Efficient fingerprint extraction for high performance Intrusion Detection System

The Deep Packet Inspection (DPI) module in Intrusion Detection Systems (IDSes) consists of two components: a pre-filter and Rule Verification (RV). The pre-filter uses a Multi-Pattern Matching (MPM) engine to discard the vast majority of benign packets and passes the few suspicious packets, including false positives, to the RV component. These false positives stem from the way the pre-filter scans: it inspects the traffic in a single pass against a set of fingerprints, which are extracted from the given ruleset by selecting only a small portion of the patterns in each signature. The RV component checks the suspicious packets precisely and eliminates these false positives. The performance of the DPI module therefore depends on the extracted fingerprint set. An efficient fingerprint set should improve pre-filter throughput and, at the same time, reduce the number of checks performed by the RV component. We show in this paper that the existing fingerprint extraction strategies cannot satisfy both requirements simultaneously. Pre-filter performance benefits greatly from a smaller fingerprint set, because the MPM engine becomes more compact, but the RV component then suffers from the higher false-positive rate that a smaller fingerprint set causes. In this work we trade off these two requirements optimally with a new extraction method. By analysing a small amount of training traffic in an initial phase, our strategy assigns each fingerprint candidate an empirical weight that guides the subsequent extraction. Experimental results obtained by integrating our proposed method into the Snort IDS show that our strategy improves the IDS average throughput by at least 69% over the latest real ruleset and real traffic.
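The two-stage pipeline and the trade-off the abstract describes can be made concrete with a small simulation. The following is an added example, not code from the paper or from Snort: it models rules as sets of byte patterns that must all occur in a payload, a pre-filter that flags a rule only when all of that rule's selected fingerprints are present (an assumed AND semantics), and an RV stage that checks the full signature. The weighting scheme is also an assumption chosen for illustration (a candidate's weight is the number of benign training payloads containing it; the paper's exact weight function is not stated here). The ruleset, training traffic and test traffic are constructed. Comparing "longest pattern" extraction with one and two fingerprints per rule against weighted extraction with one fingerprint per rule shows the pattern-set size against the RV workload and false-positive count.

```python
"""Toy two-stage DPI: MPM pre-filter over extracted fingerprints, then rule
verification (RV).  Added illustration; not the paper's or Snort's code."""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Rules = Dict[str, List[bytes]]
Fingerprints = Dict[str, Tuple[bytes, ...]]

# Constructed toy ruleset (not Snort syntax): a rule matches only when every
# listed pattern occurs in the payload; ordering constraints are ignored.
RULES: Rules = {
    "r1": [b"GET ", b"/admin", b"../"],
    "r2": [b"POST ", b"cmd=", b"/bin/sh"],
    "r3": [b"User-Agent: ", b"scanner"],
}

# Constructed benign training payloads, used only to weight the candidates.
TRAINING: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nUser-Agent: browser\r\n\r\n",
    b"GET /admin/login.html HTTP/1.1\r\nUser-Agent: browser\r\n\r\n",
    b"POST /login HTTP/1.1\r\nUser-Agent: browser\r\n\r\nuser=a&pass=b",
    b"GET /static/app.js HTTP/1.1\r\nUser-Agent: browser\r\n\r\n",
]

# Constructed test traffic: four benign payloads and two that match rules.
TRAFFIC: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nUser-Agent: browser\r\n\r\n",
    b"GET /admin/stats HTTP/1.1\r\nUser-Agent: browser\r\n\r\n",
    b"GET /admin/../../etc/passwd HTTP/1.1\r\nUser-Agent: browser\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nUser-Agent: browser\r\n\r\nfile=a.txt",
    b"POST /cgi HTTP/1.1\r\nUser-Agent: scanner/1.0\r\n\r\ncmd=/bin/sh",
    b"GET /static/x.js HTTP/1.1\r\nUser-Agent: browser\r\n\r\n",
]


def candidate_weights(rules: Rules, training: List[bytes]) -> Counter:
    """Assumed weighting: how many training payloads contain each pattern.
    A high weight means the pattern is common in benign traffic."""
    weights: Counter = Counter()
    for patterns in rules.values():
        for pat in patterns:
            weights[pat] = sum(1 for payload in training if pat in payload)
    return weights


def extract(rules: Rules, k: int, rank: Callable[[bytes], tuple]) -> Fingerprints:
    """Select the k best-ranked patterns of every rule as its fingerprints."""
    return {rid: tuple(sorted(pats, key=rank)[:k]) for rid, pats in rules.items()}


def rank_longest(pat: bytes) -> tuple:
    """Classic heuristic: prefer the longest pattern of a signature."""
    return (-len(pat),)


def make_rank_weighted(weights: Counter) -> Callable[[bytes], tuple]:
    """Prefer the pattern rarest in benign training traffic; tie-break by length."""
    return lambda pat: (weights[pat], -len(pat))


def prefilter(fps: Fingerprints, payload: bytes) -> List[str]:
    """Single pass over the pattern set; a rule is suspicious only when all of
    its fingerprints are present.  A production engine would use Aho-Corasick
    or Wu-Manber here; plain substring search keeps the toy readable."""
    pattern_set = {p for fp in fps.values() for p in fp}
    present = {p for p in pattern_set if p in payload}
    return [rid for rid, fp in fps.items() if set(fp) <= present]


def verify(rules: Rules, rid: str, payload: bytes) -> bool:
    """RV stage: check the complete signature, not just the fingerprints."""
    return all(p in payload for p in rules[rid])


def run(rules: Rules, fps: Fingerprints, traffic: List[bytes]) -> Dict[str, int]:
    """Pattern-set size (MPM compactness) and RV workload for one extraction."""
    stats = {"patterns": len({p for fp in fps.values() for p in fp}),
             "rv_checks": 0, "false_positives": 0, "alerts": 0}
    for payload in traffic:
        for rid in prefilter(fps, payload):
            stats["rv_checks"] += 1
            if verify(rules, rid, payload):
                stats["alerts"] += 1
            else:
                stats["false_positives"] += 1
    return stats


if __name__ == "__main__":
    w = candidate_weights(RULES, TRAINING)
    for label, fps in [
        ("longest, k=1", extract(RULES, 1, rank_longest)),
        ("longest, k=2", extract(RULES, 2, rank_longest)),
        ("weighted, k=1", extract(RULES, 1, make_rank_weighted(w))),
    ]:
        print(f"{label:14s} {run(RULES, fps, TRAFFIC)}")
```

On this constructed input the longest-pattern heuristic with one fingerprint per rule keeps the pattern set small (3 patterns) but picks `User-Agent: ` for rule r3, so almost every HTTP payload reaches RV (9 checks, 6 false positives). Taking two fingerprints per rule cuts the false positives to 1 but doubles the pattern set to 6. The weighted selection, which prefers candidates that never occurred in the benign training traffic, keeps the 3-pattern set and sends only the 3 true matches to RV. Weights learned from one site's traffic reflect that site's protocol mix, so the training sample should be representative of the deployment before the extracted fingerprints are trusted.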
