Presentation is loading. Please wait.

Presentation is loading. Please wait.

Liu Yang New Pattern Matching Algorithms for Network Security Applications Liu Yang Department of Computer Science Rutgers University April 4th, 2013.

Published byJean Ray Modified over 9 years ago

Similar presentations

Presentation on theme: "Liu Yang New Pattern Matching Algorithms for Network Security Applications Liu Yang Department of Computer Science Rutgers University April 4th, 2013."— Presentation transcript:

1 Liu Yang New Pattern Matching Algorithms for Network Security Applications Liu Yang Department of Computer Science Rutgers University April 4th, 2013

2 Liu Yang Intrusion Detection Systems (IDS) 2 Intrusion detection Host-based Network-based Anomaly-basedSignature-based (using patterns to describe malicious traffic) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS …; pcre:“/username=[^&\x3b\r\n]{255}/si”; … Example signature 1 : This is an example signature from Snort, an network-based intrusion detection system (NIDS) (statistics …)

3 Liu Yang..evil.. patterns Network-based Intrusion Detection Systems 3 Network traffic Alerts NIDS Network intrusion detection systems (NIDS) employ regular expressions to represent attack signatures. … = { /.*evil.*/} … innocent Pattern matching: detecting malicious traffic

4 Liu Yang Ideal of Pattern Matching Time efficient –fast to keep up with network speed, e.g., Gbps Space efficient –compact to fit into main memory 4

5 Liu Yang The Reality: Time-space Tradeoff 5 Deterministic Finite Automata (DFAs) –Fast in operation –Consuming large space Nondeterministic Finite Automata (NFAs) –Space efficient –Slow in operation Recursive backtracking (implemented by PCRE, Java, etc) –Fast in general –Extremely slow for certain types of patterns

6 Liu Yang The Reality: Time-space Tradeoff 6 Space Time Ideal DFA (deterministic finite automaton) NFA (non-deterministic finite automaton) Backtracking (under algorithmic complexity attacks) Backtracking (with benign patterns) My contribution

7 Liu Yang Overview of My Thesis 7 … “.*? address (\d+\.\d+\.\d+\.\d+), resolved by (\d+\.\d+\.\d+\.\d+)” … “.*(NLSessionS[^=\s]*)\s*=\s*\x3 B.*\1\s*=[^\s\x3B]” … Regular expressions +submatch extraction Regular expressions +back references … “.* ]*javascript ^file\x3a\x2f\x2f[^\n]{400}” … Regular expressions NFA-OBDD [RAID’10, COMNET’11] Submatch-OBDD [ANCS’12] NFA-backref [to submit] Three types of patterns

8 Liu Yang Main Contribution Algorithms for time and space efficient pattern matching –NFA-OBDD space efficient (60MB memory for 1500+ patterns) 1000x faster than NFAs –Submatch-OBDD: space efficient 10x faster than PCRE and Google’s RE2 –NFA-backref: space efficient resisting known algorithmic attacks (1000x faster than PCRE for certain types of patterns) 8

9 Liu Yang Part I: NFA-OBDD: A Time and Space Efficient Data Structure for Regular Expression Matching 9 Joint work with R. Karim, V. Ganapathy, and R. Smith [RAID’10, COMNET’11]

10 Liu Yang Finite Automata Regular expressions and finite automata are equally expressive 10 Regular expressions NFAs DFAs

11 Liu Yang Why not DFA? 11 “.*ab.*cd”“.*ef.*gh”“.*ab.*cd |.*ef.*gh” Picture courtesy : [Smith et al. Oakland’08] Combining DFAs: Multiplicative increase in number of states

12 Liu Yang Why not DFA? (cont.) 12 Pattern: “.*1[0|1] {3} ” NFA DFA State explosion n  O(2^n) State explosion may happen The value of quantifier n is up to 255 in Snort

13 Liu Yang Pattern Set Grows Fast 13 Snort rule set grows 7x in 8 years

14 Liu Yang Space-efficiency of NFAs 14 M N “.*ab.*cd”“.*ef.*gh”“.*ab.*cd |.*ef.*gh” Combining NFAs: Additive increase in number of states

15 Liu Yang NFAs are Slow NFA frontiers 1 may contain multiple states Frontier update may require multiple transition table lookups 15 1. A frontier set is a set of states where NFA can be at any instant.

