A Di Pietro

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems

Modern network devices need to perform deep packet inspection at high speed for security and application-specific services. Instead of standard strings to represent the dataset to be matched, state-of-the-art systems adopt regular expressions, due to their high expressive power. The current trend is to use Deterministic Finite Automata (DFAs) to match regular expressions. However, while the problem of the large memory consumption of DFAs has been solved in many different ways, only a few works have focused on increasing the lookup speed. This paper introduces a novel yet simple idea to accelerate DFAs for security applications: payload sampling. Our approach allows to skip a large portion of the text, thus processing less bytes. The price to pay is a slight number of false alarms which require a confirmation stage. Therefore, we propose a double-stage matching scheme providing two new different automata. Results show a significant speed-up in regular traffic processing, thus confirming the effectiveness of the approach.

Design of a High Performance Traffic Generator on Network Processor

Evaluating the performance of high-speed networks is a critical task due to the lack of reliable tools to generate traffic workloads at high rates. The current open-source software tools are not suitable to deal with high-speed networks as they present poor performance in terms of generated frames per second and scarce timing/rate accuracy in traffic generation. These issues are due to the intrinsic limitations of the PC architecture, for which these tools are designed. This paper proposes a different approach based on the Intel Network Processor IXP2400. The design aims to maintain the high flexibility of PC solutions while outperforming them in terms of throughput and packet rate. This is obtained by combining a general-purpose PC with the processing units of a network processor.

Crosstalk: A Scalable Cross-Protocol Monitoring System for Anomaly Detection

Monitoring is crucial both to the correct operation of a network and to the services that run on it. Operators perform monitoring for various purposes, including traffic engineering, quality of service, security and detection of faults and mis-configurations. However, the relentless growth of IP traffic volume renders real-time monitoring and analysis of data a very challenging problem. In this paper we introduce Crosstalk, a scalable and efficient distributed monitoring architecture that uses cross-protocol correlation to detect network anomalies. While applicable to a wide range of applications such as botnet detection, spam mitigation and mis-configurations, we pick a point in this application space, concentrating on VoIP attacks. We present extensive simulation results based both on generated calls and on millions of Call Data Records (CDRs) from a large VoIP operator to show our approachs performance and effectiveness.

A Randomized Scheme for IP Lookup at Wire Speed on NetFPGA

Because of the rapid growth of both traffic and links capacity, the time budget to perform IP address lookup on a packet continues to decrease and lookup tables of routers unceasingly grow. Therefore, new lookup algorithms and new hardware platform are required to perform fast IP lookup. This paper presents a new scheme on top of the NetFPGA board which takes advantage of parallel queries made on perfect hash functions. Such functions are built by using a very compact and fast data structure called Blooming Trees, thus allowing the vast majority of memory accesses to involve small and fast on-chip memories only.

PingPair: A Lightweight Tool for Measurement Noise Free Path Capacity Estimation

The paper presents PingPair, a novel tool for end-to-end path capacity estimation. The tool is based on the classical packet dispersion technique, enhanced by a novel algorithm for the selection of the best measurement samples based on queueing delay estimation. In addition, PingPair takes into account the measurement noise that afflicts the interarrival times registered by a user level application; we experimentally observe the Gaussian nature of such a noise. Since PingPair relies on one- point measurements only, it can be deployed in almost all network scenarios, thus providing maximum flexibility. The performance of the tool has been assessed through both NS2 simulations and extensive experimental campaigns, including Internet as well as field trial measurements. The results are compared to those achieved by Capprobe, which is one of the most effective out of the many available one-point measurement-based capacity estimation tools. Despite the very low amount of probing traffic generated, PingPair outperforms Capprobe in most scenarios, yielding more precise capacity estimates; therefore, it proves to be a very fast and unintrusive way to measure the capacity of a network path.

Noise Reduction Techniques for Network Topology Discovery

Topology discovery techniques based on a network tomography approach can be successfully adopted in almost all scenarios, in that they infer the internal characteristics of a network without any cooperation from the internal nodes. Out of the many tomographic topology discovery techniques proposed in the literature, those based on the use of packet sandwich probes (a special kind of packet trains) present some particularly attractive features. The rationale of such approaches is to take advantage of end-to-end measurements to infer the logical topology of the network through hierarchical clustering algorithms. Typically, due to the interference with cross traffic, such measurements are affected by a zero-mean noise which, in turn, may cause the wrong reconstruction of the network topology. This paper analyzes the causes of certain noise patterns (which have actually been observed during experiments) and proposes a noise reduction algorithm to sort out this issue. Such an algorithm does not rely on any assumption about the statistical model of the cross-traffic noise and its effectiveness has been tested through a campaign of ns2 simulations.

Faster DFAs through Simple and Efficient Inverse Homomorphisms

Performing Deep Packet Inspection at high speed is a fundamental task for network security and application- specific services. In state-of-the-art systems, sets of signatures to be searched are described by regular expressions, and finite automata (FAs) are employed for the search. In particular, deterministic FAs (DFAs) need a large amount of memory to represent current sets, therefore the target of many recent works has been the reduction of memory footprint of DFAs. This paper, instead, focuses on speed multiplication by enlarg- ing the amount of bytes observed in the text (i.e., searching for k-bytes per state-traversal). For this purpose, an interesting yet simple inverse homomorphism is employed to reduce the amount of transitions in the modified DFA. The algorithm results to be remarkably faster than standard DFAs, and provides also a good compression scheme that is orthogonal to other schemes.

Merging Spanning Trees in Tomographic Network Topology Discovery

Tomographic techniques allow the reconstruction of network topologies with no need for cooperation from internal routers. However, most of such mechanisms adopt a method of node clustering producing trees that reveal only a partial structure of the network. Therefore, we have proposed a novel approach to topology discovery based on packet sandwich probes and decision theory allowing to retrieve a complete picture of the network, which includes the detection of all the internal nodes along with the values of capacities of the interconnecting links. Such an approach, as well as all the standard techniques of topology discovery, reconstructs the spanning tree of the probe sender only. Hence, in this paper a specific technique is presented for merging the spanning trees associated to all different roots, in order to provide a complete representation of the network. Such a method does not require further probing traffic and is specifically designed to merge topology reconstructions where all the nodes of the network (not only the branching nodes) are revealed, along with link capacities. Our algorithm performs quite well on a wide set of both synthetic and realistic topologies, and in many cases provides a picture of the network which is exactly equivalent to the original one.

Network Topology Discovery Based on a Finite Set of Hypotheses

Tomographic techniques allow for the reconstruction of network topologies with no need for cooperation from internal routers. Traditional tomographic techniques infer the internal network layout by clustering nodes into tree structures that, in many cases, reveal only a partial graph structure of the network. This paper proposes a novel approach to network topology discovery by means of packet sandwich probes; the underlying theoretical basis relies on the application of Decision Theory to a finite set of possible topological hypotheses. The decision process is however disturbed by the interaction of probes with regular cross traffic, which results in a background noise that afflicts the measurements. To cope with this phenomenon, a model-free noise reduction technique is also used. The algorithms presented in the paper are validated through extensive simulations in several network scenarios. The results show that such a methodology allows to retrieve a complete picture of the network that includes the detection of all the internal nodes along with the values of capacities of the interconnecting links.