NetShield: Matching with a
Large Vulnerability Signature Ruleset
for High Performance Network Defense
Yan Chen
Department of Electrical Engineering and
Computer Science
Northwestern University
Thursday, October 22, 4pm
Location: BA 1210
Abstract:
Accuracy and speed are the
two most important metrics for Network Intrusion Detection or Prevention Systems
(NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many
cases regular expressions (regexes) cannot capture the vulnerability conditions
accurately, the accuracy of existing regex-based NIDS/NIPS systems has become a
serious problem. In contrast, the recently-proposed vulnerability signatures
exactly describe the vulnerability conditions and achieve better accuracy.
However, when applying vulnerability signatures to high speed NIDS/NIPS with a
large ruleset, how to efficiently match them is an untouched but challenging
issue.
This paper presents the design of NetShield, a vulnerability signature based
NIDS/NIPS which achieves multi-gigabit throughput while offering much better
accuracy. This is accomplished because of the following contributions: (i) we
propose a candidate selection (CS) algorithm which efficiently matches thousands
of vulnerability signatures simultaneously requiring a small amount of memory;
(ii) we propose an automatic lightweight parsing transition state machine that
achieves fast protocol parsing; (iii) we implement the NetShield prototype.
Experimental results show that the core engine of NetShield achieves at least
1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can
scale up to at least 11+Gbps on an 8-core CPU for 794 HTTP vulnerability
signatures.
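The contrast the abstract draws between regex signatures and vulnerability signatures is easiest to see on a concrete request. The following is an added illustration, not NetShield's code and not the paper's candidate selection algorithm: it assumes a hypothetical HTTP server that overflows a 256-byte buffer when the request-URI exceeds that length (a constructed condition, not a real CVE), shows a byte-pattern regex written against the original exploit missing a polymorphic variant, and then matches a small set of constructed vulnerability signatures against parsed protocol fields, narrowing the candidate set field by field. The signature IDs, field names and thresholds are all assumptions made for the example.

```python
import re
from typing import Callable, Dict, List, NamedTuple

# --- Constructed sample traffic (assumptions for this example, not from the paper) ---
# The hypothetical server is assumed to overflow when the request-URI is longer
# than 256 bytes; the "original" exploit padded the URI with "A".
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
EXPLOIT_ORIG = b"GET /" + b"A" * 300 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
# A polymorphic variant: same overlong URI, different filler bytes ("a".."z" repeated).
EXPLOIT_POLY = b"GET /" + bytes(range(0x61, 0x7B)) * 12 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"

# A regex signature written against the bytes of the original exploit.
REGEX_SIG = re.compile(rb"^GET /A{200,}")


def regex_matches(raw: bytes) -> bool:
    """Regex-based detection: keys on the exploit's byte pattern, not the vulnerability."""
    return REGEX_SIG.search(raw) is not None


class Request(NamedTuple):
    method: bytes
    uri: bytes
    version: bytes
    headers: Dict[bytes, bytes]


def parse_http_request(raw: bytes) -> Request:
    """Minimal HTTP request-line and header parser (sufficient for the constructed samples)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, version = parts
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, version, headers)


class VulnSig(NamedTuple):
    sig_id: str
    # Each predicate is evaluated on one parsed protocol field; all must hold.
    predicates: Dict[str, Callable[[bytes], bool]]


# Constructed vulnerability signatures: conditions over parsed fields, not byte patterns.
SIGNATURES: List[VulnSig] = [
    VulnSig("VS-1", {"method": lambda v: v == b"GET", "uri": lambda v: len(v) > 256}),
    VulnSig("VS-2", {"header:host": lambda v: len(v) > 128}),
    VulnSig("VS-3", {"method": lambda v: v == b"TRACE"}),
]

# Fields are evaluated in parsing order so that non-matching signatures drop out early.
FIELD_ORDER = ["method", "uri", "version", "header:host"]


def field_value(req: Request, name: str) -> bytes:
    if name.startswith("header:"):
        return req.headers.get(name[len("header:"):].encode(), b"")
    return getattr(req, name)


def match_vuln_sigs(req: Request, sigs: List[VulnSig]) -> List[str]:
    """Simplified candidate narrowing (an assumption of this example, not the paper's CS
    algorithm): start with every signature as a candidate and discard a signature as soon
    as one of its field predicates fails, checking fields in FIELD_ORDER."""
    by_id = {s.sig_id: s for s in sigs}
    candidates = set(by_id)
    for fname in FIELD_ORDER:
        value = field_value(req, fname)
        for sid in list(candidates):
            pred = by_id[sid].predicates.get(fname)
            if pred is not None and not pred(value):
                candidates.discard(sid)
        if not candidates:
            break
    return sorted(candidates)


def vuln_matches(raw: bytes) -> List[str]:
    """Vulnerability-signature detection over the parsed request; returns matching IDs."""
    return match_vuln_sigs(parse_http_request(raw), SIGNATURES)


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("original", EXPLOIT_ORIG), ("polymorphic", EXPLOIT_POLY)]:
        print(f"{label:12s} regex={regex_matches(sample)!s:5s} vuln-sigs={vuln_matches(sample)}")
```

Run as a script it prints one line per sample: the regex flags only the original exploit, while the parsed-field signature VS-1 fires on both the original and the polymorphic variant and stays silent on the benign request. The per-field narrowing is the part that has to scale to thousands of signatures in a real engine; here it only shows the shape of the problem the abstract describes.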
Bio:
Dr. Yan Chen is an Associate Professor in the Department of Electrical Engineering and
Computer Science at Northwestern University, Evanston, IL. He received his Ph.D. in
Computer Science from the University of California, Berkeley in 2003. His research
interests include network security, and network measurement and diagnosis for
both wired and wireless networks. He won the Department of Energy (DoE) Early
CAREER award in 2005, the Department of Defense (DoD) Young Investigator Award
in 2007, and the Microsoft Trustworthy Computing Awards in 2004 and 2005 with
his colleagues. According to Google Scholar, his papers have been cited over
2,600 times.
Host of Talk:
Hans-Arno Jacobsen (jacobsen@eecg.toronto.edu)