16 Liu Yang NFAs of Regular Expressions Current state (x)Input symbol (i)Next state (y) 1a1 1a2 2a3 Example: regex=“a*aa” Transition table T(x,i,y) 12 3 a a a 16

17 Liu Yang NFA Frontier Update: Multiple Lookups regex=“a*aa”; input=“aaaa” 1 2 3 aaaa {1}{1,2}{1,2,3} Accept Frontier 17

18 Liu Yang Can We Make NFAs Faster? 1 2 3 aaaa {1}{1,2}{1,2,3} Accept Frontier Idea: Update frontiers in ONE step regex=“a*aa”; input=“aaaa” 18

19 Liu Yang NFA-OBDD: Main Idea Represent and operate NFA frontiers symbolically using Boolean functions –Update the frontiers in ONE step: using a single Boolean formula –Use ordered binary decision diagrams (OBDDs) to represent and operate Boolean formula 19

20 Liu Yang Transitions as Boolean Functions 20 regex=“a*aa” Current state (x)Input symbol (i)Next state (y) 1a1 1a2 2a3 T(x,i,y) = (1 Λ a Λ 1) V (1 Λ a Λ 2) V (2 Λ a Λ 3)

21 Liu Yang Match Test using Boolean Functions 21 {1} Λ a Λ T(x,i,y) (1ΛaΛ 1 ) V (1ΛaΛ 2 ) {1,2} Λ a Λ T(x,i,y) (1ΛaΛ 1) V (1ΛaΛ 2) V (2ΛaΛ 3) {1,2,3} Λ a Λ T(x,i,y) (1ΛaΛ 1) V (1ΛaΛ 2) V (2ΛaΛ 3) Input symbol Start states Transition relation Next states Current states Accept aaaa …

22 Liu Yang NFA Operations using Boolean Functions Frontier derivation: finding new frontiers after processing one input symbol: Next frontiers = Checking acceptance: 22

23 Liu Yang Ordered Binary Decision Diagram (OBDD) [Bryant 1986] 23 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 F(x) 0110111 0111001 1011101 OBDDs: Compact representation of Boolean functions

24 Liu Yang Experimental Toolchain 24 C++ and CUDD package for OBDDs

25 Liu Yang Regular Expression Sets Snort HTTP signature set –1503 regular expressions from March 2007 –2612 regular expressions from October 2009 Snort FTP signature set –98 regular expressions from October 2009 Extracted regular expressions from pcre and uricontent fields of signatures 25

26 Liu Yang Traffic Traces HTTP traces –Rutgers datasets 33 traces, size ranges: 5.1MB –1.24 GB One week period in Aug 2009 from Web server of the CS department at Rutgers –DARPA 1999 datasets (11.7GB) FTP traces –2 FTP traces –Size: 19.4MB, 24.7 MB –Two weeks period in March 2010 from FTP server of the CS department at Rutgers 26

27 Liu Yang Experimental Results For 1503 regexes from HTTP Signatures 27 *Intel Core2 Duo E7500, 2.93GHz; Linux-2.6; 2GB RAM* 1645x 9-26x 10x

28 Liu Yang Summary NFA-OBDD is time and space efficient –Outperforms NFAs by three orders of magnitude, retaining space efficiency of NFAs –Outperforms or competitive with the PCRE package –Competitive with variants of DFAs but drastically less memory-intensive 28

29 Liu Yang Part II: Extension of NFA-OBDD to Model Submatch Extraction [ANCS’12] 29 Joint work with P. Manadhata, W. Horne, P. Rao, and V. Ganapathy

30 Liu Yang Submatch Extraction 30 … “.*? address (\d+\.\d+\.\d+\.\d+), resolved by (\d+\.\d+\.\d+\.\d+)” … host address 128.6.60.45 resolved by 128.6.1.1 Submatch extraction $1 = 128.6.60.45 $2 = 128.6.1.1 Extract information of interest when finding a match

