CT-ISG: Alternate representation of NIDS/NIPS signatures for fast matching

CT-ISG：NIDS/NIPS 签名的替代表示形式，用于快速匹配

• 批准号: 0716538
• 负责人: Somesh Jha
• 金额: $ 35万
• 依托单位: University of Wisconsin-Madison
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-07-15 至 2012-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0716538&HistoricalAwards=false
• 关键词: CT; ISG; Alternate; representation; NIDS

Proposal: 0715358Cristina EstanUniversity of WisconsinCT-ISG: Alternate Representation of NIDS/NIPS signatures for fast matchingNetwork intrusion prevention systems (IPSes) play an important role inprotecting computers against attacks originating from thenetwork. Signature matching is a performance-critical operation thateach IPS must perform: after storing a reassembled TCP-level bytestream or a field of a higher level protocol in a buffer, the IPSneeds to decide whether it matches any of the signatures that describeknown attacks. This project investigates methods for representingsignatures that allow fast matching, require little memory, and cansupport complex signatures expressed as regular expressions.Currently used representations, such as deterministic finite-stateautomata (DFAs) and non-deterministic finite-state automata (NFAs),have severe drawbacks. In general, DFAs enable fast matching but arespace inefficient and NFAs are concise but are slow to matchagainst. Solutions based on multiple DFAs have intermediary matchingspeeds and memory requirements. One of the core reasons why suchsolutions provide unfavorable speed versus memory tradeoffs is thestate-space explosion problem.This project focuses on a novel signature representation thatneutralizes statespace explosion: extended finite automata(XFAs). XFAs extend DFAs with a few bytes of "scratch memory" used tostore bits which record auxiliary information during the matching, orcounters which record progress. When an accepting state is reached,the scratch memory is checked and a match is declared only if it holdssuitable values. Preliminary results on signature sets from Snort andCisco IPS show that compared to solutions using multiple DFAs, XFAscan be 10 times smaller and at the same time 5 times faster insoftware.

提案：0715358 wisconctinct-ISG的克里斯蒂娜河口：替代代表NIDS/NIPS签名，用于快速匹配匹配网络入侵预防系统（IPSES）发挥着重要作用，以保护计算机对源自该零件的攻击的攻击。签名匹配是一个至关重要的操作，IPS必须执行：在存储重新组装的TCP级别的副流或更高级别协议的字段之后，IPSNEEDS决定它是否匹配任何描述攻击的签名。该项目调查了允许快速匹配，几乎不需要记忆的表示签名的方法，并且以正则表达式表示的cansupport复合签名。目前使用的表示形式，例如确定性有限型stateateautomata（DFAS）和非确定性的有限态态自动组（NFAS），具有严重的偏差。通常，DFA可以快速匹配，但ARESPACE效率低下，NFA却很简洁，但对Matchagainst却很慢。基于多个DFA的解决方案具有中介匹配度和内存要求。这样的溶解提供不利速度与内存权衡的核心原因之一是thestate空间爆炸问题。该项目着重于一种新颖的签名表示，使状态空间爆炸不中和化：扩展有限的自动机（XFAS）。 XFA用几个字节的“刮擦存储器”扩展了DFAS，使用的托斯托尔位在匹配中记录辅助信息，记录进度的辅助信息。当达到接受状态时，仅在持有匹配的情况下，才能在持有合适的值时声明匹配记忆。 Snort Andcisco IPS的签名集的初步结果表明，与使用多个DFAS的解决方案相比，Xfascan较小10倍，同时又有5倍的速度不软件。