TY - GEN
T1 - NetShield
T2 - 7th International Conference on Autonomic Computing, SIGCOMM 2010
AU - Li, Zhichun
AU - Xia, Gao
AU - Gao, Hongyu
AU - Tang, Yi
AU - Chen, Yan
AU - Liu, Bin
AU - Jiang, Junchen
AU - Lv, Yuezhou
PY - 2010
Y1 - 2010
N2 - Accuracy and speed are the two most important metrics for Network Intrusion Detection/Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regex-based NIDS/NIPS systems has become a serious problem. In contrast, the recently proposed vulnerability signatures (a.k.a. data patches) can exactly describe the vulnerability conditions and achieve better accuracy. However, how to efficiently apply vulnerability signatures to high-speed NIDS/NIPS with a large ruleset remains an untouched but challenging issue. This paper presents the first systematic design of a vulnerability-signature-based parsing and matching engine, NetShield, which achieves multi-gigabit throughput while offering much better accuracy. In particular, we made the following contributions: (i) we proposed a candidate selection algorithm which efficiently matches thousands of vulnerability signatures simultaneously while requiring a small amount of memory; (ii) we proposed an automatic lightweight parsing state machine achieving fast protocol parsing. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale up to at least 11+Gbps on an 8-core machine for 794 HTTP vulnerability signatures.
KW - deep packet inspection
KW - intrusion detection
KW - signature matching
KW - vulnerability signature
UR - http://www.scopus.com/inward/record.url?scp=78149345721&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78149345721&partnerID=8YFLogxK
U2 - 10.1145/1851182.1851216
DO - 10.1145/1851182.1851216
M3 - Conference contribution
AN - SCOPUS:78149345721
SN - 9781450302012
T3 - SIGCOMM'10 - Proceedings of the SIGCOMM 2010 Conference
SP - 279
EP - 290
BT - SIGCOMM'10 - Proceedings of the SIGCOMM 2010 Conference
Y2 - 30 August 2010 through 3 September 2010
ER -