CRBP-OpType: A Constrained Approximate Search Algorithm for Detecting Similar Attack Patterns
Ambika Shrestha Chitrakar and Prof. Slobodan Petrovic. CyberICPS, Oslo, 2017
Outline
- Introduction: Misuse-based IDS; Problem and Motivation; Contribution
- Background: Approximate Search; Constrained Approximate Search; Approximate Search and Bit-Parallelism; Row-based Bit-Parallelism (RBP)
- CRBP-OpType
- Experimental Work
- Conclusion
Introduction
Misuse-based IDS
Misuse-based IDS detect attacks by matching traffic against previously known attack signatures.
Example: Snort
- Snort is one of the most widely used open-source misuse-based IDS.
- It stores the known attack signatures in its misuse database as rules.
- It applies the Aho-Corasick algorithm (an exact multi-pattern search) to find them in the network traffic.
- It generates an alert when it finds one of them.
Problem and Motivation
The problem: misuse-based IDS such as Snort fail to detect new attacks even when they are similar to known ones. Modifying a single bit of a known attack signature can be enough to evade such an IDS.
Proposed solution: apply approximate search instead of exact search. However, approximate search generates a lot of false positives.
Contribution
CRBP-OpType: a constrained approximate search algorithm
- The number of false positives can be reduced.
- At the same time, it still detects new attacks that are similar to the known ones.
Background
Approximate Search
Approximate search allows errors when finding the occurrences of the search pattern in the given search string. Levenshtein (edit) distance has been used extensively in approximate search.
Example: given the string T = abbaccacbbadrbbb and the pattern P = bbba, find all occurrences of P in T with at most k = 1 error under edit distance.
T = abbaccacbbadrbbb: occurrences (by end position, counted from 1) at positions 4, 11 and 16, i.e. the substrings bba, bba and bbb, each at edit distance 1 from bbba.
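As an added example (not code from the presentation), the following Python implements this approximate search with Sellers' dynamic-programming formulation of edit distance: one column of the table per text character, with row 0 kept at zero so that an occurrence may start anywhere in the text, and a hit reported whenever the last cell is at most k. It is run on the slide's T and P; the function names and the 0-based end indices are my own conventions.

```python
# Added example: approximate search under Levenshtein (edit) distance using
# Sellers' dynamic-programming formulation. Not code from the presentation;
# function names and the 0-based end indices are my own conventions.


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertion, deletion and
    substitution each cost 1)."""
    prev = list(range(len(b) + 1))          # distance from a[:0] to b[:j]
    for i, ca in enumerate(a, start=1):
        cur = [i]                           # distance from a[:i] to b[:0]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]


def approximate_search(text: str, pattern: str, k: int):
    """Return (end_index, errors) for every position of `text` where a
    substring ends whose edit distance to `pattern` is at most k.

    The DP column holds, for each pattern prefix P[:i], the minimum edit
    distance to some substring of the text read so far that ends at the
    current character. Row 0 (empty pattern prefix) is always 0, so an
    occurrence may start anywhere in the text (Sellers' algorithm)."""
    m = len(pattern)
    col = list(range(m + 1))     # before any text: P[:i] needs i deletions
    hits = []
    for pos, c in enumerate(text):
        new = [0]
        for i in range(1, m + 1):
            new.append(min(col[i] + 1,            # insertion: c not in pattern
                           new[i - 1] + 1,        # deletion: P[i-1] not in text
                           col[i - 1] + (pattern[i - 1] != c)))  # subst./match
        col = new
        if col[m] <= k:
            hits.append((pos, col[m]))
    return hits


def to_1_based(hits):
    """Slide convention: occurrence end positions counted from 1."""
    return [end + 1 for end, _ in hits]


if __name__ == "__main__":
    # The slide's example: T = abbaccacbbadrbbb, P = bbba, k = 1
    T, P = "abbaccacbbadrbbb", "bbba"
    print(to_1_based(approximate_search(T, P, 1)))
```

Each hit is reported at the text position where the matching substring ends, which is how the slide's positions 4, 11 and 16 are counted; the distance returned with each hit is the cost of the best-aligned substring ending there, so a later row-based search can be checked against this table-based one.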
Constrained Approximate Search
Constrained approximate search allows one to define constraints on the edit operations.
Examples:
- Constraints on the number of indels (Sankoff-Indels and CRBP-Indels): insertions and deletions are counted together, so 2 indels means 2 insertions, 2 deletions, or 1 insertion and 1 deletion.
- Constraints on the allowed number of each edit operation (CRBP-OpCount), e.g. allowing 1 insertion and 2 substitutions.
Approximate Search and Bit-Parallelism
[Figure: an NFA for the search pattern «kill», permitting up to 1 error. Row 0 (no errors) has states 00 -k-> 01 -i-> 02 -l-> 03 -l-> 04 and row 1 (one error) has states 10 -k-> 11 -i-> 12 -l-> 13 -l-> 14; the horizontal arrows are character matches. Between the rows, a vertical Σ arrow is an insertion, a diagonal Σ arrow is a substitution and a diagonal ԑ arrow is a deletion. Legend: a character match, insertion, substitution, deletion.]
Row-based Bit-Parallelism (RBP)
Search pattern (P) = kill, search string (T) = kil, errors (k) = 1.
[Figure: the same NFA for «kill» with up to 1 error, simulated row by row while the characters k, i, l of T are read. Legend: a character match, insertion (Σ, vertical), substitution (Σ, diagonal), deletion (ԑ).]
CRBP-OpType
Possible edit operations
[Figure: the possible combinations of edit operations for N = 3, k = 2 and for N = 1, k = 2.]
RBP and CRBP-OpType
Bit-mask: the same as in RBP.
- Position j of the search pattern is set active if the character at that position equals the character for which the bit-mask is being built; all other positions of the pattern are set inactive.
- The bit-mask is built from right to left, so the first pattern position is the least significant bit.
Initialization of the NFA:
- In RBP, row i starts with its first i consecutive bits (counting from 0) set active.
- In CRBP-OpType, this initialization is valid only if deletion is allowed. Otherwise, all bits in all rows are kept inactive.
Applying the search:
- The update formula for the rows greater than 0 is broken down into its per-operation terms, and only the terms belonging to the allowed edit operations are included in the computation.
CRBP-OpType
Search pattern (P) = kill, search string (T) = kil, error (k) = 1 deletion.
[Figure: the NFA for the search pattern «kill», permitting up to 1 deletion: only the ԑ (deletion) arrows remain between row 0 and row 1; the Σ insertion and substitution arrows are removed. The characters k, i, l of T are read; after the final l, state 14 is active because the last l of the pattern is deleted. Legend: a character match, insertion, substitution, deletion.]
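The RBP simulation of the «kill» NFA and the CRBP-OpType restriction of it, as an added Python example (illustrative code, not the authors' C# implementation). Each error row i is a bit vector whose bit j is active when the pattern prefix of length j+1 has been matched with at most i errors; the bit-mask for a character is built right to left as described above; the update of the rows above 0 is written as separate match, insertion, substitution and deletion terms so that each term can be switched off; and the rows start with i active bits only when deletion is allowed. With all three operations allowed the function is plain RBP. The function names, the `ops` parameter and the (end index, errors) return format are assumptions of mine.

```python
# Added example: row-based bit-parallel approximate search (one bit vector
# per error row, as in RBP) with CRBP-OpType-style constraints on which
# edit-operation types may be used. Illustrative code, not the authors'
# C# implementation; function names and the return format are mine.

ALL_OPS = ("insertion", "substitution", "deletion")


def build_masks(pattern: str) -> dict:
    """Bit-mask per character: bit j of masks[c] is active iff pattern[j] == c.
    Bit 0 is the first pattern position, i.e. the mask is read right to left."""
    masks = {}
    for j, c in enumerate(pattern):
        masks[c] = masks.get(c, 0) | (1 << j)
    return masks


def crbp_optype_search(text: str, pattern: str, k: int, ops=ALL_OPS):
    """Find every position of `text` at which `pattern` ends with at most k
    errors, using only the edit operations listed in `ops`.

    Returns a list of (end_index, errors): 0-based end index and the
    smallest error row in which the final state became active."""
    ops = set(ops)
    unknown = ops - set(ALL_OPS)
    if unknown:
        raise ValueError("unknown edit operation(s): %s" % sorted(unknown))
    allow_ins = "insertion" in ops
    allow_sub = "substitution" in ops
    allow_del = "deletion" in ops

    m = len(pattern)
    masks = build_masks(pattern)
    full = (1 << m) - 1          # keep each row to m bits
    final = 1 << (m - 1)         # bit of the last pattern position

    # NFA initialisation: row i starts with its first i bits active (the
    # start of the pattern skipped by i deletions) only if deletion is
    # allowed; otherwise every row starts with all bits inactive.
    rows = [((1 << i) - 1) if allow_del else 0 for i in range(k + 1)]

    hits = []
    for pos, c in enumerate(text):
        mask = masks.get(c, 0)
        # Row 0 is exact matching: shift in the always-active initial state
        # and keep only the positions whose pattern character is c.
        new = [((rows[0] << 1) | 1) & mask]
        for i in range(1, k + 1):
            # The "| 1" terms stand for the initial state of the previous
            # row, which is always active (an empty prefix is always matched).
            r = ((rows[i] << 1) | 1) & mask          # character match in row i
            if allow_ins:
                r |= rows[i - 1]                     # consume c, do not advance
            if allow_sub:
                r |= (rows[i - 1] << 1) | 1          # consume c and advance
            if allow_del:
                r |= (new[i - 1] << 1) | 1           # advance without consuming (ԑ)
            new.append(r & full)
        rows = new
        for i, r in enumerate(rows):
            if r & final:
                hits.append((pos, i))
                break
    return hits


def rbp_search(text: str, pattern: str, k: int):
    """Unconstrained RBP: all three edit operations allowed."""
    return crbp_optype_search(text, pattern, k, ALL_OPS)


if __name__ == "__main__":
    # The slide's example: P = kill, T = kil, k = 1
    print("RBP, any operation :", rbp_search("kil", "kill", 1))
    print("deletion only      :", crbp_optype_search("kil", "kill", 1, ["deletion"]))
    print("substitution only  :", crbp_optype_search("kil", "kill", 1, ["substitution"]))
    print("insertion only     :", crbp_optype_search("kil", "kill", 1, ["insertion"]))
```

On the slide's input, unconstrained RBP and deletion-only CRBP-OpType both accept kil (the last l of kill deleted), while substitution-only and insertion-only do not, which is the false-positive reduction the deck argues for: a signature variant that could only arise from an operation the analyst has not allowed is no longer reported. On a text such as kixll the three single-operation searches disagree in the same way, each accepting only the variant its operation can explain.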
Experimental Work
System specification: quad-core 2.7 GHz processor, 8 GB RAM. Programming language: C#.
Experiment
Results
Conclusion
Detect new attacks that are similar to the known ones:
- This can be achieved by using approximate search algorithms such as RBP and CRBP-OpType with a certain level of tolerance.
Reduce the number of false positives/alarms:
- Constrained approximate search (CRBP-OpType) reduces the number of false positives compared with unconstrained approximate search (RBP).
Increase the efficiency of the search algorithm:
- Better efficiency can be achieved by limiting the use of edit operations.
Thank you! Questions?