Presentation is loading. Please wait.

Presentation is loading. Please wait.

Zhichun Li, Gao Xia, Yi Tang, Yan Chen, and Bin Liu

Published byLora Washington Modified over 6 years ago

Similar presentations

Presentation on theme: "Zhichun Li, Gao Xia, Yi Tang, Yan Chen, and Bin Liu"— Presentation transcript:

1 NetShield: Towards High Performance Network-based Vulnerability Signature Matching
Zhichun Li, Gao Xia, Yi Tang, Yan Chen, and Bin Liu Northwestern University and Tsinghua University (China) Problems Currently, the regular expressions used by NIDS for signature matching have low accuracy because fundamentally regex cannot capture the vulnerability condition well. On the other hand, vulnerability signatures are much more accurate, but may have performance problems. Regular Expression Vulnerability Accuracy Relative Poor Much Better Speed Good ?? Memory OK Coverage Shield [sigcomm’04] Focus of this work Goal: Build a high speed vulnerability signature matching engine! Our approach Signature Example High speed parsing High speed matching Lightweight parsing state machine An simplified example for WINRPC Problem formulation Using a n x k table to keep track of whether signature i depend on matching dimension (matcher) j Matching dimension is a two tuple (field, operator), e.g., (rpc_vers, ==) Candidate Selection Idea Pre-computation decides the rule order and matcher order. Given that usually most matchers are good rule filters, we only keep track of a few matching candidates for one connection. Group For each matcher, match rules in parallel. Iteratively combine the candidate sets for multiple matchers. Evaluation High speed parsing: 2.9~15 Gbps for different protocols (HTTP, WINRPC, DNS) High speed matching: HTTP, 791 vulnerability signatures at ~1Gbps Applicability: in Snort ruleset (6,735 signatures) 86.7% can be improved to vulnerability signatures Prototype has been deployed on live-network environment and faster than Snort.

Download ppt "Zhichun Li, Gao Xia, Yi Tang, Yan Chen, and Bin Liu"

Similar presentations

XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.

XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
Study of a Paper about Genetic Algorithm For CS8995 Parallel Programming Yanhua Li.

Study of a Paper about Genetic Algorithm For CS8995 Parallel Programming Yanhua Li.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
UltraPAC : automated protocol parser generator Daniel Burgener Jing Yuan.

UltraPAC : automated protocol parser generator Daniel Burgener Jing Yuan.
RAIDM: Router-based Anomaly/Intrusion Detection and Mitigation Zhichun Li EECS Deparment Northwestern University 2008-04-29 Thesis Proposal.

RAIDM: Router-based Anomaly/Intrusion Detection and Mitigation Zhichun Li EECS Deparment Northwestern University Thesis Proposal.
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.

Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.

1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.
Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.
Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs.

Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
 Zhichun Li  The Robust and Secure Systems group at NEC Research Labs  Northwestern University  Tsinghua University 2.

 Zhichun Li  The Robust and Secure Systems group at NEC Research Labs  Northwestern University  Tsinghua University 2.
Shield: Vulnerability-Driven End- Host Firewall for Preventing Known Vulnerability Attacks Sigcomm ’04.

Shield: Vulnerability-Driven End- Host Firewall for Preventing Known Vulnerability Attacks Sigcomm ’04.
Network-based Intrusion Detection and Prevention in Challenging and Emerging Environments: High-speed Data Center, Web 2.0, and Social Networks Yan Chen.

Network-based Intrusion Detection and Prevention in Challenging and Emerging Environments: High-speed Data Center, Web 2.0, and Social Networks Yan Chen.
Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.

Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.
Sujayyendhiren RS, Kaiqi Xiong and Minseok Kwon Rochester Institute of Technology Motivation Experimental Setup in ProtoGENI Conclusions and Future Work.

Sujayyendhiren RS, Kaiqi Xiong and Minseok Kwon Rochester Institute of Technology Motivation Experimental Setup in ProtoGENI Conclusions and Future Work.
Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian.

Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian.
Connecting, Monitoring and Securing Manufacturing Assets 1 Yan Chen Professor, EECS Department Director, Lab for Internet & Security Technology (LIST)

Connecting, Monitoring and Securing Manufacturing Assets 1 Yan Chen Professor, EECS Department Director, Lab for Internet & Security Technology (LIST)

Similar presentations

Ads by Google