Hsien-Wei Hung
National Tsing Hua University
Publications
Featured research published by Hsien-Wei Hung.
advanced information networking and applications | 2008
Nen-Fu Huang; Hsien-Wei Hung; Sheng-Hung Lai; Yen-Ming Chu; Wen-Yen Tsai
With the development of network applications, network security issues are becoming more and more important. This paper proposes a multiple-pattern matching algorithm for network intrusion detection systems based on the GPU (Graphics Processing Unit). The high parallelism of GPU computation is used to inspect packet content in parallel. The performance of the proposed approach is analyzed through evaluations using various texture formats and different implementations. Experimental results indicate that the performance of the proposed approach is twice that of the modified Wu-Manber algorithm used in Snort. The proposed approach turns a cheap commodity GPU card into a high-performance pattern matching co-processor.
global communications conference | 2012
Wen-Yen Tsai; Nen-Fu Huang; Hsien-Wei Hung
Interrupt affinitization of network interface cards (NICs) is a fundamental configuration that defines which CPU cores process which packets on multi-core platforms. In this paper, we propose a simple port-configuration assisted scheme to attain an optimal affinitization for packet forwarding applications. Experiments ranging from bridging, routing and flow tracking to deep packet inspection are conducted to show the performance impact of different affinitization approaches. As a result, our proposed scheme achieves the same performance level as the best fixed affinitization scheme. In addition, the effectiveness of interrupt balancing is demonstrated: our scheme is superior to the widely deployed irqbalance under varying network settings.
asia-pacific conference on communications | 2012
Nen-Fu Huang; Hsien-Wei Hung; Wen-Yen Tsai
As a result of the continually changing Internet and its applications, more and more advanced features are required in appliances to monitor and manage the network more accurately. Therefore, modern networking appliances are equipped with DPI (Deep Packet Inspection) technology to scan packet payloads. A rule (such as a Snort rule) may consist of several patterns with certain relationships, such as order, relative position and offset. System performance is usually dominated not only by the pattern matching algorithm but also by the rule match processing algorithm. This paper proposes a unique-pattern based pre-filtering method for rule matching. It is employed to filter out unwanted matches after the packet payload has been scanned by the pattern matching algorithm. The proposed algorithm is also implemented on different multi-core platforms to demonstrate its efficiency and performance. The experimental results indicate that throughput is improved significantly and increases approximately linearly with the number of CPU cores.
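The following is an added example, not code from the paper, showing the idea of unique-pattern pre-filtering on a small constructed rule set: each rule is a list of content patterns with order, "within" and offset constraints; a rule is only handed to the (comparatively expensive) constraint check when its least-shared pattern was actually seen in the payload. The rule names, patterns and payloads are constructed for illustration, and the naive `find_all` stands in for the multi-pattern matcher (e.g. Aho-Corasick) that a real DPI engine would use.

```python
# Added example (not the paper's code): unique-pattern pre-filtering for
# multi-pattern rule matching, in the style of Snort content rules.
# The rules and payloads below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    patterns: list   # content patterns that must appear in this order
    within: list     # within[i]: max gap between end of patterns[i] and start of patterns[i+1]; None = unbounded
    offset: int = 0  # the first pattern must start at or after this payload offset


RULES = [  # constructed rule set, not a real Snort ruleset
    Rule("web-cmd-exec",    [b"GET /", b"cmd.exe", b"HTTP/1."], [None, None]),
    Rule("web-traversal",   [b"GET /", b"../..", b"HTTP/1."],   [None, None]),
    Rule("web-unix-passwd", [b"GET /", b"/etc/passwd"],         [None]),
    Rule("shell-id-output", [b"uid=", b"gid="],                  [8]),
]


def choose_filter_patterns(rules):
    """Pick, for every rule, the pattern shared with the fewest other rules
    (ties broken toward the longer pattern). A hit on that pattern is the
    cheapest evidence that the rule might match."""
    shared = Counter(p for r in rules for p in r.patterns)
    return {r.name: min(r.patterns, key=lambda p: (shared[p], -len(p))) for r in rules}


def find_all(payload, pat):
    """All start offsets of pat in payload (stand-in for a multi-pattern matcher)."""
    hits, i = [], payload.find(pat)
    while i != -1:
        hits.append(i)
        i = payload.find(pat, i + 1)
    return hits


def _satisfiable(occ, rule, idx, prev_end):
    """Backtracking check of the order / within / offset constraints over the recorded occurrences."""
    if idx == len(rule.patterns):
        return True
    pat = rule.patterns[idx]
    for start in occ.get(pat, ()):
        if idx == 0:
            if start < rule.offset:
                continue
        else:
            gap = start - prev_end
            if gap < 0 or (rule.within[idx - 1] is not None and gap > rule.within[idx - 1]):
                continue
        if _satisfiable(occ, rule, idx + 1, start + len(pat)):
            return True
    return False


def match_rules(payload, rules=RULES, prefilter=True):
    """Return (names of matching rules, number of rules that needed the full constraint check)."""
    occ = {p: find_all(payload, p) for r in rules for p in r.patterns}
    occ = {p: pos for p, pos in occ.items() if pos}   # keep only patterns that actually occur
    filt = choose_filter_patterns(rules)
    hits, checked = [], 0
    for rule in rules:
        if prefilter and filt[rule.name] not in occ:
            continue   # cheap rejection: the rule's least-shared pattern never appeared
        checked += 1
        if _satisfiable(occ, rule, 0, 0):
            hits.append(rule.name)
    return hits, checked


if __name__ == "__main__":
    for payload in (b"GET /cgi-bin/a.cgi?f=../../etc/passwd HTTP/1.1\r\n",
                    b"uid=0(root) gid=0(root) groups=0(root)\n",
                    b"GET /index.html HTTP/1.1\r\n"):
        print(payload[:24], match_rules(payload), match_rules(payload, prefilter=False))
```

The second element of the returned tuple is the number of rules that reached the constraint check; comparing `prefilter=True` and `prefilter=False` on the same payload shows how much rule-processing work the pre-filter removes without changing which rules fire.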
intelligent information hiding and multimedia signal processing | 2015
Chia-Nan Kao; Yung-Cheng Chang; Nen-Fu Huang; I-Ju Liao; Rong-Tai Liu; Hsien-Wei Hung; Che-Wei Lin
HTTP is the main protocol of the Internet and many network applications rely on it. Malware also utilizes it as a covert channel to evade the firewall (FW) or network intrusion detection system (NIDS). We refer to malware that employs HTTP to communicate as an HTTP-like Botnet. Some parts of the network traffic of an HTTP-like Botnet differ from those of normal HTTP applications. Based on the differences between HTTP-like Botnet traffic and normal HTTP applications, we developed an Automatic NIDS Rule Generating System (ARGS). ARGS is a proof of concept (POC) which generates the corresponding NIDS rules efficiently and precisely from input malign traffic (MT). ARGS is an incremental method to generate and optimize the rules. It can generate rules quickly and precisely without first requiring the collection of many malware samples for clustering. For practical purposes, we adopt Snort as the IDS engine in ARGS. In our experiments, the time required by ARGS to process MTs and generate the corresponding rules is significantly shorter than that of the existing solution when rule optimization is not required. Besides, the generated rule set detects 30% more malware traffic than the SourceFire IDS full rule set and thus can efficiently stop the spread of malware in time.
communications and networking symposium | 2015
Chia-Nan Kao; Yung-Cheng Chang; Nen-Fu Huang; I-Ju Liao; Rong-Tai Liu; Hsien-Wei Hung
A zero-day attack is a critical network attack. The zero-day attack period (ZDAP) is the period from the release of malware/exploit until a patch becomes available. IDS/IPS cannot effectively block zero-day attacks because they generally use pattern-based signatures. This paper proposes a Prophetic Defender (PD) by which the ZDAP can be minimized. Prior to an actual attack, hackers scan networks to identify hosts with vulnerable ports. If this port scanning can be detected early, zero-day attacks become detectable. The PD architecture makes use of a honeypot-based pseudo server deployed to detect malicious port scans. We operated a port-scanning honeypot for 6 years, from 2009 to 2015. By analyzing the 6-year port-scanning log data, we find that PD is effective for detecting and blocking zero-day attacks. The block rate of the proposed architecture is 98.5%.
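As an added example (not the paper's Prophetic Defender implementation), the detector below reads a connection log from a honeypot pseudo server and blocks any source that probes several of its decoy ports within a short window. The log format, the decoy port set, the threshold and the window are all constructed assumptions; the paper does not publish its log format or thresholds.

```python
# Added example (not the paper's code): block sources that port-scan a
# honeypot pseudo server. Log lines, decoy ports and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy ports: nothing legitimate should ever connect to these on the pseudo server.
DECOY_PORTS = {21, 22, 23, 135, 139, 445, 1433, 3306, 3389, 5900}

# Constructed honeypot log: one scanner, one slow prober, one host hitting real service ports.
HONEYPOT_LOG = """\
2015-03-01T10:00:01 src=203.0.113.5 dport=21 proto=tcp flags=S
2015-03-01T10:00:02 src=203.0.113.5 dport=22 proto=tcp flags=S
2015-03-01T10:00:02 src=203.0.113.5 dport=23 proto=tcp flags=S
2015-03-01T10:00:03 src=203.0.113.5 dport=445 proto=tcp flags=S
2015-03-01T10:00:09 src=198.51.100.7 dport=445 proto=tcp flags=S
2015-03-01T10:04:30 src=198.51.100.7 dport=3389 proto=tcp flags=S
2015-03-01T10:20:00 src=198.51.100.7 dport=22 proto=tcp flags=S
2015-03-01T10:21:00 src=192.0.2.44 dport=80 proto=tcp flags=S
2015-03-01T10:21:01 src=192.0.2.44 dport=443 proto=tcp flags=S
"""


def parse_line(line):
    """'<iso-timestamp> key=value ...' -> (timestamp, source IP, destination port)."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), fields["src"], int(fields["dport"])


def detect_scanners(log_text, threshold=3, window_minutes=5):
    """Return {src: detection time} for sources whose decoy-port probes reach
    `threshold` distinct ports inside a sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    probes = defaultdict(list)   # src -> [(ts, port)] of decoy-port hits, in log order
    blocked = {}
    for line in log_text.splitlines():
        ts, src, dport = parse_line(line)
        if dport not in DECOY_PORTS or src in blocked:
            continue   # real service port, or source already on the block list
        probes[src].append((ts, dport))
        recent_ports = {p for t, p in probes[src] if ts - t <= window}
        if len(recent_ports) >= threshold:
            blocked[src] = ts
    return blocked


if __name__ == "__main__":
    for src, ts in detect_scanners(HONEYPOT_LOG).items():
        print(f"block {src} (scan detected at {ts.isoformat()})")
```

With the default 5-minute window only 203.0.113.5 is blocked; 198.51.100.7 spreads its three probes over twenty minutes and is caught only if the window is widened, which is the usual trade-off between catching slow scans and tolerating stray connections.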
international conference on communications | 2011
Wen-Yen Tsai; Nen-Fu Huang; Hsien-Wei Hung
Connection tracking by manipulating session tables is essential for stateful-inspection-capable applications such as stateful firewalls, network-based intrusion prevention systems (NIPS), and traffic accounting and monitoring, which process packets according to session state information. With the prevalence of multi-core computing, it is crucial to optimize existing connection tracking structures and algorithms to fully utilize the underlying parallelism. In this paper, we propose a lock-controlled session table partitioning scheme accompanied by a dynamic resource balancing algorithm for session-aware multi-core networking systems. Experimental results show that the proposed scheme reduces the number of lock contentions by up to 100 times and, in turn, boosts performance to 3.5 Gbps above the baseline. 100% resource utilization is also achieved by overcoming the constraint of fixed-size partitioning.
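The following added example (not the paper's implementation) shows the partitioning idea in miniature: a session table keyed by a direction-independent 5-tuple, split into partitions that each carry their own lock, with flows steered to worker threads by the same hash that selects the partition, so that in the partitioned case no two workers ever touch the same lock. `nparts=1` is the single-global-lock baseline. The traffic, the CRC32 flow hash (standing in for the NIC's RSS hash) and the `time.sleep(0)` used to make contention visible under the Python GIL are constructed for illustration; the paper's dynamic resource balancing across partitions is not modelled.

```python
# Added example (not the paper's code): per-partition locking of a session
# table with hash-based flow steering. Traffic is constructed for illustration.
import threading
import time
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

    def canonical(self):
        """Direction-independent key so both halves of a connection hit one session."""
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (min(a, b), max(a, b), self.proto)

    def hash32(self):
        """Deterministic flow hash (stand-in for the NIC's RSS / Toeplitz hash)."""
        return zlib.crc32(repr(self.canonical()).encode())


class CountingLock:
    """Lock that counts acquisitions which found the lock already held."""
    def __init__(self):
        self._lock = threading.Lock()
        self.contended = 0

    def __enter__(self):
        if not self._lock.acquire(blocking=False):
            self._lock.acquire()
            self.contended += 1   # updated while holding the lock, so the count is exact
        return self

    def __exit__(self, *exc):
        self._lock.release()


class SessionTable:
    def __init__(self, nparts):
        self.parts = [dict() for _ in range(nparts)]
        self.locks = [CountingLock() for _ in range(nparts)]

    def partition_of(self, key):
        return key.hash32() % len(self.parts)

    def lookup_or_create(self, key):
        p, ck = self.partition_of(key), key.canonical()
        with self.locks[p]:
            sess = self.parts[p].setdefault(ck, {"packets": 0})
            sess["packets"] += 1
            time.sleep(0)   # yield while holding the lock so contention becomes observable
        return sess

    def session_count(self):
        return sum(len(p) for p in self.parts)

    def contentions(self):
        return sum(l.contended for l in self.locks)


def make_flows(n):
    """Constructed traffic: n client->server packets plus the reverse packet of each."""
    flows = []
    for i in range(n):
        fwd = FlowKey(f"10.0.{i // 256}.{i % 256}", 40000 + i, "192.0.2.10", 443, 6)
        flows += [fwd, FlowKey(fwd.dst, fwd.dport, fwd.src, fwd.sport, fwd.proto)]
    return flows


def simulate(nparts, ncores, n_flows=64, rounds=3):
    """Run ncores worker threads over the traffic. With nparts a multiple of ncores,
    partition p is only ever used by core p % ncores, so its lock is never contended."""
    table = SessionTable(nparts)
    per_core = [[] for _ in range(ncores)]
    for f in make_flows(n_flows):
        per_core[f.hash32() % ncores].append(f)   # RSS-style steering of flows to cores

    def worker(batch):
        for _ in range(rounds):
            for f in batch:
                table.lookup_or_create(f)

    threads = [threading.Thread(target=worker, args=(b,)) for b in per_core]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"sessions": table.session_count(),
            "contentions": table.contentions(),
            "packets_per_session": {s["packets"] for p in table.parts for s in p.values()}}


if __name__ == "__main__":
    print("global lock  :", simulate(nparts=1, ncores=4))
    print("16 partitions:", simulate(nparts=16, ncores=4))
```

Both runs end with the same 64 sessions and the same per-session packet counts; only the contention counter differs, which is the quantity the paper's "100 times fewer lock contentions" result is about.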
ieee international conference on communication software and networks | 2015
Chia-Nan Kao; I-Ju Liao; Yung-Cheng Chang; Che-Wei Lin; Nen-Fu Huang; Rong-Tai Liu; Hsien-Wei Hung
The common means of defense for network security systems is to block intrusions by matching signatures. Intrusion-signature matching is the critical operation. However, small and medium-sized enterprise (SME) or Small Office/Home Office (SOHO) network security systems may not have sufficient resources to maintain good matching performance with full rule sets. Code generation is a technique that converts data structures or instructions into other forms to obtain greater benefits within execution environments. This study analyzes intrusion detection system (IDS) signatures and finds character occurrence to be significantly uneven. Based on this property, this study designs a method to generate string matching source code from the state table of the AC algorithm for embedded network intrusion detection platforms. The generated source code requires less memory and relies not only on table lookup but also on the capabilities of the processor. This method can improve performance through compiler optimization and is applicable to network processors and DSP-like platforms. In the evaluation, this method requires only 20% of the memory and achieves 86% of the performance on clean traffic compared to the original Aho-Corasick (AC) algorithm.
ieee conference on network softwarization | 2015
Chia-Nan Kao; Salim Si; Nen-Fu Huang; I-Ju Liao; Rong-Tai Liu; Hsien-Wei Hung
Network anti-virus (AV) solutions are the first line of defense against malicious software. Traditional proxy-based network anti-virus solutions with store-scan-forward techniques decrease network performance and consume massive amounts of memory. Therefore, traditional solutions are not easily adaptable to Network Function Virtualization (NFV). This paper details work on a novel virus scanning solution for NFV, called StreamAV. It does not require a proxy and maintains high network performance with lower memory usage. StreamAV conducts policy matching on streams rather than on complete files. This eliminates buffering, thereby accelerating traffic and requiring far less memory than solutions that scan complete files. The prototype was 40 times faster than its closest open source competitor, while its memory consumption was only a fraction of that competitor's. Coverage was 100% with random test samples.
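The added example below is not StreamAV's code nor the code generator from the 2015 ICCSN paper above; it illustrates the two ideas those abstracts share with one Aho-Corasick automaton. First, scanning a stream: the automaton state is kept per flow between packets, so a signature that straddles a packet boundary is found without buffering the file, while a scanner that resets per packet misses it. Second, code generation: the same state table is emitted as source code that encodes only each state's explicit edges (exploiting the uneven byte distribution the ICCSN paper observes) and is cross-checked against the dense table. The signatures and packet payloads are constructed and are not real AV signatures.

```python
# Added example (not StreamAV's or the code-generation paper's code):
# Aho-Corasick scanning with state carried across packets, plus emitting the
# state table as source code. Signatures and the byte stream are constructed.
from collections import deque


class AC:
    """Aho-Corasick with sparse goto edges, failure links and a dense 256-way transition table."""
    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for pid, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                s = self.goto[s][b]
            self.out[s].add(pid)
        self.delta = [[0] * 256 for _ in self.goto]
        for b, t in self.goto[0].items():
            self.delta[0][b] = t
        queue = deque(self.goto[0].values())
        while queue:   # BFS: a state's fail link is always shallower, hence already finished
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                queue.append(s)
            self.delta[r] = list(self.delta[self.fail[r]])   # inherit the fail state's row ...
            for b, t in self.goto[r].items():
                self.delta[r][b] = t                         # ... then overlay explicit edges

    def table_cells(self):
        """(dense table cells, explicit edges): what a table-driven vs. generated matcher must store."""
        return len(self.goto) * 256, sum(len(e) for e in self.goto)


class StreamScanner:
    """Keeps the automaton state between feed() calls; one instance per flow."""
    def __init__(self, ac):
        self.ac, self.state, self.consumed = ac, 0, 0

    def feed(self, chunk):
        """Scan one packet payload; returns (pattern id, absolute start offset) per match."""
        hits = []
        for i, b in enumerate(chunk):
            self.state = self.ac.delta[self.state][b]
            for pid in sorted(self.ac.out[self.state]):
                hits.append((pid, self.consumed + i + 1 - len(self.ac.patterns[pid])))
        self.consumed += len(chunk)
        return hits


def scan_flow(ac, chunks, stateful=True):
    """Scan a flow packet by packet. stateful=False resets the automaton at each packet,
    which is what a naive per-packet scanner does and why it misses split signatures."""
    scanner, hits = StreamScanner(ac), []
    for chunk in chunks:
        if not stateful:
            scanner.state = 0
        hits += scanner.feed(chunk)
    return hits


def generate_step_source(ac, name="ac_step"):
    """Emit source for the goto/fail walk: only explicit edges become code, so size
    follows the edge count rather than states x 256 cells."""
    lines = [f"def {name}(state, b):", "    while True:"]
    for s, edges in enumerate(ac.goto):
        lines.append(f"        {'if' if s == 0 else 'elif'} state == {s}:")
        for b, t in sorted(edges.items()):
            lines.append(f"            if b == {b}: return {t}")
        lines.append("            return 0" if s == 0 else f"            state = {ac.fail[s]}")
    return "\n".join(lines) + "\n"


def compile_step(ac):
    namespace = {}
    exec(generate_step_source(ac), namespace)
    return namespace["ac_step"]


def generated_matches_table(ac):
    """Cross-check: the generated code must agree with the dense table on every (state, byte)."""
    step = compile_step(ac)
    return all(step(s, b) == ac.delta[s][b] for s in range(len(ac.goto)) for b in range(256))


SIGNATURES = [b"MZ", b"This program cannot", b"evil.dll"]   # constructed, not a real signature set
PACKETS = [                                                    # constructed; signature 1 straddles packets 2 and 3
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",
    b"\xff\xff\x00\x00This prog",
    b"ram cannot be run in DOS mode",
    b" evil.dll\x00",
]

if __name__ == "__main__":
    ac = AC(SIGNATURES)
    print("stateful :", scan_flow(ac, PACKETS))
    print("stateless:", scan_flow(ac, PACKETS, stateful=False))
    print("dense cells vs explicit edges:", ac.table_cells())
    print("generated matcher agrees with table:", generated_matches_table(ac))
```

The stateful scan reports all three signatures with their absolute offsets; the stateless scan loses the one split across packets 2 and 3. The generated matcher is emitted as Python here only so it can be executed in place; the ICCSN paper emits C for the target processor, but the transformation from state table to branch code is the same.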
international conference on information networking | 2004
Nen-Fu Huang; Hsien-Wei Hung; Chia-Nan Kao; Gin-Yuan Jai; Yi-Ju Sung
Current intrusion detection systems face the problem of generating too many false alerts. The raised alerts are too elementary and not accurate enough to be managed by a security administrator. Several alert correlation techniques have been proposed to solve this problem, such as hyper-alert correlation. Hyper-alert correlation takes advantage of the prerequisites and consequences of attacks to correlate related alerts. But the performance of this approach depends highly on the quality of the attack modeling. On the other hand, with the growth of network attacks, specifying the relationships for alert correlation manually would be a complex and tedious task. This paper presents a practical technique to address this issue for hyper-alert correlation. On the basis of the attack signatures and the hyper-alert types defined in hyper-alert correlation, the proposed approach constructs alert relationships automatically. Furthermore, when the various kinds of attacks are taken into consideration, some of the relationships between attacks may be neglected. In that case, fine-tuning of the relationships by a human user can efficiently deal with this problem.
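As an added example (not the paper's implementation), the code below shows the prerequisite/consequence matching that hyper-alert correlation performs once the relationships exist: each hyper-alert type lists predicate templates over alert attributes, an alert's consequences are instantiated with its attribute values, and alert A "prepares for" alert B when an instantiated consequence of A equals an instantiated prerequisite of B and A came first. The hyper-alert types, predicate names and alert stream are constructed; the paper's contribution, deriving these templates automatically from attack signatures, is replaced here by a hand-written table.

```python
# Added example (not the paper's code): prepare-for correlation over
# constructed hyper-alert types and alerts.
from dataclasses import dataclass

# Hyper-alert types: predicates that must hold before the attack and predicates it makes true.
# Constructed for illustration; a real deployment would derive these from the signature base.
HYPER_ALERT_TYPES = {
    "portscan":     {"prereq": ["ExistsHost(DestIP)"],
                     "conseq": ["ExistsService(DestIP, DestPort)"]},
    "smb_overflow": {"prereq": ["ExistsService(DestIP, DestPort)"],
                     "conseq": ["RootAccess(DestIP)"]},
    "outbound_c2":  {"prereq": ["RootAccess(SrcIP)"],
                     "conseq": ["C2Channel(SrcIP, DestIP)"]},
}


@dataclass
class Alert:
    id: str
    type: str
    ts: int      # arrival time (any monotonically increasing unit)
    attrs: dict  # raw alert attributes: SrcIP, DestIP, DestPort, ...


def instantiate(template, attrs):
    """'ExistsService(DestIP, DestPort)' + attrs -> ('ExistsService', '192.0.2.10', '445')."""
    name, args = template[:-1].split("(")
    return (name,) + tuple(str(attrs[a.strip()]) for a in args.split(","))


def prepares_for(a, b):
    """a prepares for b if some consequence of a matches a prerequisite of b and a happened first."""
    if a.ts >= b.ts:
        return False
    cons = {instantiate(t, a.attrs) for t in HYPER_ALERT_TYPES[a.type]["conseq"]}
    pres = {instantiate(t, b.attrs) for t in HYPER_ALERT_TYPES[b.type]["prereq"]}
    return bool(cons & pres)


def correlate(alerts):
    """Build the prepare-for graph and return every maximal chain (attack scenario) as a list
    of alert ids; an alert that prepares for nothing and is prepared by nothing is a chain of one."""
    edges = {a.id: [b.id for b in alerts if prepares_for(a, b)] for a in alerts}
    has_parent = {b for succ in edges.values() for b in succ}
    chains = []

    def walk(path):
        nxt = edges[path[-1]]
        if not nxt:
            chains.append(path)
        for b in nxt:
            walk(path + [b])

    for a in alerts:
        if a.id not in has_parent:
            walk([a.id])
    return chains


# Constructed alert stream: scan -> exploit -> C2 on one host, plus an unrelated exploit alert.
ALERTS = [
    Alert("a1", "portscan",     100, {"SrcIP": "203.0.113.5",  "DestIP": "192.0.2.10",   "DestPort": 445}),
    Alert("a2", "smb_overflow", 200, {"SrcIP": "203.0.113.5",  "DestIP": "192.0.2.10",   "DestPort": 445}),
    Alert("a3", "outbound_c2",  300, {"SrcIP": "192.0.2.10",   "DestIP": "198.51.100.9", "DestPort": 8080}),
    Alert("a4", "smb_overflow", 250, {"SrcIP": "203.0.113.77", "DestIP": "192.0.2.20",   "DestPort": 445}),
]

if __name__ == "__main__":
    for chain in correlate(ALERTS):
        print(" -> ".join(chain))
```

The three alerts against 192.0.2.10 collapse into one scenario, while `a4` stays a singleton because no earlier alert established `ExistsService(192.0.2.20, 445)`; that is exactly the situation in which the abstract's manual fine-tuning of neglected relationships would come in.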
advanced information networking and applications | 2004
Chao-Ping Yu; Hsien-Wei Hung; Canaan Kao; Nen-Fu Huang; Ko-Shung Chen; Rong-Tai Liu; Yi-Chung Chen
We propose a distributed architecture for a Web filtering system, focusing on its operation and implementation for IPv6 home networks. The realized system, called WKeeper, employs the IPv6 anycast feature to achieve distributed load balancing. WKeeper has been shown to function well in both IPv4 and IPv6 networks, even with mobility support. In a home network environment, WKeeper efficiently and precisely maintains a URL block-list database with an enormous number of entries, and its operation is robust and low-cost. Besides, experimental results show that the query response delay remains tightly bounded even under heavy load.