*(a|b).*(c|d)

S2[.*abcde*fgh ] = .*(ac|bd)e*(fh|g)

S3[.*abcde*fgh ] = .*(ad|b|c)e*(f|g|h)


Double stage scheme

DOUBLE STAGE SCHEME

First stage: Sampled DFA

By sampling all the regexes belonging to the set, we obtain the “sampled” rules on which the “sampled DFA” has to be built.

Such a resulting automaton is a simple DFA and does not require additional information on the states or on the transitions.


Double stage scheme1

DOUBLE STAGE SCHEME

Second stage: Reverse DFA

we propose a novel scheme with a reverse DFA. This requires a slightly larger amount of off-line processing: all the regexes have to be independently reversed and a new DFA has to be built according to such new rules.

More precisely, to take into account all the characters belonging to the string, the correct starting point for the reverse DFA is the (k+1)-th sampled char in the text:

This way we process some useless characters (less than θ), but the correctness of the detection in ensured.


Double stage scheme2

DOUBLE STAGE SCHEME

Algorithm 1 Pseudo-code for the lookup procedure.


Experimental results

EXPERIMENTAL RESULTS


  • Login