Tal Anker

High performance string matching algorithm for a network intrusion prevention system (NIPS)

Intrusion detection systems (IDS) were developed to identify and report attacks in the late 1990s, as hacker attacks and network worms began to affect the Internet. Traditional IDS technologies detect hostile traffic and send alerts but do nothing to stop the attacks. Network intrusion prevention systems (NIPS) are deployed in-line with the network segment being protected. As the traffic passes through the NIPS, it is inspected for the presence of an attack. Like viruses, most intruder activities have some sort of signatures. Therefore, a pattern-matching algorithm resides at the heart of the NIPS. When an attack is identified, the NIPS blocks the offending data. There is an alleged trade-off between the accuracy of detection and algorithmic efficiency. Both are paramount in ensuring that legitimate traffic is not delayed or disrupted as it flows through the device. For this reason, the pattern-matching algorithm must be able to operate at wire speed, while simultaneously detecting the main bulk of intrusions. With networking speeds doubling every year, it is becoming increasingly difficult for software based solutions to keep up with the line rates. This paper presents a novel pattern-matching algorithm. The algorithm uses a ternary content addressable memory (TCAM) and is capable of matching multiple patterns in a single operation. The algorithm achieves line-rate speed of several orders of magnitude faster than current works, while attaining similar accuracy of detection. Furthermore, our system is fully compatible with Snorts rules syntax, which is the de facto standard for intrusion prevention systems

Efficient clustering for improving network performance in wireless sensor networks

Clustering is an important mechanism in large multi-hop wireless sensor networks for obtaining scalability, reducing energy consumption and achieving better network performance. Most of the research in this area has focused on energy-efficient solutions, but has not thoroughly analyzed the network performance, e.g. in terms of data collection rate and time. The main objective of this paper is to provide a useful fully-distributed inference algorithm for clustering, based on belief propagation. The algorithm selects cluster heads, based on a unique set of global and local parameters, which finally achieves, under the energy constraints, improved network performance. Evaluation of the algorithm implementation shows an increase in throughput in more than 40% compared to HEED scheme. This advantage is expressed in terms of network reliability, data collection quality and transmission cost.

Enhancing RSSI-based tracking accuracy in wireless sensor networks

In recent years, the demand for high-precision tracking systems has significantly increased in the field of Wireless Sensor Network (WSN). A new tracking system based on exploitation of Received Signal Strength Indicator (RSSI) measurements in WSN is proposed. The proposed system is designed in particular for WSNs that are deployed in close proximity and can transmit data at a high transmission rate. The close proximity and an optimized transmit power level enable accurate conversion of RSSI measurements to range estimates. Having an adequate transmission rate enables spatial-temporal correlation between consecutive RSSI measurements. In addition, advanced statistical and signal processing methods are used to mitigate channel distortion and to compensate for packet loss. The system is evaluated in indoor conditions and achieves tracking resolution of a few centimeters which is compatible with theoretical bounds.

Cooperative and Reliable Packet-Forwarding on Top of AODV

Cooperative and reliable packet forwarding presents a formidable challenge in mobile ad hoc networks (MANET), due to special network characteristics; e.g., mobility, dynamic topology and absence of centralized management. Lack of cooperation, due to misbehavior caused by selfishness or malice, may severely degrade the performance of the network. Previous studies, relying on reputation systems, have demonstrated solutions designed for Dynamic Source Routing (DSR) protocol. This paper highlights various aspects of cooperation enforcement and reliability, when AODV is the underlying protocol. Furthermore, it presents a scalable protocol that combines a reputation system with AODV that addresses reputation fading, second-chance, robustness against liars and load balancing.

Enhanced calibration technique for RSSI-based ranging in body area networks

Indoor positioning systems based on Received Signal Strength Indicator (RSSI) in Wireless Sensor Networks (WSNs) are commonly used. The position accuracy in these systems is highly affected by the wireless medium variability, and therefore, a precise calibration is necessary to translate the power measurements to corresponding distance between each pair of nodes. In this paper, we propose a calibration scheme that is tailored to Body Area Networks (BANs) applications. The a priori knowledge about the environment conditions in these applications can increase the accuracy of the localization system, improve its robustness to interference, and reduce the number of RSSI measurements which are required for the calibration process compared to the traditional calibration methods. We define a criterion to obtain the calibration scheme using different a priori knowledge for both the mapping table and the path-loss model parameters. For evaluation of our new calibration scheme, we conducted a series of experiments in a real-world indoor environment, focusing on a proximate environment that is commonly used in BANs. We showed that for a tracking application, calibration methods utilizing the a priori knowledge are superior in terms of localization accuracy over other existing calibration methods with relatively small number of offline measurements.