31 Liu Yang Submatch Tagging: Tagged NFAs E = (a*)aa Current state (x)Input symbol (i)Next state (y)Output tags (t) 1a1{t 1 } 1a2{} 2a3 Tagged NFA of “(a*)aa” with submatch tagging t 1 Transition table T(x,i,y,t) of the tagged NFA Tag(E) = (a*) t aa 1 12 3 a a a/t 1 31

32 Liu Yang Match Test RE=“(a*)aa”; Input = “aaaa” 1 2 3 aaaa {1}{1,2}{1,2,3} {t 1 } Accept Frontier 32

33 Liu Yang Submatch Extraction 1 2 3 aaaa {t 1 } accept {1}{1,2}{1,2,3} Frontier Any path from an accept state to a start state generates a valid assignment of submatches. $1=aa 33

34 Liu Yang Submatch-OBDD Representing tagged NFAs using Boolean functions –Updating frontiers using Boolean formula –Finding a submatch path using Boolean operations Using OBDDs to manipulate Boolean functions 34

35 Liu Yang Boolean Representation of Submatch Extraction Submatch extraction: the last consecutive sequence of symbols that are assigned with same tags A back traversal approach: starting from the last input symbol. 35

36 Liu Yang Overview of Toolchain 36 regexes with capturing groups re2tnfa pattern matching Tagged NFAs input stream rejected tnfa2obdd OBDDs matched submatches $1 = … Toolchain in C++, interfacing with the CUDD*

37 Liu Yang Experimental Datasets Snort-2009 –Patterns: 115 regexes with capturing groups from HTTP rules –Traces: 1.2GB CS department network traffic; 1.3GB Twitter traffic; 1MB synthetic trace Snort-2012 –Patterns: 403 regexes with capturing groups from HTTP rules –Traces: 1.2GB CS department network traffic; 1.3GB Twitter traffic; 1MB synthetic trace Firewall-504 –Patterns: 504 patterns from a commercial firewall F –Trace: 87MB of firewall logs (average line size 87 bytes) 37

38 Liu Yang Experimental Setup Platform: Intel Core2 Duo E7500, Linux-2.6.3, 2GB RAM Two configurations on pattern matching –Conf.S patterns compiled individually compiled pattern matched sequentially against input traces –Conf.C patterns combined with UNION and compiled combined pattern matched against input traces 38

39 Liu Yang Experimental Results: Snort-2009 39 Execution time (cycle/byte) of different implementations execution time (cycle/byte) Memory consumption: RE2 (7.3MB), PCRE (1.2MB), Submatch-OBDD (9.4MB) Submatch-OBDD is one order of magnitude faster than RE2 and PCRE 10x

40 Liu Yang Summary Submatch-OBDD: an extension of NFA-OBDD to model submatch extraction Feasibility study –Submatch-OBDD is one order of magnitude faster than PCRE and Google’s RE2 when patterns are combined 40

41 Liu Yang PART III: Efficient Matching of Patterns with Back References 41 Joint work with V. Ganapathy and P. Manadhata

42 Liu Yang Regexes Extended with Back References Identifying repeated substrings within a string Non-regular languages 42 (sens|respons)e \1ibility sense sensibility response responsibility Note: \1 denotes referencing the substring captured by the first capturing group Example: An example from Snort rule set: /.*javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}/sim sense responsibility response sensibility

43 Liu Yang Existing Approach Recursive backtracking (PCRE, etc.) –Fast in general –Can be extremely slow for certain patterns (algorithmic complexity attacks) 43 PCRE fails to return correct results when n >= 25 Throughput of PCRE when matching (a?{n})a{n}\1 with “a n ” Throughput (MB/sec) n Nearly zero throughput

44 Liu Yang My Approach: Relax + Constraint Converting back-refs to conditional submatch extraction 44 (a*)aa\1(a*)aa(a*), s.t. $1=$2 $1 denotes a substring captured by the 1 st capturing group, and $2 denotes a substring captured by the 2 nd capturing group Example: constraint

45 Liu Yang Representing Back-refs with Tagged NFAs Example: (a*)aa(a*), s.t. $1=$2 45 a/t 1 1 23 a a a/t 2 The tagged NFA constructed from (a*)aa(a*). Labels t 1 and t 2 are used to tag transitions within the 1 st and 2 nd capturing groups. The acceptance condition is state 3 and $1 = $2.

