2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix.

Slides:

Advertisements

Similar presentations

Copyright © 2005 Department of Computer Science CPSC 641 Winter WAN Traffic Measurements There have been several studies of wide area network traffic.

Advertisements

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.

COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.

Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

The Inter-network is a big network of networks.. The five-layer networking model for the internet.

A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:

Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:

DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : th.

Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM th IEEE International.

SwinTop: Optimizing Memory Efficiency of Packet Classification in Network Author: Chen, Chang; Cai, Liangwei; Xiang, Yang; Li, Jun Conference: Communication.

Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.

Early Detection of DDoS Attacks against SDN Controllers

Shadow MACs: Scalable Label- switching for Commodity Ethernet Author: Kanak Agarwal, John Carter, Eric Rozner and Colin Dixon Publisher: HotSDN 2014 Presenter:

TFA: A Tunable Finite Automaton for Regular Expression Matching Author: Yang Xu, Junchen Jiang, Rihua Wei, Yang Song and H. Jonathan Chao Publisher: ACM/IEEE.

A Fast Regular Expression Matching Engine for NIDS Applying Prediction Scheme Author: Lei Jiang, Qiong Dai, Qiu Tang, Jianlong Tan and Binxing Fang Publisher:

Lightweight Traffic-Aware Packet Classification for Continuous Operation Author: Shariful Hasan Shaikot, Min Sik Kim Presenter: Yen-Chun Tseng Date: 2014/11/26.

Packet Classification Using Dynamically Generated Decision Trees

GFlow: Towards GPU-based High- Performance Table Matching in OpenFlow Switches Author : Kun Qiu, Zhe Chen, Yang Chen, Jin Zhao, Xin Wang Publisher : Information.

LOP_RE: Range Encoding for Low Power Packet Classification Author: Xin He, Jorgen Peddersen and Sri Parameswaran Conference : IEEE 34th Conference on Local.

Hierarchical Hybrid Search Structure for High Performance Packet Classification Authors : O˜guzhan Erdem, Hoang Le, Viktor K. Prasanna Publisher : INFOCOM,

Deep Packet Inspection as a Service Author : Anat Bremler-Barr, Yotam Harchol, David Hay and Yaron Koral Conference: ACM 10th International Conference.

LightFlow : Speeding Up GPU-based Flow Switching and Facilitating Maintenance of Flow Table Author : Nobutaka Matsumoto and Michiaki Hayashi Conference:

JA-trie: Entropy-Based Packet Classiﬁcation Author: Gianni Antichi, Christian Callegari, Andrew W. Moore, Stefano Giordano, Enrico Anastasi Conference.

CompTIA Security+ Study Guide (SY0-401)

Snort – IDS / IPS.

Reorganized and Compact DFA for Efficient Regular Expression Matching

2018/4/23 Dynamic Load-balanced Path Optimization in SDN-based Data Center Networks Author: Yuan-Liang Lan , Kuochen Wang and Yi-Huai Hsu Presenter: Yi-Hsien.

Minimizing latency of critical traffic through SDN

2018/5/8 An approach for detecting encrypted insider attacks on OpenFlow SDN Networks Author: Charles V. Neu , Avelino F. Zorzox , Alex M. S. Orozcoy and.

Lab 2: Packet Capture & Traffic Analysis with Wireshark

A DFA with Extended Character-Set for Fast Deep Packet Inspection

2018/6/26 An Energy-efficient TCAM-based Packet Classification with Decision-tree Mapping Author: Zhao Ruan, Xianfeng Li , Wenjun Li Publisher: 2013.

CompTIA Security+ Study Guide (SY0-401)

Regular Expression Matching in Reconfigurable Hardware

2018/11/19 Source Routing with Protocol-oblivious Forwarding to Enable Efficient e-Health Data Transfer Author: Shengru Li, Daoyun Hu, Wenjian Fang and.

CPSC 641: WAN Measurement Carey Williamson

Dynamic Packet-filtering in High-speed Networks Using NetFPGAs

SigMatch Fast and Scalable Multi-Pattern Matching

Parallel Processing Priority Trie-based IP Lookup Approach

2018/12/10 Energy Efficient SDN Commodity Switch based Practical Flow Forwarding Method Author: Amer AlGhadhban and Basem Shihada Publisher: 2016 IEEE/IFIP.

2018/12/29 A Novel Approach for Prefix Minimization using Ternary trie (PMTT) for Packet Classification Author: Sanchita Saha Ray, Abhishek Chatterjee,

2019/1/3 Exscind: Fast Pattern Matching for Intrusion Detection Using Exclusion and Inclusion Filters Next Generation Web Services Practices (NWeSP) 2011.