Belief Propagation in Wireless Sensor Networks - A Practical Approach

Distributed inference schemes for detection, estimation and learning comprise an attractive approach to Wireless Sensor Networks (WSNs), because of properties such as asynchronous operation and robustness in the face of failures. Belief Propagation (BP) is a method for distributed inference which provides accurate results with rapid convergence properties. However, applying a BP algorithm to WSN is challenging. Many papers that proposed using BP for WSNs do not consider all of the constraints which these networks impose. This paper presents a framework that implements both localized and data-centric approaches to improve the effectiveness and the robustness of this algorithm in the WSN environment. The proposed solution is empirically evaluated, as applied to the clustering problem, and it can be easily extended to suit many other applications that use BP as an underlying algorithm.

One Algorithm to Match Them All: On a Generic NIPS Pattern Matching Algorithm

Todays network intrusion prevention systems (NIPS) provide an important defense mechanism against security threats. The detection of network attacks utilizes a highspeed pattern matching algorithm that can be implemented in either hardware or software. Adapting a software-based pattern matching algorithm to hardware-based device is a complicated task. This paper presents a cost effective multi-pattern matching algorithm based on Field Programmable Gate Arrays (FPGAs) and standard RAM. The algorithm achieves line-rate speed, which is several orders of magnitude faster than the current state of the art, while attaining similar accuracy of detection. The algorithm can be easily adapted to operate in hardware-based NIPS and attain even higher speed by utilizing a TCAM memory.

Probabilistic fair queuing

Packet scheduling constitutes the core problem in efficient fair allocation of bandwidth to competing flows. To date, numerous algorithms for packet scheduling have been suggested and tested. However, only a few of them are currently deployed. One of the key reasons for rarity of applied packet scheduling methods lies in the complexity of their implementation. This paper describes a family of randomized algorithms for packet scheduling. These algorithms are simple to implement and require small amounts of computation time. Specifically we present an O(1) probabilistic weighted fair queuing algorithm that emits packets from flows with an improved delay jitter. Experimental results of the proposed randomized algorithms suggest that the randomized approach is a viable alternative to the currently deployed deterministic fair queuing algorithms.

Delay Fast Packets (DFP): Prevention of DNS Cache Poisoning

The Domain Name System (DNS) protocol is used as a naming system for computers, services, or any other network resource. This paper presents a solution for the cache poisoning attack in which the attacker inserts incorrect data into the DNS cache. In order to successfully poison the cache, the attacker response must beat the real response in the race back to the local DNS server. In our model, we assume an eavesdropping attacker that can construct a response that is identical to the legal response. The primary aim of our solution is to construct a normal profile of the round trip time from when the request is sent until the arrival of the response, and then to search for anomalies of the constructed profile. In order to poison the cache of a DNS server, the attacker has to know the source port and the Transaction ID (TID) of the request. As far as we know, all current solutions which do not change the protocol, assume an attacker that cannot see the request and therefore has to guess the TID. All these solutions try to increase entropy in order to make the guesswork harder. In our strict model, increasing entropy is useless. We in no way claim that our scheme is flawless. Nevertheless, this effort represents the first step towards preserving the DNS cache assuming an eavesdropping attacker.

On a NIC's operating system, schedulers and high-performance networking applications

Two critical issues impact the overall performance of Linux clusters based on Intel servers: inter-process communication latency and data throughput. Underlying both of these performance challenges is the inefficient use of computational power and server CPU cycles to process the network protocols. Todays modern high-end Network Interface Cards (NICs) are equipped with an onboard CPU. In most cases, these CPUs are only used by the vendor and are operated by a proprietary OS, which makes them inaccessible to the HPC application developer. In this paper we present a design and implementation of a framework for building high-performance networking applications. The framework consists of an embedded NIC Operating System with a specialized scheduler. The main challenge in developing such a scheduler is the lack of a preemption mechanism in most high-end NICs. Our scheduler provides finer-grained schedules than the alternatives. We have implemented several network applications, and were able to increase their throughput while decreasing the hosts CPU utilization.