NetShield: Massive semantics-based vulnerability signature matching for high-speed networks

Zhichun Li*, Gao Xia, Hongyu Gao, Yi Tang, Yan Chen, Bin Liu, Junchen Jiang, Yuezhou Lv

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

30 Scopus citations

Abstract

Accuracy and speed are the two most important metrics for Network Intrusion Detection/Prevention Systems (NIDS/NIPSes). Because of emerging polymorphic attacks, and because in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regex-based NIDS/NIPS systems has become a serious problem. In contrast, the recently proposed vulnerability signatures (a.k.a. data patches) can describe the vulnerability conditions exactly and achieve better accuracy. However, how to efficiently apply vulnerability signatures in a high-speed NIDS/NIPS with a large ruleset remains an untouched but challenging issue. This paper presents the first systematic design of a vulnerability-signature-based parsing and matching engine, NetShield, which achieves multi-gigabit throughput while offering much better accuracy. In particular, we make the following contributions: (i) we propose a candidate selection algorithm that efficiently matches thousands of vulnerability signatures simultaneously while requiring only a small amount of memory; (ii) we propose an automatic lightweight parsing state machine that achieves fast protocol parsing. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale up to at least 11+Gbps on an 8-core machine for 794 HTTP vulnerability signatures.

Original language: English (US)
Title of host publication: SIGCOMM'10 - Proceedings of the SIGCOMM 2010 Conference
Pages: 279-290
Number of pages: 12
DOIs
State: Published - 2010
Event: 7th International Conference on Autonomic Computing, SIGCOMM 2010 - New Delhi, India
Duration: Aug 30 2010 - Sep 3 2010

Publication series

Name: SIGCOMM'10 - Proceedings of the SIGCOMM 2010 Conference

Other

Other: 7th International Conference on Autonomic Computing, SIGCOMM 2010
Country/Territory: India
City: New Delhi
Period: 8/30/10 - 9/3/10

Keywords

  • deep packet inspection
  • intrusion detection
  • signature matching
  • vulnerability signature

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Theoretical Computer Science
