Ambika Shrestha Chitrakar Prof. Slobodan Petrovic


CRBP-OpType: A Constrained Approximate Search Algorithm for Detecting Similar Attack Patterns Ambika Shrestha Chitrakar Prof. Slobodan Petrovic CyberICPS, Oslo, 2017

Outline
Introduction
  Misuse-based IDS
  Problem and Motivation
  Contribution
Background
  Approximate Search
  Approximate Search and Bit-Parallelism
  Row-based Bit-Parallelism (RBP)
CRBP-OpType
Experimental Work
Conclusion

Introduction

Misuse-based IDS
Misuse-based IDS detect attacks based on previously known attack signatures.
Example: Snort
Snort is one of the most widely used open-source misuse-based IDS.
It stores known attack signatures in its misuse database as rules.
It applies Aho-Corasick (an exact search) to find them in the network traffic.
It generates an alert when it finds one of them.

Problem and Motivation
The problem is that Snort-like misuse-based IDS fail to detect new attacks even when they are similar to the known ones.
It is enough to modify a single bit in a known attack signature to evade such an IDS.
Proposed solution: apply approximate search instead of an exact search.
However, approximate search generates a lot of false positives.

Contribution
CRBP-OpType: a constrained approximate search algorithm.
The number of false positives can be reduced.
At the same time, it can also help in detecting new attacks that are similar to the known ones.

Background

Approximate Search
Allows errors when finding the occurrences of the search pattern in the given search string.
Levenshtein (edit) distance has been used extensively in approximate search.
Example: given the string T = abbaccacbbadrbbb and the pattern P = bbba, find all the occurrences of P in T with k = 1 error, using edit distance.
T = abbaccacbbadrbbb: occurrences ending at positions 4, 11, and 16.

Constrained Approximate Search
Allows one to define constraints on the edit operations.
Examples:
Constraints on the number of indels (Sankoff-Indels and CRBP-Indels): insertions and deletions are counted together, so 2 indels = 2 insertions or 2 deletions, or 1 insertion and 1 deletion.
Constraints on the allowed number of each edit operation (CRBP-OpCount), e.g. allowing 1 insertion and 2 substitutions.

Approximate Search and Bit-Parallelism
[Figure: an NFA for the search pattern «kill», permitting up to 1 error: states 00-04 in row 0 and 10-14 in row 1, with ε and Σ transitions between the rows. Legend: a character match, insertion, substitution, deletion.]

Row-based Bit-Parallelism (RBP)
Search pattern (P) = kill, search string (T) = kil, error (k) = 1
[Figure: the NFA for the search pattern «kill», permitting up to 1 error (states 00-04 and 10-14, ε and Σ transitions between the rows), with the text characters k, i, l applied. Legend: a character match, insertion, substitution, deletion.]

CRBP-OpType

Possible edit operations
[Figure: possible edit operations for N = 3, k = 2 and for N = 1, k = 2.]

RBP and CRBP-OpType
Bit-mask: same as in RBP. Position j of the search pattern is set active if the character at that position equals the character for which the bit-mask is being computed; the other positions of the search pattern are set inactive. The bit-mask is built from right to left.
Initialization of the NFA: in RBP, in each row a number of consecutive bits equal to the row number (starting from 0) is set active. In CRBP-OpType this is valid only if deletion is allowed; otherwise, all the bits in all the rows are kept inactive.
Applying the search: the update formula for the rows greater than 0 is broken down by edit operation, and only the terms for the allowed edit operations are included in the computation.

CRBP-OpType
Search pattern (P) = kill, search string (T) = kil, error (k) = 1 deletion
[Figure: the NFA for the search pattern «kill», permitting up to 1 deletion (states 00-04 and 10-14, only ε transitions between the rows), with the text characters k, i, l applied. Legend: a character match, insertion, substitution, deletion.]
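The slides describe the row-based NFA simulation but show no code. The following is an added example, not the authors' C# implementation: a Python version of row-based bit-parallel approximate search in which each edit operation type (insertion, substitution, deletion) can be switched off individually, as CRBP-OpType does. It reproduces the Levenshtein example from the Approximate Search slide (P = bbba, T = abbaccacbbadrbbb, k = 1) and the kill/kil example with only deletion allowed; the function and helper names are my own.

```python
# Row-based bit-parallel approximate search (NFA simulation as in RBP) with the
# CRBP-OpType idea: each edit operation type can be switched off individually.
# Row i holds pattern positions reachable with exactly i errors; bit 0 is the
# row's initial state, bit j (1..m) means P[0..j-1] matched at the current char.

def build_masks(pattern):
    """Bit-mask table: masks[c] has bit j+1 set wherever pattern[j] == c."""
    masks = {}
    for j, ch in enumerate(pattern):
        masks[ch] = masks.get(ch, 0) | (1 << (j + 1))
    return masks

def crbp_optype_search(pattern, text, k, allow_ins=True, allow_sub=True, allow_del=True):
    """Return [(end_pos, errors)] for every 1-based text position at which the
    pattern ends with at most k errors using only the allowed operations;
    errors is the lowest row in which the accepting state became active."""
    m = len(pattern)
    masks = build_masks(pattern)
    full = (1 << (m + 1)) - 1          # keep every row inside m+1 bits
    accept = 1 << m                    # final pattern position
    # Rows i > 0 are active before any text is read only if deletions are allowed
    # (epsilon transitions skip the first i pattern characters); else they start empty.
    rows = [1] + [((1 << i) & full) if allow_del else 0 for i in range(1, k + 1)]
    hits = []
    for pos, ch in enumerate(text, start=1):
        b = masks.get(ch, 0)
        new = [0] * (k + 1)
        new[0] = (((rows[0] << 1) & b) | 1) & full   # exact row: match or restart
        for i in range(1, k + 1):
            r = (rows[i] << 1) & b                   # character match
            if allow_ins:
                r |= rows[i - 1]                     # insertion: consume ch, stay in place
            if allow_sub:
                r |= rows[i - 1] << 1                # substitution: consume ch, advance
            if allow_del:
                r |= new[i - 1] << 1                 # deletion: advance without consuming
            new[i] = r & full
        rows = new
        # With constraints the rows are not nested, so every row must be checked.
        for i in range(k + 1):
            if rows[i] & accept:
                hits.append((pos, i))
                break
    return hits

if __name__ == "__main__":
    # Slide examples: Levenshtein search with k = 1, then kill/kil with deletion only.
    print(crbp_optype_search("bbba", "abbaccacbbadrbbb", 1))
    print(crbp_optype_search("kill", "kil", 1, allow_ins=False, allow_sub=False))
```

Disabling deletion for the kill/kil case returns no match, which is the false-positive reduction the slides attribute to constraining the operation types.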

Experimental Work

System specification:
Quad-core 2.7 GHz processor
8 GB RAM
Programming language: C#

Experiment

Results

Results

Conclusion

Conclusion
Detect new attacks that are similar to the known ones: this can be achieved by using approximate search algorithms like RBP and CRBP-OpType with a certain level of tolerance.
Reduce the number of false positives/alarms: constrained approximate search (CRBP-OpType) reduces the number of false positives compared with unconstrained approximate search (RBP).
Increase the efficiency of the search algorithm: better efficiency can be achieved by limiting the use of edit operations.

Thank you! Questions?