46 Liu Yang Transitions of Tagged NFAs 46 Current state (x)Input symbol (i)Next state (y)Action 1a1 New(t 1 ) or update(t 1 ) 1a2 Carry-over(t 1 ) 2a3 3a3 New(t 2 ) or Update(t 2 ) Example (cont.): New(): create a new captured substring Update(): update a captured substring Carry-over(): copy around the substrings captured from state to state

47 Liu Yang Match Test Frontier set –{(state#, substr 1, substr 2, …)} Frontier derivation –table lookup + action Acceptance condition – exist (s, substr 1, substr 2, …), s.t. s is an accept state and substr 1 =substr 2 47

48 Liu Yang Implementations 48 re2tnfa match test patterns with back-refs tagged NFAs input stream matched or not Two implementations –NFA-backref: an NFA-like C++ implementation –OBDD-backref: OBDD representation of NFA-backref with constraint

49 Liu Yang Experimental Datasets Patho-01 –regexes: (a?{n})a{n}\1 –input strings: a n (n from 5 to 30, 100% accept rate) Patho-02 –10 pathological regexes from Snort-2009 –synthetic input strings (0% accept rate) Benign-03 –46 regexes with one back-ref from Snort-2012 –Synthetic input strings (50% accept rate) 49

50 Liu Yang Experimental Results: Patho-02 50 Execution time (cycle/byte) of different implementations for 10 regexes revised from Snort-2009 regex # NFA-back-ref is >= 3 orders of magnitude faster than PCRE *Intel Core2 Duo E7500, 2.93GHz; Linux-2.6; 2GB RAM*

51 Liu Yang Experimental Results: Benign-03 51 Execution time (cycle/byte) of different implementations for sequentially matching the 46 regexes from Snort 2012 with back references. PCRE is 10x faster than NFA-backref for benign traces, but 1000x slower than NFA-backref for pathological traces (a) benign trace(b) pathological trace

52 Liu Yang Summary NFA-backref: an efficient pattern matching algorithm for back references NFA-backref: resisting known algorithmic complexity attacks (1000x faster than PCRE) PCRE: 10x faster than NFA-backref for benign patterns 52

53 Liu Yang Related Work Multiple DFAs [Yu et al., ANCS’06] XFAs [Smith et al., Oakland’08, SIGCOMM’08] D 2 FA [Kumar et al., SIGCOMM’06] Hybrid finite automata [Becchi et al., ANCS’08] Multibyte speculative matching [Luchaup et al., RAID’09] DFA-based Submatch extraction [Horne et al., LATA’13] RE2 [Cox, code.google.com/p/re2] TNFA [Laurikari et al., SPIRE’00] PCRE [www.pcre.org] Many more – see my papers for details 53

54 Liu Yang Conclusion New algorithms for time and space-efficient pattern matching –NFA-OBDD: a time and space efficient data structure for regular expressions 1000x faster than NFAs –Submatch-OBDD: an extension of NFA-OBDD to model submatch extraction 10x faster than RE2 and PCRE for combined patterns –NFA-backref: an NFA-based algorithm for patterns with back references 1000x faster than PCRE for certain patterns 10x slower than PCRE for benign patterns 54

55 Liu Yang Acknowledgment Advisor: Prof. Vinod Ganapathy Research directors: Prof. Vinod Ganapathy, Prof. Liviu Iftode Thesis Committee: Prof. Vinod Ganapathy, Prof. Liviu Iftode, Prof. Badri Nath, and Dr. Abhinav Srivastava Co-authors: Vinod Ganapathy, Liviu Iftode, Randy Smith, Rezwana Karim, Pratyusa Manadhata, William Horne, Prasad Rao, Nader Boushehrinejadmoradi, Pallab Roy, Markus Jakobsson, … Colleagues: Mohan Dhawan, Shakeel Butt, Lu Han, Amruta Gokhale, Rezwana Karim, and Nader Boushehrinejadmoradi My wife: Weiwei Tang 55

