Presentation is loading. Please wait.

Presentation is loading. Please wait.

2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix.

Published byRosemary Johnston Modified over 5 years ago

Similar presentations

Presentation on theme: "2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix."— Presentation transcript:

1 2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix Erlacher, Falko Dressler Presenter: Cheng-Feng Ke Date: /01/10 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab 1

2 2019/1/1 RELATED WORK A very generic approach is to use the first 500 kB of every flow [21]. It has been shown that 99 % of the threats are located in this portion of the network traffic. This is very similar to early filtering algorithms such as Front Payload Aggregation (FPA) [10]. A first step towards handling more complex application protocol behavior focusing on HTTP/1.0 has been addressed in [11]. The presented DPA approach collects the first N bytes after every TCP direction change, i.e., keeping track of multiple HTTP request / response pairs in the same transport layer connection. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

3 2019/1/1 RELATED WORK HTTP pipelining is a technique in which multiple HTTP requests are sent on a single TCP connection without waiting for the corresponding responses. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

4 2019/1/1 INTRODUCTION Filters have been proposed to reduce the amount of traffic to be analyzed by a NIDS, yet, such filters need to be very carefully designed in order not to miss relevant data. We address this problem by proposing a novel concept for filtering taking into account the pipelining architecture of modern web traffic. Our concept, which we named HTTP-based Payload Aggregation (HPA), is able to retain the first N bytes of the basic Protocol Data Unit (PDU) of an application layer protocol and discard the rest, arguing that the retained payload portion contains almost all relevant data for intrusion detection. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

5 HPA: HTTP-BASED PAYLOAD AGGREGATION
2019/1/1 HPA: HTTP-BASED PAYLOAD AGGREGATION National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

6 Snort rules (snapshot 2990)
2019/1/1 Snort rules (snapshot 2990) We then filtered all rules so that only active (uncommented) rules remained that were related to HTTP: 67 % (18363) of all active rules (27375) are related to HTTP (using http_* content restrictors, using the “service http” metadata tag or using the $HTTP_SERVER or $HTTP_PORTS variable); 42 % (11468) of the rules apply the pattern to a field in the HTTP header and thus the beginning of the HTTP message. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

7 2019/1/1 Implementation For implementing our new algorithm, we use the network monitoring toolkit Vermont [23]. We use the capability of the HTTP parser to filter out only the first N bytes of every HTTP message (request and response) and then export these bytes as one packet per message to the NIDS Snort. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

8 2019/1/1 EVALUATION To represent typical HTTP traffic, we use a trace that was created by capturing the traffic going through an HTTP proxy used by a scientific work group for one week (from now on called proxy trace). In total the trace contains more than 2.2 million packets divided among 2996 unique IP Flows (IP source/destination pairs). The average packet size is 825 B. We used Snort version in IDS mode with the default snort.conf configuration file. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

9 2019/1/1 EVALUATION National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

10 2019/1/1 EVALUATION We assessed the overall system performance using a realistic scenario by replaying the previously used proxy trace between two workstations (Linux 3.2.0, i CPU, 32 GB RAM), which are directly connected over a 10 Gbit/s Ethernet network (Intel NICs). The goal was to measure the workload processing capacity (in our case packet throughput) and to assess the influence of our filtering system. We adapted the proxy trace used above for the performance tests by repeating the trace 15 times. The result is a trace with 33 million packets and 28 GB of data. To replay the network trace, we used the program pfsend from the PF_Ring program suite [26], which is more accurate than the well-known tcpreplay. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

11 2019/1/1 EVALUATION National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

12 2019/1/1 EVALUATION National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

Download ppt "2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix."

Similar presentations

Copyright © 2005 Department of Computer Science CPSC 641 Winter 20111 WAN Traffic Measurements There have been several studies of wide area network traffic.

Copyright © 2005 Department of Computer Science CPSC 641 Winter WAN Traffic Measurements There have been several studies of wide area network traffic.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.

Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.
COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.

COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.
Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.

Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:
The Inter-network is a big network of networks.. The five-layer networking model for the internet.

The Inter-network is a big network of networks.. The five-layer networking model for the internet.
A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,

A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:
Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:

Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:
DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : 2009 15th.

DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : th.
Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM 2007. 26th IEEE International.

Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM th IEEE International.
SwinTop: Optimizing Memory Efficiency of Packet Classification in Network Author: Chen, Chang; Cai, Liangwei; Xiang, Yang; Li, Jun Conference: Communication.

SwinTop: Optimizing Memory Efficiency of Packet Classification in Network Author: Chen, Chang; Cai, Liangwei; Xiang, Yang; Li, Jun Conference: Communication.
Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.

Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.
Early Detection of DDoS Attacks against SDN Controllers

Early Detection of DDoS Attacks against SDN Controllers
Shadow MACs: Scalable Label- switching for Commodity Ethernet Author: Kanak Agarwal, John Carter, Eric Rozner and Colin Dixon Publisher: HotSDN 2014 Presenter:

Shadow MACs: Scalable Label- switching for Commodity Ethernet Author: Kanak Agarwal, John Carter, Eric Rozner and Colin Dixon Publisher: HotSDN 2014 Presenter:
TFA: A Tunable Finite Automaton for Regular Expression Matching Author: Yang Xu, Junchen Jiang, Rihua Wei, Yang Song and H. Jonathan Chao Publisher: ACM/IEEE.

TFA: A Tunable Finite Automaton for Regular Expression Matching Author: Yang Xu, Junchen Jiang, Rihua Wei, Yang Song and H. Jonathan Chao Publisher: ACM/IEEE.

Similar presentations

Ads by Google