Presentation is loading. Please wait.

Presentation is loading. Please wait.

Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1.

Published byMina Sall Modified over 9 years ago

Similar presentations

Presentation on theme: "Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1."— Presentation transcript:

1 Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1

2  Introduction  Related Work  Background  Proposed Algorithm : AC-Suffix-Tree Algorithm  Performance Analysis 2

3  TCP and IP fragmentation can be used to evade signature detection at IDS / IPS.  The common defense is buffering and reassembling packets. However, buffering of out-of-sequence packets can become impractical on high speed links due to limited fast memory capacity. 3

4  In this paper, AC-Suffix-Tree, a buffer free scheme for string matching is proposed, which detects patterns across out-of-sequence packets without buffering and reassembly.  This novel algorithm associates the classical AC (ACA) algorithm with a pattern suffix tree to search patterns with only the state numbers of AC automaton and suffix tree stored. 4

5  What is the current situation of packet reordering in Internet?  In 2005, Dharmapurikar found that packet reordering in TCP traffic only affects 2-3% of the overall traffic[6].  An older paper reports that 90% of the TCP packets were reordered in the trace of Dec. 1997 and Jan. 1998 [3], but Dharmapurikar claims it was because the older generation of router architecture. 5

6  Pattern Suffix Tree : Let X = {abaaba,ababab}, suffix set of X is {a,ba,aba,aaba,baaba,b,ab,bab,abab,babab} 6

7  The return value contains the stop state and a “fact” mark. Once the input string is not finished but there is no available next state, fact is false; and once the input string is finished but PST is not finished, fact is true. So fact = true means str is a proper factor of some patterns in X. 7

8  A simple situation of two packets’ reordering.  When packet y2 comes first, a pattern may exist between the two packets only if some prefix of y2 is one suffix of the patterns. 8

9  For example : y i =aaba, y j =abaa stop at s 6 append path(s 6 ) 9

10  What if the pattern x crosses more than two segments?  A information merging mechanism is used to merge the PST state records in successive blocks.  the return value “fact” of PST is used to identify the proper factor of x. fact = true means the entire segment is a proper factor of x, thus needs to merge the PST state with the predecessor segment. 10

11  Example : Pattern set X = {abaaba, ababab} Input Y = y 1 y 2 y 3 y 4, where y 1 = bbaa,y 2 = baba,y 3 = baab,y 4 = aabb 11 -> flow number -> sequence number -> length -> state of ACA -> state of PST

12  First input is y 3 : (baab) passing y 3 to both ACA & PST  Buffer contains (1,8,4,2,11,true) 12

13  Second input is y 1 : (bbaa) passing y 1 to both ACA & PST  Buffer contains (1,8,4,2,11,true), (1,0,4,2,11,false) 13

14  Third input is y 4 : (aabb) combine y 4 with its predecessor (1,8,4,2,11,true) ACA begin with s2,PST begin with s11  Buffer contains (1,0,4,1,8,false), (1,8,8,0,12,false) 14

15  Fourth input is y 2 : (baba) combine y 2 with (1,0,4,1,8,false) & (1,8,8,0,12,false) path(12) appended to y 2 ’s tail -> bababaaba ACA match with {abaaba,ababab}  Buffer clean all records with fid = 1. 15

16  Compression of Suffix Tree : idea - using a suffix array instead of a tree  Pre-processing time will be longer but not the focus 16

17  Pattern set is chosen from snort,released on 2010/07/22. no regular expressions included.  Use traces generated by their own program.  Running on PC Pentium 2-core CPU,4GB RAM,32- bit XP 17

18  Processing speed for different traces with long set 18

19  Memory usage of AC and suffix tree 19

20  1,3,2,4,5, 6,7,8,9,10  1,4,5,6,7 8,9,10,2,3  1,3,4,6,7 8,9,2,10,5 20

Download ppt "Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1."

Similar presentations

Monitoring very high speed links Gianluca Iannaccone Sprint ATL joint work with: Christophe Diot – Sprint ATL Ian Graham – University of Waikato Nick McKeown.

Monitoring very high speed links Gianluca Iannaccone Sprint ATL joint work with: Christophe Diot – Sprint ATL Ian Graham – University of Waikato Nick McKeown.
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.
1 CNPA B Nasser S. Abouzakhar Queuing Disciplines Week 8 – Lecture 2 16 th November, 2009.

1 CNPA B Nasser S. Abouzakhar Queuing Disciplines Week 8 – Lecture 2 16 th November, 2009.
Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.

Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.
Author: Nan Hua, Bill Lin, Jun (Jim) Xu, Haiquan (Chuck) Zhao Publisher: ANCS’08 Presenter: Yun-Yan Chang Date:2011/02/23 1.

Author: Nan Hua, Bill Lin, Jun (Jim) Xu, Haiquan (Chuck) Zhao Publisher: ANCS’08 Presenter: Yun-Yan Chang Date:2011/02/23 1.
1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:

1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:
Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Author: Anat Bremler-Barr, Yaron Koral, Shimrit Tzur David, David Hay Publisher:

Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Author: Anat Bremler-Barr, Yaron Koral, Shimrit Tzur David, David Hay Publisher:
Tries Standard Tries Compressed Tries Suffix Tries.

Tries Standard Tries Compressed Tries Suffix Tries.
A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:

A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.
Hermes: An Integrated CPU/GPU Microarchitecture for IPRouting Author: Yuhao Zhu, Yangdong Deng, Yubei Chen Publisher: DAC'11, June 5-10, 2011, San Diego,

Hermes: An Integrated CPU/GPU Microarchitecture for IPRouting Author: Yuhao Zhu, Yangdong Deng, Yubei Chen Publisher: DAC'11, June 5-10, 2011, San Diego,
1 Searching Very Large Routing Tables in Wide Embedded Memory Author: Jan van Lunteren Publisher: GLOBECOM 2001 Presenter: Han-Chen Chen Date: 2010/01/06.

1 Searching Very Large Routing Tables in Wide Embedded Memory Author: Jan van Lunteren Publisher: GLOBECOM 2001 Presenter: Han-Chen Chen Date: 2010/01/06.
1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter:

1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter:
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.

Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
1 A Fast IP Lookup Scheme for Longest-Matching Prefix Authors: Lih-Chyau Wuu, Shou-Yu Pin Reporter: Chen-Nien Tsai.

1 A Fast IP Lookup Scheme for Longest-Matching Prefix Authors: Lih-Chyau Wuu, Shou-Yu Pin Reporter: Chen-Nien Tsai.
1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.

1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.
1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher:

1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher:
Indexing and Searching

Indexing and Searching
Fast binary and multiway prefix searches for pachet forwarding Author: Yeim-Kuan Chang Publisher: COMPUTER NETWORKS, Volume 51, Issue 3, pp. 588-605, February.

Fast binary and multiway prefix searches for pachet forwarding Author: Yeim-Kuan Chang Publisher: COMPUTER NETWORKS, Volume 51, Issue 3, pp , February.
Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

Similar presentations

Ads by Google