Counting bloom filters for pattern matching and anti-evasion at the wire speed Author: Gianni Antichi, Domenico Ficara, Stefano Giordano, Gregorio Procissi,


1 Counting bloom filters for pattern matching and anti-evasion at the wire speed
Authors: Gianni Antichi, Domenico Ficara, Stefano Giordano, Gregorio Procissi, and Fabio Vitucci. Publisher: IEEE Network 2009. Presenter: Chun-Yi Lee. Date: 2009/07/21

2 Outline
- Introduction
- The Anti-Evasion System
  - System Architecture
  - Small Packets
  - System Optimization
- Performance

3 Introduction How to evade standard pattern matching?
Splitting a malicious string across several packets makes pattern matching on single packets useless. Figure: the pattern "architecture" is split across Packet 1, Packet 2 and Packet 3, so no single packet carries the whole string.

4 The Anti-Evasion System
System Architecture. Figure: the two blocks of the system architecture, the Substring Detector and the Pattern Match Engine.

5 The Anti-Evasion System
System Architecture Split the strings to be searched into three-byte-long substrings and create a subCBF representing them. Example: pattern ABCDE gives sub pattern 1: ABC, sub pattern 2: BCD and sub pattern 3: CDE, all inserted in the subCBF.

6 The Anti-Evasion System
System Architecture. Figure: the Substring Detector (SD) checks each packet's substrings against the shared subCBF; on a subCBF hit, the Pattern Match Engine (PME) updates the striCBF kept for every pattern (pattern 1 … pattern k) of every flow (flow 1 … flow m).

7 The Anti-Evasion System
System Architecture Whenever a striCBF is completely reset to zero, it is assumed that the string was detected. Figure: a sub pattern of pattern k, hashed by h_i(sub pattern), matches the subCBF; the corresponding striCBF of pattern k for flow n is decremented.

8 The Anti-Evasion System
System Architecture Such a CBF represents all the remaining characters of the string in the format (char, pos), where pos is the sequence number of the byte within the string; each (char, pos) pair of the string is inserted in the filter.

9 The Anti-Evasion System
Small Packets If an attacker splits the signature into several one- or two-byte-long packets, the system cannot detect the attack. Figure: the pattern "architecture" is split across Packet 1 to Packet 6, each too short to contain a three-byte substring.

10 The Anti-Evasion System
Small Packets We divert all small packets to a slow path engine. The slow path engine must reassemble such flows and perform deterministic pattern matching on them to verify the actual presence of an attack.

11 The Anti-Evasion System
System Optimization In some cases the beginning of a signature is missed, because it is too short to be revealed by the substring detector. Figure: the flow "X architecture" is split across Packet 1, Packet 2 and Packet 3, with the first bytes of the pattern sharing a packet with the unrelated byte X.

12 The Anti-Evasion System
System Optimization For the efficiency of our system, it seems advisable to set an "emptying threshold" α for the striCBFs: once a striCBF has been emptied down to α, the attack is considered as detected.
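The following is an added toy model of the scheme on slides 5 to 8 (subCBF of three-byte substrings, per-flow striCBFs of (char, pos) pairs, detection when a striCBF empties) together with the emptying threshold α of slide 12 and the slow path of slide 10. It is illustrative code written for this transcript, not the authors' implementation. The hash construction, the filter size, the lookup table that maps a subCBF hit back to (pattern, offset), and the choice to measure emptiness as the fraction of (char, pos) pairs still stored are all my own assumptions; the patterns and packets are constructed sample input.

```python
# Added illustrative model of the anti-evasion scheme on the slides; not the
# authors' implementation. Hash construction, filter size, the substring ->
# pattern lookup table and the way the threshold alpha is measured are
# assumptions made for this example.
import hashlib

SUB_LEN = 3  # the slides split every pattern into three-byte substrings


class CountingBloomFilter:
    """Bloom filter with counters instead of bits, so elements can be removed."""

    def __init__(self, size=1 << 14, k=3):
        self.size, self.k = size, k
        self.counters = [0] * size

    def _indexes(self, item):
        # k index functions taken from 4-byte slices of one SHA-256 digest
        # (assumed construction; works for k <= 8)
        digest = hashlib.sha256(item).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size
                for i in range(self.k)]

    def add(self, item):
        for i in self._indexes(item):
            self.counters[i] += 1

    def contains(self, item):
        return all(self.counters[i] > 0 for i in self._indexes(item))

    def remove(self, item):
        """Decrement the element's counters only if all of them are non-zero."""
        idx = self._indexes(item)
        if not all(self.counters[i] > 0 for i in idx):
            return False
        for i in idx:
            self.counters[i] -= 1
        return True

    def load(self):
        """Sum of all counters: exactly k times the number of stored elements."""
        return sum(self.counters)


def encode(char, pos):
    """Serialise a (char, pos) pair, the element type stored in a striCBF."""
    return bytes([char]) + pos.to_bytes(2, "big")


class AntiEvasionMatcher:
    def __init__(self, patterns, alpha=0.0):
        self.patterns = patterns
        self.alpha = alpha                    # emptying threshold (slide 12)
        self.sub_cbf = CountingBloomFilter()  # shared by all flows (slide 5)
        self.lookup = {}  # substring -> [(pattern index, offset)] (assumption)
        for k, pat in enumerate(patterns):
            for off in range(len(pat) - SUB_LEN + 1):
                sub = pat[off:off + SUB_LEN]
                self.sub_cbf.add(sub)
                self.lookup.setdefault(sub, []).append((k, off))
        self.stri = {}       # flow id -> one striCBF per pattern (slide 6)
        self.slow_path = {}  # flow id -> bytes of small packets awaiting reassembly

    def _filters(self, flow):
        if flow not in self.stri:
            filters = []
            for pat in self.patterns:
                f = CountingBloomFilter()
                for pos, char in enumerate(pat):  # (char, pos) pairs (slide 8)
                    f.add(encode(char, pos))
                filters.append(f)
            self.stri[flow] = filters
        return self.stri[flow]

    def remaining_fraction(self, flow, k):
        """Share of pattern k's (char, pos) pairs still stored for this flow."""
        f = self._filters(flow)[k]
        return f.load() / (f.k * len(self.patterns[k]))

    def process_packet(self, flow, payload):
        """Return the patterns considered detected in this flow after the packet."""
        if len(payload) < SUB_LEN:
            # slides 9-10: too short for the SD, hand the bytes to the slow path
            buf = self.slow_path.get(flow, b"") + payload
            self.slow_path[flow] = buf
            return [pat for pat in self.patterns if pat in buf]  # deterministic match
        filters = self._filters(flow)
        for i in range(len(payload) - SUB_LEN + 1):
            sub = payload[i:i + SUB_LEN]
            if not self.sub_cbf.contains(sub):
                continue  # SD: no subCBF hit
            for k, off in self.lookup.get(sub, []):
                for j, char in enumerate(sub):  # PME: strip the matched (char, pos) pairs
                    filters[k].remove(encode(char, off + j))
        return [pat for k, pat in enumerate(self.patterns)
                if self.remaining_fraction(flow, k) <= self.alpha]
```

With α = 0 the flow "arc" | "hitec" | "ture" is reported only after its third packet, while the benign "architect" leaves a quarter of the pairs in place and is never reported. A flow whose first packet is "Xar" never yields the substrings covering positions 0 and 1, so it is caught only with α = 0.2; one- and two-byte packets bypass the filters entirely and are matched by the slow path once reassembled.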

13 Performance Figure: performance of the standard system in terms of detected attacks and false positives.

14 Performance Figure: the effects of deleting the most frequent substrings.

15 Performance Figure: detection percentage and false positives by varying α.
