Frank C. Lin
Cisco Systems, Inc.
Publication
Featured research published by Frank C. Lin.
IEEE Communications Surveys and Tutorials | 2006
Po-Ching Lin; Zhi-Xiang Li; Ying-Dar Lin; Yuan-Cheng Lai; Frank C. Lin
The efficiency of string matching algorithms is essential for network content security applications, such as intrusion detection systems, anti-virus systems, and Web content filters. This work reviews typical algorithms and profiles their performance under various situations to study the influence of the number, the length, and the character distribution of the signatures on performance. This profiling can reveal the most efficient algorithm in each situation. A fast verification method for some string matching algorithms is also proposed. This work then analyzes the signature characteristics of three content security applications and replaces their original algorithms with the most efficient ones in the profiling. The improvement for both real and synthetic sample data is observed. For example, an open source anti-virus package, ClamAV, is five times faster after the revision. This work features comprehensive profiling results of typical string matching algorithms and observations of their application on network content security. The results can enlighten the choice of a proper algorithm in practical design.
Journal of Systems and Software | 2012
Ying-Dar Lin; Chi-Heng Chou; Yuan-Cheng Lai; Tse-Yau Huang; Simon Chung; Jui-Tsun Hung; Frank C. Lin
Because running all previous tests for the regression testing of a system is time-consuming, the size of a test suite of the system must be reduced intelligently with adequate test coverage and without compromising its fault detection capability. Five algorithms were designed for reducing the size of test suites where two metrics, test's function reachability and function's test intensity, were defined. Approaches to the algorithm CW-NumMin, CW-CostMin, or CW-CostCov-B are the safe-mode of test case selection with full-modified function coverage, while the CW-CovMax algorithm is of non-safe mode, which was performed under time restriction. In this study, the most efficient algorithm could reduce the cost (time) of a test suite down to 1.10%, on average, over the MPLS area of Cisco IOS.
International Conference on Communications | 2009
I-Wei Chen; Po-Ching Lin; Chi-Chung Luo; Tsung-Huan Cheng; Ying-Dar Lin; Yuan-Cheng Lai; Frank C. Lin
False Positive (FP) and False Negative (FN) happen to every Intrusion Prevention System (IPS). No one could do better judgment than others all the time. This work proposes a system of Attack Session Extraction (ASE) to create a pool of suspicious traffic traces which cause potential FNs (abbreviated as P-FNs) and potential FPs (abbreviated as P-FPs) to IPSes. Developers of IPSes can use these suspicious traffic traces to improve the accuracy of their products. Traffic traces are called suspicious since what they cause are P-FNs and P-FPs which need to be confirmed by the developers of IPSes whether P-FNs are FNs and P-FPs are FPs. First, the ASE captures real traffic and replays captured traffic traces to multiple IPSes. By comparing the logs of IPSes, we can find that some attack logs are logged or not logged only at certain IPS. The former are P-FPs, while the latter are P-FNs to that IPS. The ASE then starts to extract this suspicious traffic from replayed traffic traces. The extracted traffic traces can then be used for further analysis by IPS developers. Some of the traces may prove to be guilty, i.e. confirmed to be FNs and FPs. To completely extract a suspicious session, the ASE uses an association mechanism based on anchor packets, five-tuple and time, and similarity for the first packet, first connection, and whole session, respectively. It calculates the degree of similarity among packets to extract a suspicious session containing multiple connections. We define variation and completeness/purity as the performance indexes to evaluate ASE. The experiments demonstrate that 95% of extracted sessions have low variation, and the average completeness/purity is around 80%.
International Symposium on Software Reliability Engineering | 2007
Xiangrong Wang; Hang Shi; Tze-Yau William Huang; Frank C. Lin
Product security is an on-going challenge for network equipment vendors. In this paper, we present a systematic methodology for some software vulnerability assessment and security function verification. Based on this approach, a scalable and adaptable automatic test system was implemented to test over a hundred production software releases over the past year. This paper describes the methodology, the framework, and the results.
International Conference on Communications | 2010
Ying-Dar Lin; Fan-Cheng Wu; Tze-Yau William Huang; Yuan-Cheng Lai; Frank C. Lin
Taint tracking is a novel technique to prevent buffer overflow. Previous studies on taint tracking ran a victim's program on an emulator to dynamically instrument the code for tracking the propagation of taint data in memory and checking whether malicious code is executed. However, the critical problem of this approach is its heavy performance overhead. This paper proposes a new taint-style system called Embedded TaintTracker to eliminate the overhead in the emulator and dynamic instrumentation by compressing a checking mechanism into the operating system (OS) kernel and moving the instrumentation from runtime to compilation time. Results show that the proposed system outperforms the previous work, TaintCheck, by at least 8 times on throughput degradation, and is about 17.5 times faster than TaintCheck when browsing 1KB web pages.
Advanced Information Networking and Applications | 2012
Ying-Dar Lin; Chi-Heng Chou; Yuan-Cheng Lai; Tse-Yau Huang; Simon Chung; Jui-Tsun Hung; Frank C. Lin
Because running all previous tests for the regression testing of a system is time-consuming, the size of a test suite of the system must be reduced intelligently with adequate test coverage and without compromising its fault detection capability. Five algorithms were designed for reducing the size of test suites where two metrics, test's function reachability and function's test intensity, were defined. Approaches to the algorithm CW-NumMin, CW-CostMin, or CW-CostCov-B are the safe-mode of test case selection with full-modified function coverage, while the CW-CovMax algorithm is of non-safe mode, which was performed under time restriction. In this study, the most efficient algorithm could reduce the cost (time) of a test suite down to 1.10%, on average, over the MPLS area of Cisco IOS.
Archive | 2005
Frank C. Lin
Archive | 2005
Frank C. Lin; Tsutomu Sakai
Archive | 2006
Frank C. Lin; Xiangrong Wang; Hang Shi
IEICE Transactions on Information and Systems | 2011
Yuan-Cheng Lai; Ying-Dar Lin; Fan-Cheng Wu; Tze-Yau Huang; Frank C. Lin