
Publication


Featured research published by Po-Ching Lin.


IEEE Computer | 2008

Using String Matching for Deep Packet Inspection

Po-Ching Lin; Ying-Dar Lin; Tsern-Huei Lee; Yuan-Cheng Lai

String matching has sparked renewed research interest due to its usefulness for deep packet inspection in applications such as intrusion detection, virus scanning, and Internet content filtering. Matching expressive pattern specifications with a scalable and efficient design, accelerating the entire packet flow, and string matching with high-level semantics are promising topics for further study.


Journal of Network and Computer Applications | 2009

Review: Application classification using packet size distribution and port association

Ying-Dar Lin; Chun-Nan Lu; Yuan-Cheng Lai; Wei-Hao Peng; Po-Ching Lin

Traffic classification is an essential part of common network management applications such as intrusion detection and network monitoring. Identifying traffic by port number is only suitable for well-known applications, while signature-based classification is not applicable to encrypted messages. Our preliminary observation shows that each application has a distinct packet size distribution (PSD) across its connections. Therefore, it is feasible to classify traffic by analyzing the variance of packet sizes within a connection without analyzing the packet payload. In this work, each connection is first transformed into a point in a multi-dimensional space according to its PSD. It is then compared with the representative points of pre-defined applications and recognized as the application with the minimum distance. Once a connection is identified as a specific application, port association is used to accelerate classification by grouping it with the other connections of the same session, because applications usually use consecutive ports during a session. Using the proposed techniques, packet size distribution and port association, a high accuracy rate, 96% on average, and low false positive and false negative rates, 4-5%, are achieved. Our proposed method not only works well for encrypted traffic but can also be easily combined with a signature-based method to provide better accuracy.


global communications conference | 2003

Direct Web switch routing with state migration, TCP masquerade, and cookie name rewriting

Ying-Dar Lin; Ping-Tsai Tsai; Po-Ching Lin; Ching-Ming Tien

Existing layer 4 load balancers are content-blind and often have difficulty redirecting HTTP requests to the appropriate server in a session-persistent manner. Layer 7 load balancers, also referred to as Web switches, are content-aware and support session persistence. However, most Web switches employ a bidirectional architecture, meaning that both request and response traffic must pass through the load balancer, so the Web switch can easily become a bottleneck. We present a direct routing architecture that prevents response traffic from passing through the Web switch. Our solution scales well in the number of back-end servers. In addition, two simple but effective mechanisms, one-packet TCP state migration and cookie name rewriting in the packet filter, are presented to support persistent connections and session persistence. Through an external benchmark, we show that our system outperforms existing solutions. An internal benchmark investigates the bottlenecks of our system and suggests areas for future improvement.


IEEE Communications Surveys and Tutorials | 2012

Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems

Tsung-Huan Cheng; Ying-Dar Lin; Yuan-Cheng Lai; Po-Ching Lin

Detecting attacks disguised by evasion techniques is a challenge for signature-based Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). This study examines five common evasion techniques to determine their ability to evade recent systems. The denial-of-service (DoS) attack attempts to disable a system by exhausting its resources. Packet splitting chops data into small packets so that a system may not completely reassemble them for signature matching. Duplicate insertion can mislead a system if the system and the target host discard different TCP/IP packets with a duplicate offset or sequence number. Payload mutation fools a system with a mutated payload. Shellcode mutation transforms an attacker's shellcode to escape signature detection. This study assesses the effectiveness of these techniques on three recent signature-based systems and, among them, explains why Snort can be evaded. The results indicate that duplicate insertion has become less effective against recent systems, but packet splitting, payload mutation, and shellcode mutation can still be effective against them.


IEEE Communications Surveys and Tutorials | 2006

Profiling and accelerating string matching algorithms in three network content security applications

Po-Ching Lin; Zhi-Xiang Li; Ying-Dar Lin; Yuan-Cheng Lai; Frank C. Lin

The efficiency of string matching algorithms is essential for network content security applications such as intrusion detection systems, anti-virus systems, and Web content filters. This work reviews typical algorithms and profiles their performance under various conditions to study how the number, length, and character distribution of the signatures affect performance. This profiling reveals the most efficient algorithm in each situation. A fast verification method for some string matching algorithms is also proposed. This work then analyzes the signature characteristics of three content security applications and replaces their original algorithms with the most efficient ones identified in the profiling. Improvement is observed for both real and synthetic sample data. For example, an open source anti-virus package, ClamAV, is five times faster after the revision. This work features comprehensive profiling results of typical string matching algorithms and observations on their application to network content security. The results can inform the choice of a proper algorithm in practical designs.


