
MCA 2: Multi Core Architecture for Mitigating Complexity Attacks Yaron Koral (TAU) Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay.


1 MCA 2: Multi Core Architecture for Mitigating Complexity Attacks Yaron Koral (TAU) Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay (HUJI) and Yotam Harchol (HUJI)

2 A multicore system architecture, which is robust against complexity DDoS attacks

3 Network Intrusion Detection System: Reports or drops malicious packets. Important technique: Deep Packet Inspection (DPI). [Figure labels: Internet, IP packet]

4 Complexity DoS Attack Over NIDS: Find a gap between average case and worst case. One may craft an input that exploits this gap. Launch a Denial of Service attack on the system. [Figure labels: Internet, Real-Life Traffic, Throughput]

5 Attack on Security Elements. Combined Attack: DDoS on Security Element exposed the network – theft of customers’ information

6 Attack on Snort: The most widely deployed IDS/IPS worldwide. [Figure labels: Max Throughput, Routine Traffic, Heavy Packet Traffic]

7 Airline Desk Example

8 A flight ticket

9 Airline Desk Example: An aisle seat near window!! Three carry handbags!!! Doesn’t like food!!! Can’t find passport!! Overweight!!!

10 Airline Desk Example

11 Domain Properties: 1. Heavy & light customers. 2. Easy detection of heavy customers. 3. Moving customers between queues is cheap. 4. Heavy customers have a special, more efficient processing method. Domain Properties: 1. Heavy & light packets. 2. Easy detection of heavy packets. 3. Moving packets between queues is cheap. 4. Heavy packets have a special, more efficient processing method. [Figure label: Special training]

12 Some packets are much “heavier” than others: The Snort-attack experiment

13 DPI mechanism is a main bottleneck in Snort. Snort uses Aho-Corasick DFA: allows single step for each input symbol; holds transition for each alphabet symbol. Fast & huge: best for normal traffic, exposed to cache-miss attack. [Figure label: Heavy Packet]

14 Snort-Attack Experiment. [Figure labels: Cache, Main Memory; Normal Traffic, Attack Scenario; Max Throughput, Routine Traffic, Heavy Packet Traffic]

15 The General Case: Complexity Attacks. Building the packet is much cheaper than processing it. Domain Properties: 1. Heavy & light packets. 2. Easy detection of heavy packets. 3. Moving packets between queues is cheap. 4. Heavy packets have a special, more efficient processing method.

16 Detecting heavy packets is feasible

17 How Do We Detect? Normal and heavy packets differ from each other. May be classified quickly. Claim: the general case in complexity attacks!!! [Figure label: threshold]

18 Domain Properties: 1. Heavy & light packets. 2. Easy detection of heavy packets. 3. Moving packets between queues is cheap. 4. Heavy packets have a special, more efficient processing method.

19 System Architecture: Routine and alert mode. Drop mode. Dynamic thread allocation model. Non-blocking queue synchronization. Move packets between cores with negligible overhead! [Figure labels: Processor Chip, NIC, Core #1, Core #2, Core #8, Dedicated Core #9, Dedicated Core #10, Q, B, Detects heavy packets]
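
An added example, not code from the talk or from the MCA 2 authors: the threshold classification of slide 17 feeding the dedicated-core queue of slide 19. The slides do not name the metric, so the deep-state ratio, the depth cutoff (3), the threshold (0.5), the patterns and the payloads are all assumptions constructed here.

```python
from collections import deque

# Constructed signature set (illustrative, not Snort rules).
PATTERNS = [b"malware", b"exploit", b"payload"]

def build_ac(patterns):
    """Aho-Corasick automaton as (goto, fail, depth) lists indexed by state."""
    goto, fail, depth = [{}], [0], [0]
    for pat in patterns:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({}); fail.append(0); depth.append(depth[s] + 1)
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
    queue = deque(goto[0].values())
    while queue:  # breadth-first pass fills in the failure links
        s = queue.popleft()
        for b, t in goto[s].items():
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            queue.append(t)
    return goto, fail, depth

def heaviness(payload, ac, deep=3):
    """Fraction of input bytes that leave the automaton at depth >= deep."""
    goto, fail, depth = ac
    s = deep_steps = 0
    for b in payload:
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        deep_steps += depth[s] >= deep
    return deep_steps / max(len(payload), 1)

def dispatch(packets, ac, threshold=0.5):
    """Split packets into (normal_queue, dedicated_queue) by the threshold."""
    normal, dedicated = [], []
    for p in packets:
        (dedicated if heaviness(p, ac) > threshold else normal).append(p)
    return normal, dedicated

LIGHT = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed
HEAVY = b"malwareexploitpayload" * 4  # constructed, dominated by signature text

if __name__ == "__main__":
    print(dispatch([LIGHT, HEAVY], build_ac(PATTERNS)))
```

The classifier costs one counter increment per input byte on the scan the DPI engine already performs, which is what makes the "may be classified quickly" property plausible.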

20 Domain Properties: 1. Heavy & light packets. 2. Easy detection of heavy packets. 3. Moving packets between queues is cheap. 4. Heavy packets have a special, more efficient processing method.

21 Snort uses Aho-Corasick DFA

22 Full Matrix vs. Compressed

23 Domain Properties: 1. Heavy & light packets. 2. Easy detection of heavy packets. 3. Moving packets between queues is cheap. 4. Heavy packets have a special, more efficient processing method.

24 Experimental Results

25 System Throughput Over Time

26 Different Algorithms Goodput

27 Concluding Remarks: A multi-core system architecture, which is robust against complexity DDoS attacks. In this talk we focused on specific NIDS and complexity attack. Additional results show how the system fits to other cases: – Hybrid-FA – Bro Lazy-FA. We believe this approach can be generalized (outside the scope of NIDS).

28 Thank You!!

