
Publication


Featured research published by Chia-Nan Kao.


ACM Transactions in Embedded Computing Systems | 2004

A fast string-matching algorithm for network processor-based intrusion detection system

Rong-Tai Liu; Nen-Fu Huang; Chih-Hao Chen; Chia-Nan Kao

Network intrusion detection systems (NIDSs) are one of the latest developments in security. The matching of packet strings against collected signatures dominates signature-based NIDS performance. Network processors are also one of the fastest growing segments of the semiconductor market, because they are designed to provide scalable and flexible solutions that can accommodate change quickly and economically. This work presents a fast string-matching algorithm (called FNP) over the network processor platform that conducts matching sets of patterns in parallel. This design also supports numerous practical features such as case-sensitive string matching, signature prioritization, and multiple-content signatures. This efficient multiple-pattern matching algorithm utilizes the hardware facilities provided by typical network processors instead of employing the external lookup co-processors. To verify the efficiency and practicability of the proposed algorithm, it was implemented on the Vitesse IQ2000 network processor platform. The searching patterns used in the present experiments are derived from the well-known Snort ruleset cited by most open-source and commercial NIDSs. This work shows that combining our string-matching methodology, hashing engine supported by most network processors, and characteristics of current Snort signatures frequently improves performance and reduces number of memory accesses compared to conventional string-matching algorithms. Another contribution of this work is to highlight that, besides total number of searching patterns, shortest pattern length is also a major influence on NIDS multipattern matching algorithm performance.


advanced information networking and applications | 2005

Apply data mining to defense-in-depth network security system

Nen-Fu Huang; Chia-Nan Kao; Hsien-Wei Hun; Gin-Yuan Jai; Chia-Lin Lin

This paper proposes a defense-in-depth network security architecture and applies data mining technologies to analyze the alerts collected from distributed intrusion detection and prevention systems (IDS/IPS). The proposed defense-in-depth architecture consists of a global policy server (GPS) to manage the scattered intrusion detection and prevention systems, each of which is managed by a local policy server (LPS). The key component of the GPS is the security information management (SIM) module, where data mining technology is employed to analyze the events (alerts) collected from the LPSs. Once a DDoS attack is recognized by the SIM module, the GPS informs the LPS (IDS/IPS) to adjust the thresholds immediately to block the attack from the sources. To evaluate the effectiveness of the proposed defense-in-depth architecture, a prototype is implemented, where three different data mining tools are employed. Experiment results demonstrate that for detecting DDoS attacks, the proposed data mining-based defense-in-depth architecture performs very well on attack detection rate and false alarm rate.


international symposium on computers and communications | 2005

FTSE: the FNIP-like TCAM searching engine

Rong-Tai Liu; Chia-Nan Kao; Hung-Shen Wu; Ming-Chang Shih; Nen-Fu Huang

As the Internet grows at a very rapid pace, so does the incidence of attack events and documented unlawful intrusions. The network intrusion detection systems (NIDSes) are designed to identify attacks against networks or a host that are invisible to firewalls, thus providing an additional layer of security. NIDSes detect and filter the malicious packets by inspecting packet payloads to find worm signatures. The payload inspection operation dominates the throughput of an NIDS since every byte of packet payload needs to be examined. At network speeds of 1 Gbps or above, it can be difficult to keep up with intrusion detection in software, and hardware systems or software with hardware assist are normally required. This paper presents FTSE, a ternary content addressable memory (TCAM) based pattern matching engine. In this paper we show how FTSE can be used effectively to perform string matching for thousands of strings at multiple-Gigabit speed. We also describe how FTSE can be implemented feasibly with an FPGA/ASIC, a 2.25 Mb TCAM, and a small SSRAM. Our analysis shows that this approach for string matching is very effective and the throughput of our design can achieve up to 8 Gbps for 2,085 snort rules.


global communications conference | 2005

A pattern matching coprocessor for deep and large signature set in network security system

Chih-Chiang Wu; Sung-Hua Wen; Nen-Fu Huang; Chia-Nan Kao

As the network is growing fast and viruses are spreading around the network more frequently, the network intrusion prevention system (NIPS) is becoming more and more important. Traditionally, intrusion prevention is done by a pure software solution on a high-performance CPU. However, this method is out of date now that gigabit networks are booming and high throughput is required. In recent years, programmable hardware solutions have been proposed, but they cannot deal with deep and large amounts of pattern matching and lack flexibility as the number of signatures grows. In this paper, we propose a novel pattern-matching coprocessor that overcomes the difficulties in TCAM implementation when pattern length is deep and the signature set is large. Since patterns are all stored in TCAM, it is a scalable and flexible system.


international performance, computing, and communications conference | 2004

A fast pattern matching algorithm for network processor-based intrusion detection system

Rong-Tai Liu; Nen-Fu Huang; Chia-Nan Kao; Chih-Hao Chen

Network intrusion detection systems (NIDS) monitor packets on the network and attempt to discover if a hacker is attempting to break into a system. The matching of packet strings against collected signatures dominates signature-based NIDS performance. Network processors are one of the fastest growing segments of the semiconductor market, because they are designed to provide scalable and flexible solutions that can accommodate change quickly and economically. This work presents a fast string matching algorithm (called FNP) over the network processor platform that conducts matching sets of patterns in parallel. FNP needs fewer memory accesses than conventional pattern-matching algorithms. Another contribution of this work is to highlight that, besides total number of searching patterns, shortest pattern length is also a major influence on NIDS multi-pattern matching algorithm performance.


international conference on information networking | 2004

A Network Processor-Based Fault-Tolerance Architecture for Critical Network Equipments

