Automated Parser Generation for High-Speed NIDS


Hongyu Gao

Clint Sbisa


Motivation

  • Processing speed is a crucial concern for NIDS/NIPS

  • Limited by rate of parsing packets

  • Inefficient parsing leads to slow speeds and bottlenecks


Current Solutions

  • Binpac

    • Declarative language and compiler

    • Designed to simplify task of constructing complex protocol parsers

    • Constructs a full parsing tree



  • Netshield

    • Integrates a high-speed protocol parser to provide fast parsing

    • Parsers are written manually, which is tedious and error-prone


Proposed Solution

  • A protocol parser generator

  • Read the protocol specification

  • Output the parser for the specific protocol

  • The parser is aware of matching

  • The parser focuses on the fields needed by matching and skips unnecessary fields


Proposed Solutions


Design Principles

  • The parsing process should avoid recursive calls

    • Parse trees are not used in parsing phase

  • Skip unneeded information

    • After parsing one field, the parser should be able to quickly jump to the next necessary field


Detailed design

  • The parser consists of three parts

    • A pair of buffer pointers

    • A field table (key data structure)

    • A table pointer


Detailed design on field table


Detailed Design on Parser


Implementation

  • Basic approach:

    • Fixed driver

    • Fixed data structure

    • Protocol-specific table content


Related files


How to realize the system

  • Determine the size of field table

    • Start with one root node in protocol parse tree

    • Iteratively substitute complex field with multiple simpler fields

  • Determine the FieldLength function

    • Retrieve the information from the Type class

    • Type::attr_length_expr_,

    • Type::attr_oneline_,

    • etc.


  • Determine the GarbageLength function

    • Before compression, GarbageLength returns “0” for every field

  • Compress the table

    • Look ahead at the following fields

    • Merge the lengths of unused fields into the garbage length of the field that precedes them
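
The table compression and the fixed, non-recursive driver described above, as an added sketch in C. This is not the generated code shown in the slides: the struct, the function names, and the sample table and packet are assumptions constructed for illustration, and every field is fixed-length so FieldLength and GarbageLength reduce to table constants.

```c
#include <stddef.h>
#include <stdint.h>
/* One field-table row; struct and member names are assumptions. */
typedef struct {
    size_t length;   /* FieldLength result (fixed-length fields only) */
    size_t garbage;  /* GarbageLength result: bytes skipped after the field */
    int    needed;   /* nonzero if the matching engine reads the field */
} Field;
/* Constructed sample: type(1) flags(2) seq(4) port(2) pad(1); type, port needed. */
static const Field SAMPLE_TABLE[5] = {{1,0,1}, {2,0,0}, {4,0,0}, {2,0,1}, {1,0,0}};
static const uint8_t SAMPLE_PKT[10] = {0x01, 0xAA, 0xBB, 0, 0, 0, 7, 0x00, 0x50, 0xFF};

/* Compress: fold each unused field into the garbage of the needed field
   before it; unused fields ahead of the first needed one go into *lead. */
size_t compress(const Field *in, size_t n, Field *out, size_t *lead)
{
    size_t rows = 0;
    *lead = 0;
    for (size_t i = 0; i < n; i++) {
        size_t span = in[i].length + in[i].garbage;
        if (in[i].needed) out[rows++] = in[i];
        else if (rows > 0) out[rows - 1].garbage += span;
        else *lead += span;
    }
    return rows;
}

/* Fixed driver: one loop, no recursion. cur/end are the buffer pointers,
   row is the table pointer. Returns rows parsed, or -1 if truncated. */
int parse(const uint8_t *cur, const uint8_t *end, const Field *tbl,
          size_t rows, size_t lead, const uint8_t **vals)
{
    if ((size_t)(end - cur) < lead) return -1;
    cur += lead;
    for (size_t row = 0; row < rows; row++) {
        size_t step = tbl[row].length + tbl[row].garbage;
        if ((size_t)(end - cur) < step) return -1;  /* never jump past end */
        vals[row] = cur;                            /* start of needed field */
        cur += step;
    }
    return (int)rows;
}

int main(void)
{
    Field tbl[5]; size_t lead; const uint8_t *vals[5];
    size_t rows = compress(SAMPLE_TABLE, 5, tbl, &lead);
    return parse(SAMPLE_PKT, SAMPLE_PKT + 10, tbl, rows, lead, vals) == 2 ? 0 : 1;
}
```

The bounds check before each jump is what keeps the skip-ahead design safe on truncated or malformed packets: the driver compares the whole step (field plus garbage) against the bytes remaining before it moves the pointer.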


Snapshot for generated code


Snapshot for generated code, cont’d


Snapshot for generated code, cont’d


Demo


Questions? Suggestions?