56 Liu Yang Future Directions Hardware Implementation –NFA-OBDD –Submatch-OBDD –NFA-Backref Parallel pattern matching –Multithreading using GPUs –Multithreading using multi-core processors –Speculative NFA-based pattern matching 56

57 Liu Yang Other Contributions Enhancing Users’ Comprehension of Android Permissions [ SPSM’12 ] Enhancing Mobile Malware Detection with Social Collaboration [ Socialcom’12 ] Quantifying Security in Preference-based Authentication [ DIM’08 ] Love and Authentication [ CHI’08 ] Discount Anonymous On-demand Routing for Mobile Ad hoc Networks [ SecureComm’06 ] 57

Download ppt "Liu Yang New Pattern Matching Algorithms for Network Security Applications Liu Yang Department of Computer Science Rutgers University April 4th, 2013."

Similar presentations

Deep Packet Inspection: Where are We? CCW08 Michela Becchi.

Deep Packet Inspection: Where are We? CCW08 Michela Becchi.
Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.

Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.
Fast Submatch Extraction using OBDDs Liu Yang 1, Pratyusa Manadhata 2, William Horne 2, Prasad Rao 2, Vinod Ganapathy 1 Rutgers University 1 HP Laboratories.

Fast Submatch Extraction using OBDDs Liu Yang 1, Pratyusa Manadhata 2, William Horne 2, Prasad Rao 2, Vinod Ganapathy 1 Rutgers University 1 HP Laboratories.
4b Lexical analysis Finite Automata

4b Lexical analysis Finite Automata
1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.
Compiler Construction

Compiler Construction
XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.

XFA : Faster Signature Matching With Extended Automata Author: Randy Smith, Cristian Estan and Somesh Jha Publisher: IEEE Symposium on Security and Privacy.
Applied Computer Science II Chapter 1 : Regular Languages Prof. Dr. Luc De Raedt Institut für Informatik Albert-Ludwigs Universität Freiburg Germany.

Applied Computer Science II Chapter 1 : Regular Languages Prof. Dr. Luc De Raedt Institut für Informatik Albert-Ludwigs Universität Freiburg Germany.
Introduction to Computability Theory

Introduction to Computability Theory
Lexical Analysis III Recognizing Tokens Lecture 4 CS 4318/5331 Apan Qasem Texas State University Spring 2015.

Lexical Analysis III Recognizing Tokens Lecture 4 CS 4318/5331 Apan Qasem Texas State University Spring 2015.
Courtesy Costas Busch - RPI1 Non Deterministic Automata.

Courtesy Costas Busch - RPI1 Non Deterministic Automata.
A hybrid finite automaton for practical deep packet inspection Department of Computer Science and Information Engineering National Cheng Kung University,

A hybrid finite automaton for practical deep packet inspection Department of Computer Science and Information Engineering National Cheng Kung University,
Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.
Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.

Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.
Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.

Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.
1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.

1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.
1.Defs. a)Finite Automaton: A Finite Automaton ( FA ) has finite set of ‘states’ ( Q={q 0, q 1, q 2, ….. ) and its ‘control’ moves from state to state.

1.Defs. a)Finite Automaton: A Finite Automaton ( FA ) has finite set of ‘states’ ( Q={q 0, q 1, q 2, ….. ) and its ‘control’ moves from state to state.
Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs.

Improving Signature Matching using Binary Decision Diagrams Liu Yang, Rezwana Karim, Vinod Ganapathy Rutgers University Randy Smith Sandia National Labs.
Lexical Analysis — Part II: Constructing a Scanner from Regular Expressions Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved.

Lexical Analysis — Part II: Constructing a Scanner from Regular Expressions Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved.
A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan, Timothy Sherwood Appeared in ISCA 2005 Presented by: Sailesh.

A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan, Timothy Sherwood Appeared in ISCA 2005 Presented by: Sailesh.

Similar presentations

Ads by Google