
Student: 貝理 (Zuhdi Jawad Bali)
Thesis title: Memory Optimization and Performance Evaluation of Traffic Route in Network IDS
Advisor: 孫宏民 (Hung-Min Sun)
Committee members:
Degree: Master
Department: College of Electrical Engineering and Computer Science - Institute of Information Systems and Applications
Year of publication: 2007
Graduation academic year: 95
Language: English
Pages: 90
Keywords: Intrusion detection system, deep packet inspection, NIDS, Bro
Usage statistics: views 4, downloads 0
Abstract: Intrusion detection systems (IDS) were developed to identify and report attacks on computer systems and networks, and on information systems in general, because it has always been difficult to build provably secure information systems that remain in a secure state throughout their operation. The task of an intrusion detection system is therefore to monitor the usage of such systems and to detect the appearance of insecure states throughout their lifetime, in order to avoid serious disruption to network services. Accordingly, we propose to research and implement a framework that realizes a complete packet scan engine, and to evaluate the efficiency of our approach and algorithms on a wide range of data captured from the university campus. The results of these analyses are used to investigate whether the number of packets that the packet scan engine can verify can be determined, in order to reduce the cost of scanning packets that pass through both SNORT and Bro rules. With this framework, large-scale or coordinated anomalies can be detected in real time.


Table of Contents
CHAPTER 1: Introduction
1.1 Introduction
1.2 Related work
1.3 Internet packets system
1.4 Challenges
1.5 Regular Expression and Network Security
1.6 Organization
CHAPTER 2: Background and Literature Review
2.1 Packet Scanning System
2.1.1 Snort
2.1.2 Bro
2.2 Deep packet inspection Systems
2.2.1 Packet Header Processing
2.2.2 Packet Payload Inspections
2.3 Regular expression
2.3.1 Deterministic finite automata DFA
2.3.2 Delay Input Deterministic finite automata D2FA
CHAPTER 3: Methodology and Design
3.1 Approach
3.2 Algorithm Description
3.2.1 Algorithm I
3.2.2 Algorithm II
3.2.2.1 Meaning of different graph
3.2.2.2 Details of Algorithm II
CHAPTER 4: Implementation Phase
4.1 Framework of packet scanning engine
4.1.1 Network Layer
4.1.1.1 Wireshark
4.1.1.2 Sharpcap
4.1.2 Rule Engine Layer
4.1.2.1 VBflex
4.1.2.2 Signatures database
4.1.3 Packet Processing Layer
4.1.3.1 DFA structure
4.1.3.2 Algorithms
4.1.3.3 Packet detection
4.2 Analysis of Simulation Results
4.2.1 Capturing data
4.2.2 Convert bro rules
4.2.3 Processing algorithm
4.2.4 Processing algorithm
4.3 Conclusion
CHAPTER 5: Evaluation and Analysis
5.1 Experimental Setup
5.2 Passing data to normal DFA
5.3 Evaluation of Algorithm I
5.4 Evaluation of Algorithm II
5.5 Comparisons of two proposed algorithms and refine MST in terms of memory
5.6 Comparisons of two proposed algorithms and refine MST in terms of performance
5.7 Conclusion of the test
CHAPTER 6: Conclusions
6.1 Brief review of main contributions
6.2 Future research topic and direction
REFERENCES
APPENDIX

List of Figures
Figure 1-1: Current internet architecture
Figure 2-1: Structure of the Snort system [18]
Figure 2-2: Rule Example for Snort [31]
Figure 2-3: Structure of Bro System [30]
Figure 2-4: Example of Bro Rule
Figure 2-5: DFA Graph of (1(0*)1(0+1)*)+(0(1*)0(0+1)*)
Figure 2-6: Automata example to recognize expressions a+, b+c, and c*d+ [13]
Figure 2-7: The reduction space Graph of figure 2-6.a [13]
Figure 3-1: DFA graph for regular expression (aa + b)*ab(bb)*
Figure 3-2: Two D2FA options for regular expression (aa + b)*ab(bb)*
Figure 3-3: DFA representing the expressions aab*ad+b*ab+db+b+
Figure 3-4: Resulting Graph from Table 3-5
Figure 3-5: Resulting Graph from Table 3-6
Figure 3-6: Resulting D2FA for expressions aab*ad+b*ab+db+b+
Figure 3-7: An example of DFA [13]
Figure 3-8: Two possible Graphs from DFA in figure 3-7
Figure 3-9: Resulting Graph from Table 3-17
Figure 4-1: The framework of packet scanning engine
Figure 4-2: Capturing packets with Wireshark
Figure 4-3: Reading packets using SharpPcap
Figure 4-4: Tables for storing DFA version from Bro Rules
Figure 4-5: Tables for storing DFA version from Bro Rules
Figure 4-6: DFA structure classes
Figure 4-7: Algorithm classes
Figure 4-8: Storing captured packets using Wireshark
Figure 4-9: Example of VBFlex file
Figure 4-10: Using VBFlex to convert Bro rules
Figure 4-11: Using Graph output to represent Bro rule
Figure 4-12: Storing Bro rules into database
Figure 4-13: Reading the graph using algorithm
Figure 4-14: The result of applying Algorithm I
Figure 4-15: Processing all steps with one click
Figure 5-1: Equal Compression in all the algorithms for 52 rules of signature.sig
Figure 5-2: Equal Compression in all the algorithms for 27 rules of web-rules.sig
Figure 5-3: Amount of deleted transitions after applying algorithm on signatures.sig
Figure 5-4: Amount of deleted transitions after applying algorithm on web-rules.sig
Figure 5-5: Number of transitions passing 0.5 GB data into 52 rules of signatures.sig
Figure 5-6: Number of transitions passing 0.5 GB data into 27 rules of web-rules.sig
Figure 5-7: Performance difference between Algorithm I and RMST for signatures.sig
Figure 5-8: Performance difference between Algorithm I and RMST for web-rules.sig
Figure 5-9: Number of transitions passing 0.5 GB data into 52 rules of signatures.sig
Figure 5-10: Number of transitions passing 0.5 GB data into 27 rules of web-rules.sig
Figure 5-11: Performance difference between Algorithm II and RMST for signatures.sig
Figure 5-12: Performance difference between Algorithm II and RMST for web-rules.sig
Figure 5-13: Performance difference between AlgII and AlgI for signatures.sig
Figure 5-14: Performance difference between AlgII and AlgI for web-rules.sig

