A workload for evaluating deep packet inspection architectures

Becchi, Michela; Franklin, Mark A.; Crowley, Patrick

doi:10.1109/iiswc.2008.4636093

Cited by 101 publications

(82 citation statements)

References 16 publications

(44 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since the NIDS is most burdened under matching traffic a rule-derived traffic generator is the logical choice for imposing load on the target system [7], [8]. The rule-derived traffic model fills the payload of a packet using a sequence of bytes built through a random traversal of the very automaton used by the NIDS to match traffic.…”

Section: Workload Generation For Signature-based Nidsmentioning

confidence: 99%

“…2 evaluation techniques for NIDS are often inadequate. The makeup of the traffic typically lacks the diversity to sufficiently evaluate the NIDS [7], [8], [19]. The primary problem is that most traffic generators focus on creating realistic traffic, not on creating traffic to specifically stress the detection algorithms of NIDS.…”

Section: Introductionmentioning

confidence: 99%

“…Generating traffic derived from the NIDS rules database has been proposed as a more effective evaluation of NIDS [7], [8]. These methods produce payloads as part of a random walk through a finite automata derived from the NIDS rules.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Grammar-Driven Workload Generation for Efficient Evaluation of Signature-Based Network Intrusion Detection Systems

Shao¹,

Kim²,

Valgenti³

et al. 2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYNetwork Intrusion Detection Systems (NIDS) are deployed to protect computer networks from malicious attacks. Proper evaluation of NIDS requires more scrutiny than the evaluation for general network appliances. This evaluation is commonly performed by sending pregenerated traffic through the NIDS. Unfortunately, this technique is often limited in diversity resulting in evaluations incapable of examining the complex data structures employed by NIDS. More sophisticated methods that generate workload directly from NIDS rules consume excessive resources and are incapable of running in real-time. This work proposes a novel approach to real-time workload generation for NIDS evaluation to improve evaluation diversity while maintaining much higher throughput. This work proposes a generative grammar which represents an optimized version of a context-free grammar derived from the set of strings matching to the given NIDS rule database. The grammar is memory-efficient and computationally light when generating workload. Experiments demonstrate that grammar-generated workloads exert an order of magnitude more effort on the target NIDS. Even better, this improved diversity comes at much smaller cost in memory and speeds four times faster than current approaches.

show abstract

Section: Workload Generation For Signature-based Nidsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Grammar-Driven Workload Generation for Efficient Evaluation of Signature-Based Network Intrusion Detection Systems

Shao¹,

Kim²,

Valgenti³

et al. 2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Performance and scalability of regex-based traffic classification has been extensively studied [4,18,44]. Alternative protocol identification strategies that have been explored include using packet sizes and timings [6,51], the types and number connections initiated by a host (its "social behavior") [23,26], and various machine learning techniques [33,34,55].…”

Section: Related Workmentioning

confidence: 99%

Protocol misidentification made easy with format-transforming encryption

Dyer

Coull²,

Ristenpart

et al. 2013

Proceedings of the 2013 ACM SIGSAC Conference on Computer &Amp; Communications Security - CCS '13

View full text Add to dashboard Cite

Deep packet inspection (DPI) technologies provide muchneeded visibility and control of network traffic using portindependent protocol identification, where a network flow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the first comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adversaries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic primitive called format-transforming encryption (FTE), which, intuitively, extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbitrary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and only 16% more bandwidth than standard SSH tunnels. Finally, we integrate our FTE proxy into Tor and demonstrate that it evades realworld censorship by the Great Firewall of China.

show abstract

“…In [7], the skewness in network traffic distribution was utilized to yield effective attacks. Recently, attacks based on algorithmic complexity were proposed for Snort [8], [9] and regular expression matching systems [10].…”

Section: B Related Workmentioning

confidence: 99%

Attacking Pattern Matching Algorithms Based on the Gap between Average-Case and Worst-Case Complexity

Liu¹,

Liu²,

Li³

et al. 2013

JACN

View full text Add to dashboard Cite

Abstract-We have developed an effective method to generate attack data for widely-used pattern matching algorithms. Perceived to be a fundamental problem in the field of computer science, pattern matching has received extensive attention in research and has been used in a variety of fields to include information retrieval, computational biology, information security, etc. The extensive applications of pattern matching are mainly rooted in the fact that pattern matching algorithms, such as SBOM and WuManber, typically have a low time-complexity. However, in the worst case time-complexities of algorithms are very high, making pattern matching algorithms vulnerable to algorithmic complexity attacks (in other words, one might significantly slow down pattern matching algorithms simply by feeding them with specifically-designed text). In this study, we investigated this potential vulnerability by proposing a dynamic programming method designed to attack text having knowledge of patterns. Experimental results suggest that SBOM and WuManber run the specifically-designed text slower than random text (real text). Interestingly, it has been observed that the attacking method is still effective even when parts of patterns are only known, meaning that even a leak of small proportions has the potential to lead to severe attacks. Finally, we propose some suggestions to reduce the risks of these attacks. To the best of our knowledge, this is the first time that an attacking pattern matching approach is proposed based on algorithm complexity.Index Terms-Computer security, algorithmic complexity attacks, pattern matching, SBOM algorithm, WuManber algorithm.

show abstract

A workload for evaluating deep packet inspection architectures

Cited by 101 publications

References 16 publications

Grammar-Driven Workload Generation for Efficient Evaluation of Signature-Based Network Intrusion Detection Systems

Grammar-Driven Workload Generation for Efficient Evaluation of Signature-Based Network Intrusion Detection Systems

Protocol misidentification made easy with format-transforming encryption

Attacking Pattern Matching Algorithms Based on the Gap between Average-Case and Worst-Case Complexity

Contact Info

Product

Resources

About