Nen-Fu Huang; Ying-Tsuen Chen; Yi-Chung Chen; Chia-Nan Kao; Joe Chiou

Businesses and individuals often suffer a significant amount of damage as a result of network failures, which is why a network fault-tolerance mechanism is important for network design and management. The most common failures happen to network equipment. Moreover, network equipment located at the entrance of a network plays an important role in the availability and reliability of the internal network. Therefore, we design and implement a fault-tolerant system especially for the network equipment located at the entrance of a network. In the situation where no redundant device exists, the fault-tolerant system can bypass the forwarding path so that network connections survive. We adopt the Intel IXDP1200 Network Processor as the development platform to implement the proposed system.


international conference on wireless communications and mobile computing | 2011

A novel software-based MD5 checksum lookup scheme for anti-virus systems

Nen-Fu Huang; Chia-Nan Kao; Rong-Tai Liu

In recent years, the size of virus signature databases has been growing rapidly, leading to a corresponding reduction in the performance of anti-virus (AV) software. In general, virus signature databases comprise string-based and hash-based (e.g., MD5) signatures. Currently the majority of signatures are hash-based, and cloud-based AV systems rely on them as the local cache to reduce the network loading. In this paper, we provide a novel scheme for looking up MD5 checksums to improve virus scanning performance involving hash-based signatures. The authors treat the range hash in which characters occur as a filter to avoid unnecessary lookups and keep the range of the exact search range to a minimum. The scheme is 135 times faster than ClamAV's in clean/general cases and only required 4 MB of memory for hash-based filtering. This scheme could easily be extended to other hash-based applications.


intelligent information hiding and multimedia signal processing | 2015

Automatic NIDS Rule Generating System for Detecting HTTP-like Malware Communication

Chia-Nan Kao; Yung-Cheng Chang; Nen-Fu Huang; I-Ju Liao; Rong-Tai Liu; Hsien-Wei Hung; Che-Wei Lin

HTTP is the main protocol of the Internet and many network applications rely on it. Malware also utilizes it as a covert channel through which to evade the firewall (FW) or network intrusion detection system (NIDS). We refer to malware that employs HTTP to communicate as an HTTP-like Botnet. Some parts of the network traffic of an HTTP-like Botnet are different from normal HTTP applications. Based on the differences between HTTP-like Botnet traffic and normal HTTP applications, we developed an Automatic NIDS Rule Generating System (ARGS). The ARGS is a proof of concept (POC), which generates the corresponding NIDS rules efficiently and precisely from the input malign traffic (MT). ARGS is an incremental method to generate and optimize the rules. It can generate rules quickly and precisely without first requiring the collection of many malware samples for clustering. For practical purposes, we adopt Snort as our IDS engine in ARGS. In our experiments, the time required by ARGS to process MTs and generate corresponding rules is significantly shorter than the existing solution when rule optimization is not required. Besides, the generated rule set can detect 30% more malware traffic compared to the SourceFire IDS full set and thus can efficiently stop the spreading of malware in time.


ieee international conference on communication software and networks | 2015

An OpenFlow-based collaborative intrusion prevention system for cloud networking

Nen-Fu Huang; Chuang Wang; I-Ju Liao; Che-Wei Lin; Chia-Nan Kao

Software-Defined Networking (SDN) is an emerging architecture that is ideal for today's high-bandwidth, dynamic network environments. In this architecture, the control and data planes are decoupled from each other. Although much research has been performed into how SDN can resolve some of the most glaring security issues of traditional networking, less research has addressed cloud security threats, and, in particular, botnet/malware detection and in-cloud attacks. This work proposes an intrusion prevention system for cloud networking with SDN solutions. To realize collaborative defense, mechanisms of botnet/malware blocking, scan filtering and honeypot are implemented. Malicious traffic is isolated because bot-infected VMs are removed effectively and efficiently from the private cloud. The scanning behavior can be filtered at a very early stage of prevention, making the VMs less exploitable. A honeypot mechanism is also deployed to trap attackers. Experimental results show the high detection rate, high prevention accuracy and low vulnerability of the proposed system.


communications and networking symposium | 2015

A predictive zero-day network defense using long-term port-scan recording

Chia-Nan Kao; Yung-Cheng Chang; Nen-Fu Huang; I-Ju Liao; Rong-Tai Liu; Hsien-Wei Hung

A zero-day attack is a critical network attack. The zero-day attack period (ZDAP) is the period from the release of malware/exploit until a patch becomes available. IDS/IPS cannot effectively block zero-day attacks because they use pattern-based signatures in general. This paper proposes a Prophetic Defender (PD) by which ZDAP can be minimized. Prior to an actual attack, hackers scan networks to identify hosts with vulnerable ports. If this port scanning can be detected early, zero-day attacks will become detectable. The PD architecture makes use of a honeypot-based pseudo server deployed to detect malicious port scans. A port-scanning honeypot was operated by us for 6 years from 2009 to 2015. By analyzing the 6-year port-scanning log data, we understand that PD is effective for detecting and blocking zero-day attacks. The block rate of the proposed architecture is 98.5%.

Collaboration


Dive into Chia-Nan Kao's collaboration.

Top Co-Authors

Nen-Fu Huang

National Tsing Hua University

Rong-Tai Liu

National Tsing Hua University

Hsien-Wei Hung

National Tsing Hua University

Chih-Hao Chen

National Tsing Hua University

I-Ju Liao

National Tsing Hua University

Che-Wei Lin

National Tsing Hua University

Yung-Cheng Chang

National Tsing Hua University

Chih-Chiang Wu

National Tsing Hua University

Gin-Yuan Jai

National Tsing Hua University

Ming-Chang Shih

National Tsing Hua University