Memory-Efficient Regular Expression Search Using State Merging

Virtual TCAM for Data Center Switches

Scalable Multi-Match Packet Classification Using TCAM and SRAM

A New String Matching Algorithm Based on Logical Indexing

IP Control Gateway (IPCG)

Carey Williamson Department of Computer Science University of Calgary

Compact DFA Structure for Multiple Regular Expressions Matching

2019/5/10 A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic Author: Tejmani Sinam, Irengbam Tilokchan Singh,

2019/5/8 BitCoding Network Traffic Classification Through Encoded Bit Level Signatures Author: Neminath Hubballi, Mayank Swarnkar Publisher/Conference:

2019/5/13 A Weighted ECMP Load Balancing Scheme for Data Centers Using P4 Switches Presenter：Hung-Yen Wang Authors：Peng Wang, George Trimponias, Hong Xu,

SDN-Guard: DoS Attacks Mitigation in SDN Networks

Fast Testing Network Data Plane with RuleChecker

Power-efficient range-match-based packet classification on FPGA

Large-scale Packet Classification on FPGA

OpenSec：Policy-Based Security Using Software-Defined Networking

Design principles for packet parsers

A Hybrid IP Lookup Architecture with Fast Updates

2019/7/26 OpenFlow-Enabled User Traffic Profiling in Campus Software Defined Networks Presenter: Wei-Li,Wang Date: 2016/1/4 Author: Taimur Bakhshi and.

Pattern Based Packet Filtering using NetFPGA in DETER Infrastructure

2019/9/3 Adaptive Hashing Based Multiple Variable Length Pattern Search Algorithm for Large Data Sets 比對 Simple Pattern 的方法是基於 Hash 並且可以比對不同長度的 Pattern。

Lightweight Security Scheme for Vehicle Tracking System Using CoAP

2019/10/9 A Weighted ECMP Load Balancing Scheme for Data Centers Using P4 Switches Presenter：Hung-Yen Wang Authors：Jin-Li Ye, Yu-Huang Chu, Chien Chen.

Presentation transcript:

2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix Erlacher, Falko Dressler Presenter: Cheng-Feng Ke Date: 2018/01/10 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab 1

2019/1/1 RELATED WORK A very generic approach is to use the first 500 kB of every flow [21]. It has been shown that 99 % of the threats are located in this portion of the network traffic. This is very similar to early filtering algorithms such as Front Payload Aggregation (FPA) [10]. A first step towards handling more complex application protocol behavior focusing on HTTP/1.0 has been addressed in [11]. The presented DPA approach collects the first N bytes after every TCP direction change, i.e., keeping track of multiple HTTP request / response pairs in the same transport layer connection. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/1/1 RELATED WORK HTTP pipelining is a technique in which multiple HTTP requests are sent on a single TCP connection without waiting for the corresponding responses. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/1/1 INTRODUCTION Filters have been proposed to reduce the amount of traffic to be analyzed by a NIDS, yet, such filters need to be very carefully designed in order not to miss relevant data. We address this problem by proposing a novel concept for filtering taking into account the pipelining architecture of modern web traffic. Our concept, which we named HTTP-based Payload Aggregation (HPA), is able to retain the first N bytes of the basic Protocol Data Unit (PDU) of an application layer protocol and discard the rest, arguing that the retained payload portion contains almost all relevant data for intrusion detection. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

HPA: HTTP-BASED PAYLOAD AGGREGATION 2019/1/1 HPA: HTTP-BASED PAYLOAD AGGREGATION National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

Snort rules (snapshot 2990) 2019/1/1 Snort rules (snapshot 2990) We then filtered all rules so that only active (uncommented) rules remained that were related to HTTP: 67 % (18363) of all active rules (27375) are related to HTTP (using http_* content restrictors, using the “service http” metadata tag or using the $HTTP_SERVER or $HTTP_PORTS variable); 42 % (11468) of the rules apply the pattern to a field in the HTTP header and thus the beginning of the HTTP message. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/1/1 Implementation For implementing our new algorithm, we use the network monitoring toolkit Vermont [23]. We use the capability of the HTTP parser to filter out only the first N bytes of every HTTP message (request and response) and then export these bytes as one packet per message to the NIDS Snort. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/1/1 EVALUATION To represent typical HTTP traffic, we use a trace that was created by capturing the traffic going through an HTTP proxy used by a scientific work group for one week (from now on called proxy trace). In total the trace contains more than 2.2 million packets divided among 2996 unique IP Flows (IP source/destination pairs). The average packet size is 825 B. We used Snort version 2.9.9.0 in IDS mode with the default snort.conf configuration file. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/1/1 EVALUATION National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/1/1 EVALUATION We assessed the overall system performance using a realistic scenario by replaying the previously used proxy trace between two workstations (Linux 3.2.0, i5-4440 CPU, 32 GB RAM), which are directly connected over a 10 Gbit/s Ethernet network (Intel 82599 NICs). The goal was to measure the workload processing capacity (in our case packet throughput) and to assess the influence of our filtering system. We adapted the proxy trace used above for the performance tests by repeating the trace 15 times. The result is a trace with 33 million packets and 28 GB of data. To replay the network trace, we used the program pfsend from the PF_Ring program suite [26], which is more accurate than the well-known tcpreplay. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/1/1 EVALUATION National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/1/1 EVALUATION National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab