Toronto Networking Seminar

Organized by Department of Computer Science and Department of Electrical and Computer Engineering, University of Toronto

NetShield: Matching with a Large Vulnerability Signature Ruleset for High Performance Network Defense

Yan Chen
Department of Electrical Engineering and Computer Science
Northwestern University


Thursday, October 22, 4pm
Location: BA 1210


Accuracy and speed are the two most important metrics for Network Intrusion Detection or Prevention Systems (NIDS/NIPSes). Because of emerging polymorphic attacks, and because in many cases regular expressions (regexes) over the byte stream cannot capture the vulnerability conditions accurately, the accuracy of existing regex-based NIDS/NIPSes has become a serious problem. In contrast, the recently proposed vulnerability signatures describe the vulnerability conditions exactly and achieve better accuracy. However, when vulnerability signatures are applied in a high-speed NIDS/NIPS with a large ruleset, matching them efficiently remains an untouched but challenging problem.

This paper presents the design of NetShield, a vulnerability-signature-based NIDS/NIPS that achieves multi-gigabit throughput while offering much better accuracy. This is accomplished through the following contributions: (i) we propose a candidate selection (CS) algorithm that efficiently matches thousands of vulnerability signatures simultaneously while requiring a small amount of memory; (ii) we propose an automatic, lightweight parsing transition state machine that achieves fast protocol parsing; (iii) we implement the NetShield prototype. Experimental results show that the core engine of NetShield achieves at least 1.9 Gbps signature matching throughput on a 3.8 GHz single-core PC, and scales to at least 11 Gbps on an 8-core CPU for 794 HTTP vulnerability signatures.
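The contrast the abstract draws, between a byte-stream regex and a vulnerability signature evaluated on parsed protocol fields, is illustrated by the following added example. It is not NetShield's code and does not reproduce its CS algorithm or its parsing state machine; it assumes a minimal HTTP request parser, a signature representation as a conjunction of per-field predicates, and a simplified field-by-field candidate narrowing, all chosen here for illustration. The sample requests are constructed, not captured traffic.

```python
import re
from typing import Callable, Dict, List

# Constructed sample HTTP requests (not real traffic).
BENIGN_REQ = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
              b"User-Agent: curl\r\n\r\n")
LONG_URI_REQ = b"GET /" + b"A" * 600 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
# "Polymorphic" variant: same over-long URI condition, different byte content.
POLY_URI_REQ = b"GET /" + b"Zx9" * 200 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
LONG_UA_REQ = (b"GET /x HTTP/1.1\r\nHost: example.test\r\nUser-Agent: "
               + b"B" * 600 + b"\r\n\r\n")

# A content regex tied to one exploit encoding: catches the uniform 'A' payload only.
CONTENT_REGEX = re.compile(rb"GET /A{512,}")


def parse_http_request(raw: bytes) -> Dict[str, str]:
    """Minimal HTTP request parser (assumed, illustrative): returns the request line
    components and headers keyed as 'hdr:<lower-cased name>'."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].split(b" ", 2)
    fields = {"method": method.decode(), "uri": uri.decode(),
              "version": version.decode()}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        fields["hdr:" + name.strip().lower().decode()] = value.strip().decode()
    return fields


# Assumed representation: a vulnerability signature is a conjunction of predicates,
# one per protocol field it constrains. Field names and thresholds are hypothetical.
Predicate = Callable[[str], bool]
Signature = Dict[str, Predicate]

SIGNATURES: Dict[str, Signature] = {
    "sig-long-uri": {"method": lambda v: v == "GET", "uri": lambda v: len(v) > 512},
    "sig-long-ua": {"hdr:user-agent": lambda v: len(v) > 512},
    "sig-post-long-uri": {"method": lambda v: v == "POST", "uri": lambda v: len(v) > 512},
}


def match_candidate_selection(fields: Dict[str, str],
                              signatures: Dict[str, Signature]) -> List[str]:
    """Simplified candidate narrowing (not NetShield's CS algorithm): walk the
    constrained fields in a fixed order and, after each field, keep only the
    signatures that either do not constrain that field or whose predicate holds.
    A signature that constrains a field absent from the message is dropped."""
    order = sorted({f for sig in signatures.values() for f in sig})
    candidates = set(signatures)
    for field in order:
        value = fields.get(field)
        for name in list(candidates):
            pred = signatures[name].get(field)
            if pred is None:
                continue
            if value is None or not pred(value):
                candidates.discard(name)
        if not candidates:
            break
    return sorted(candidates)


def regex_hits(raw: bytes) -> bool:
    """Byte-stream regex check, for comparison with field-level matching."""
    return CONTENT_REGEX.search(raw) is not None


if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQ), ("long-uri", LONG_URI_REQ),
                       ("poly-uri", POLY_URI_REQ), ("long-ua", LONG_UA_REQ)]:
        sigs = match_candidate_selection(parse_http_request(req), SIGNATURES)
        print(f"{label:9s} regex={regex_hits(req)!s:5s} signatures={sigs}")
```

The regex fires on the uniform-'A' request but misses the polymorphic one, while the field-level signature matches both because it tests the actual condition (URI length) rather than the exploit's byte pattern; the candidate set also shrinks after each field, so signatures constraining a field that the message fails or lacks are never evaluated further.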



Dr. Yan Chen is an Associate Professor in the Department of Electrical Engineering and Computer Science at Northwestern University, Evanston, IL. He received his Ph.D. in Computer Science from the University of California at Berkeley in 2003. His research interests include network security, and network measurement and diagnosis for both wired and wireless networks. He won the Department of Energy (DoE) Early CAREER award in 2005, the Department of Defense (DoD) Young Investigator Award in 2007, and the Microsoft Trustworthy Computing Awards in 2004 and 2005 with his colleagues. According to Google Scholar, his papers have been cited over 2,600 times.

Host of Talk:

Hans-Arno Jacobsen (