IEEE Communications Magazine | 2010

On campus beta site: architecture designs, operational experience, and top product defects

Ying-Dar Lin; I-Wei Chen; Po-Ching Lin; Chang-Sheng Chen; Chun-Hung Hsu

Testing network products in a beta site to reduce the possibility of customer-found defects is a critical phase before marketing. We design and deploy an innovative beta site on the campus of National Chiao Tung University, Hsinchu, Taiwan. It can be used by developers to test and debug products while maintaining network quality for network users. To satisfy the needs of developers, we set up environments and mechanisms such as a variety of test zones for multiple types of products or systems under test (SUTs), remote control, varying degrees of traffic volume, and traffic profiling. For network users, we set up mechanisms for failure detection, notification, and recovery. The beta site network users are all volunteers. Test results show that beta site testing is effective at finding stability and compatibility defects. The period from the beginning of a test until the next defect is found is called the time to fail (TTF). We call an SUT converged if its TTF exceeds four weeks, and the convergence ratio is the percentage of SUTs that reach convergence. We find that the TTF increases with longer test duration, meaning that product quality improves through beta site testing. However, the convergence ratios are only 7 and 20 percent for test durations of one month and one year, respectively, meaning that few products operate faultlessly for a long duration. The convergence ratios also indicate that it takes much more time to raise product quality to the point of convergence. Therefore, when considering both time to market and product quality, one month is our suggested minimum test duration (TD) for low-end and short-life-cycle products. However, we recommend one year as the minimum TD for high-end and long-life-cycle products.


IEEE Transactions on Computers | 2011

A Hybrid Algorithm of Backward Hashing and Automaton Tracking for Virus Scanning

Po-Ching Lin; Ying-Dar Lin; Yuan-Cheng Lai

Virus scanning involves computationally intensive string matching against a large number of signatures of different characteristics. Matching a variety of signatures challenges the selection of matching algorithms, as each approach has better performance than others for different signature characteristics. We propose a hybrid approach that partitions the signatures into long and short ones in the open-source ClamAV for virus scanning. An algorithm enhanced from the Wu-Manber algorithm, namely the Backward Hashing algorithm, is responsible for only long patterns to lengthen the average skip distance, while the Aho-Corasick algorithm scans for only short patterns to reduce the automaton sizes. The former utilizes the bad-block heuristic to exploit long shift distance and reduce the verification frequency, so it is much faster than the original WM implementation in ClamAV. The latter increases the AC performance by around 50 percent due to better cache locality. We also rank the factors to indicate their importance for the string matching performance.


IEEE Network | 2015

An extended SDN architecture for network function virtualization with a case study on intrusion prevention

Ying-Dar Lin; Po-Ching Lin; Chih-Hung Yeh; Yao-Chun Wang; Yuan-Cheng Lai

In conventional software-defined networking (SDN), a controller classifies the traffic redirected from a switch to determine the path to network function virtualization (NFV) modules. This redirection generates a large volume of control-plane traffic. We propose an extended SDN architecture that reduces the traffic overhead on the controller when providing NFV. The extension includes two-layer traffic classification in the data plane, extended OpenFlow protocol messages, and service chaining mechanisms. Network events are analyzed in the data plane instead of the control plane. The efficiency is evaluated with a case study of intrusion prevention. The evaluation shows that only 0.12 percent of the input traffic is handled by the controller, compared with 77.23 percent handled by the controller in conventional SDN.


IEEE Systems Journal | 2016

PCAPLib: A System of Extracting, Classifying, and Anonymizing Real Packet Traces

Ying-Dar Lin; Po-Ching Lin; Sheng-Hao Wang; I-Wei Chen; Yuan-Cheng Lai

This paper presents the PCAPLib system, which provides extracted, well-classified, and anonymized packet traces from real network traffic using two mechanisms. First, active trace collection actively extracts and classifies packet traces into sessions by leveraging multiple detection devices. Second, deep packet anonymization protects the privacy of the packet payloads for hundreds of application protocols while preserving the utility of the traces. We evaluate 318 anonymized packet traces collected over a period of four months and show that the efficiency of anonymization is up to 96%. The usefulness of this system for assessing false positives and false negatives in intrusion detection has also been demonstrated.


international symposium on microarchitecture | 2009

Hardware-Software Codesign for High-Speed Signature-based Virus Scanning

Ying-Dar Lin; Po-Ching Lin; Yuan-Cheng Lai; Tai-Ying Liu

High-speed network content security applications often offload signature matching to hardware. In such systems, the throughput of the overall system, rather than the hardware engine alone, is significant. The authors offload virus scanning in the ClamAV antivirus package to the BFAST* hardware engine. They find that the data-passing processes significantly degrade system throughput.

Collaboration


Po-Ching Lin's top co-authors and their affiliations.

Top Co-Authors

Ying-Dar Lin (National Chiao Tung University)
Yuan-Cheng Lai (National Taiwan University of Science and Technology)
I-Wei Chen (National Chiao Tung University)
Tsao-Jiang Chang (National Chiao Tung University)
Tsung-Huan Cheng (National Chiao Tung University)
Meng-Fu Tsai (National Chiao Tung University)
Ming-Dao Liu (National Chiao Tung University)
Cheng-Hsin Hsu (National Tsing Hua University)
Chi-Chung Luo (National Chiao Tung University)