Zhichun Li, Gao Xia, Yi Tang, Yan Chen, and Bin Liu

Slides:



Advertisements
Similar presentations
XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.
Advertisements

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
Study of a Paper about Genetic Algorithm For CS8995 Parallel Programming Yanhua Li.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
UltraPAC : automated protocol parser generator Daniel Burgener Jing Yuan.
RAIDM: Router-based Anomaly/Intrusion Detection and Mitigation Zhichun Li EECS Deparment Northwestern University Thesis Proposal.
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.
Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.
Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
 Zhichun Li  The Robust and Secure Systems group at NEC Research Labs  Northwestern University  Tsinghua University 2.
Shield: Vulnerability-Driven End- Host Firewall for Preventing Known Vulnerability Attacks Sigcomm ’04.
Network-based Intrusion Detection and Prevention in Challenging and Emerging Environments: High-speed Data Center, Web 2.0, and Social Networks Yan Chen.
Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.
Sujayyendhiren RS, Kaiqi Xiong and Minseok Kwon Rochester Institute of Technology Motivation Experimental Setup in ProtoGENI Conclusions and Future Work.
Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian.
Connecting, Monitoring and Securing Manufacturing Assets 1 Yan Chen Professor, EECS Department Director, Lab for Internet & Security Technology (LIST)
MASCOTS 2003 An Active Traffic Splitter Architecture for Intrusion Detection Ioannis Charitakis Institute of Computer Science Foundation of Research And.
Objective - To subtract integers. To subtract an integer is to add its opposite. a - b =a + -b = (-5) =8 + 5 = = 4 Rewrite the.
Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.
Pattern-Based DFA for Memory- Efficient and Scalable Multiple Regular Expression Matching Author: Junchen Jiang, Yang Xu, Tian Pan, Yi Tang, Bin Liu Publisher:IEEE.
Anomaly/Intrusion Detection and Prevention in Challenging Network Environments 1 Yan Chen Department of Electrical Engineering and Computer Science Northwestern.
Towards Vulnerability-Based Intrusion Detection with Event Processing Amer Farroukh, Mohammad Sadoghi, Hans-Arno Jacobsen University of Toronto July 13,
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:
1 3 Computing System Fundamentals 3.4 Networked Computer Systems.
1 NetShield: Massive Semantics-Based Vulnerability Signature Matching for High-Speed Networks Zhichun Li, Gao Xia, Hongyu Gao, Yi Tang, Yan Chen, Bin Liu,
Anomaly/Intrusion Detection and Prevention in Challenging Network Environments 1 Yan Chen Department of Electrical Engineering and Computer Science Northwestern.
Towards High Performance Network Defense Zhichun Li EECS Department Northwestern University.
High-Speed Policy-Based Packet Forwarding Using Efficient Multi-dimensional Range Matching Lakshman and Stiliadis ACM SIGCOMM 98.
Yan Chen Department of Electrical Engineering and Computer Science
TFA: A Tunable Finite Automaton for Regular Expression Matching Author: Yang Xu, Junchen Jiang, Rihua Wei, Yang Song and H. Jonathan Chao Publisher: ACM/IEEE.
Yan Chen Lab for Internet and Security Technology EECS Department Northwestern University Intrusion Detection and Forensics for Self-defending Wireless.
Towards High Speed Network Defense Zhichun Li EECS Deparment Northwestern University.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Monitoring, Diagnosing, and Securing the Internet 1 Yan Chen Department of Electrical Engineering and Computer Science Northwestern University Lab for.
SRD-DFA Achieving Sub-Rule Distinguishing with Extended DFA Structure Author: Gao Xia, Xiaofei Wang, Bin Liu Publisher: IEEE DASC (International Conference.
Range Hash for Regular Expression Pre-Filtering Publisher : ANCS’ 10 Author : Masanori Bando, N. Sertac Artan, Rihua Wei, Xiangyi Guo and H. Jonathan Chao.
SketchVisor: Robust Network Measurement for Software Packet Processing
Snort – IDS / IPS.
Notes Over 1.2.
Problem: Internet diagnostics and forensics
Jennifer Rexford Princeton University
6.8 Multiplying and Dividing Rational Expressions
A DFA with Extended Character-Set for Fast Deep Packet Inspection
Network-based Intrusion Detection, Prevention and Forensics System
Automated Parser Generation for High-Speed NIDS
Attack Transformation to Evade Intrusion Detection
Automated Parser Generation for High-Speed NIDS
Efficient Deformable Template Matching for Face Tracking
Yan Chen Department of Electrical Engineering and Computer Science
Wireshark(Ethereal).
5 × 7 = × 7 = 70 9 × 7 = CONNECTIONS IN 7 × TABLE
5 × 8 = 40 4 × 8 = 32 9 × 8 = CONNECTIONS IN 8 × TABLE
4 × 6 = 24 8 × 6 = 48 7 × 6 = CONNECTIONS IN 6 × TABLE
5 × 6 = 30 2 × 6 = 12 7 × 6 = CONNECTIONS IN 6 × TABLE
Northwestern Lab for Internet and Security Technology (LIST)
10 × 8 = 80 5 × 8 = 40 6 × 8 = CONNECTIONS IN 8 × TABLE MULTIPLICATION.
3 × 12 = 36 6 × 12 = 72 7 × 12 = CONNECTIONS IN 12 × TABLE
Using decision trees to improve signature-based intrusion detection
Compact DFA Structure for Multiple Regular Expressions Matching
2019/5/3 A De-compositional Approach to Regular Expression Matching for Network Security Applications Author: Eric Norige Alex Liu Presenter: Yi-Hsien.
Actively Learning Ontology Matching via User Interaction
5 × 12 = × 12 = × 12 = CONNECTIONS IN 12 × TABLE MULTIPLICATION.
Lu Tang , Qun Huang, Patrick P. C. Lee
5 × 9 = 45 6 × 9 = 54 7 × 9 = CONNECTIONS IN 9 × TABLE
3 × 7 = 21 6 × 7 = 42 7 × 7 = CONNECTIONS IN 7 × TABLE
Presentation transcript:

NetShield: Towards High Performance Network-based Vulnerability Signature Matching Zhichun Li, Gao Xia, Yi Tang, Yan Chen, and Bin Liu Northwestern University and Tsinghua University (China) Problems Currently, the regular expressions used by NIDS for signature matching have low accuracy because fundamentally regex cannot capture the vulnerability condition well. On the other hand, vulnerability signatures are much more accurate, but may have performance problems. Regular Expression Vulnerability Accuracy Relative Poor Much Better Speed Good ?? Memory OK Coverage Shield [sigcomm’04] Focus of this work Goal: Build a high speed vulnerability signature matching engine! Our approach Signature Example High speed parsing High speed matching Lightweight parsing state machine An simplified example for WINRPC Problem formulation Using a n x k table to keep track of whether signature i depend on matching dimension (matcher) j Matching dimension is a two tuple (field, operator), e.g., (rpc_vers, ==) Candidate Selection Idea Pre-computation decides the rule order and matcher order. Given that usually most matchers are good rule filters, we only keep track of a few matching candidates for one connection. Group For each matcher, match rules in parallel. Iteratively combine the candidate sets for multiple matchers. Evaluation High speed parsing: 2.9~15 Gbps for different protocols (HTTP, WINRPC, DNS) High speed matching: HTTP, 791 vulnerability signatures at ~1Gbps Applicability: in Snort ruleset (6,735 signatures) 86.7% can be improved to vulnerability signatures Prototype has been deployed on live-network environment and faster than Snort.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.