List of Tables
Table 2-1: Differences and similarities between HiCuts and HyperCuts
Table 3-1: Matrix representation for DFA in Figure 3-3
Table 3-2: Space reduction matrix
Table 3-3: Sorting the destination roots
Table 3-4: Maximum saving value for each destination state
Table 3-5: Select the first root
Table 3-6: Select the children for root Q7
Table 3-7: Resulting matrix after selecting children for root Q7
Table 3-8: Stopping Matrix
Table 3-9: Many roots among same children
Table 3-10: Packet payloads passing DFA in figure 3-7
Table 3-11: Packet payloads passing D2FA in figure 3-8.a and figure 3-8.b
Table 3-12: Matrix for DFA in figure 3-7
Table 3-13: Space reduction matrix result after applying step 4.a in Algorithm II
Table 3-14: Space reduction matrix result after applying step 4.b in Algorithm II
Table 3-15: Space reduction matrix result after applying step 4.c in Algorithm II
Table 3-16: Space reduction matrix result after applying steps 5, 6.a in Algorithm II
Table 3-17: Space reduction matrix after step 6 for one state
Table 5-1: Sample result from passing packets on normal DFA
Table 5-2: Sample result from testing Algorithm I on signature.sig
Table 5-3: Sample result from passing packets into the resulting D2FA from AlgI
Table 5-4: Sample result from testing Algorithm II on signature.sig
Table 5-5: Sample result from passing packets into the resulting D2FA from AlgII
Table 5-6: Comparison between the three algorithms

    [1] S. T. Shafer and M. Jones, "Network edge courts apps," 2002, http://infoworld.com/article/02/05/27/020527newebdev_1.html

    [2] A. V. Aho and M. J. Corasick, "Efficient String Matching: An Aid to Bibliographic Search," in Communications of the ACM, Vol. 18, 1975, pp. 333-340.

    [3] B. Commentz-Walter, "A String Matching Algorithm Fast on the Average," in ICALP, LNCS, vol. 6, 1979, pp. 118-132.

    [4] S. Wu and U. Manber, "A Fast Algorithm for Multi-Pattern Searching," Computer Science, University of Arizona, TR 94-17, May 1994.

    [5] N. Tuck, T. Sherwood, B. Calder, and G. Varghese, "Deterministic Memory-Efficient String Matching Algorithms for Intrusion Detection," in IEEE Infocom, 2004, pp. 333-340.

    [6] L. Tan and T. Sherwood, "A High Throughput String Matching Architecture for Intrusion Detection and Prevention," in Proc. 32nd Annual International Symposium on Computer Architecture (LISA), Madison, Wisconsin, 2005, pp. 112-122.

    [7] I. Sourdis and D. Pnevmatikatos, "Pre-decoded CAMs for Efficient and High-Speed NIDS Pattern Matching," in Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), California, 2004, pp. 258-267.

    [8] S. Yusuf and W. Luk, "Bitwise Optimised CAM for Network Intrusion Detection Systems," in IEEE Field Programmable Logic and Applications, 2005, pp. 311-321.

    [9] R. Sommer and V. Paxson, "Enhancing byte-level network intrusion detection signatures with context," in Proc. of the ACM Conference on Computer and Communications Security (CCS), 2003, pp. 262-271.

    [10] "TippingPoint X505," www.tippingpoint.com/products_ips.html.

    [11] "Cisco IOS IPS Deployment Guide," www.cisco.com.

    [12] F. Yu, Z. Chen, Y. Diao, T. V. Lakshman, and R. H. Katz, "Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection," in Applied Cryptography and Network Security, 2006, pp. 3-7.

    [13] S. Kumar, S. Dharmapurikar, F. Yu, P. Crowley, and J. Turner, "Algorithms to Accelerate Multiple Regular Expressions Matching for Deep Packet Inspection," in Proc. ACM SIGCOMM, 2006, pp. 342-344.

    [14] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer Worm," in Proceedings of IEEE Security and Privacy, Vol. 1, 2003, pp. 33-99.

    [15] G. Memik, S. O. Memik, and W. H. Mangione-Smith, "Design and Analysis of a Layer Seven Network Processor Accelerator Using Reconfigurable Logic," in IEEE Symposium on Field-Programmable Custom Computing Machines, April 2002, pp. 131-140.

    [16] J. H. Saltzer, D. P. Reed, and D. D. Clark, "End-To-End Arguments in System Design," in ACM Transactions on Computer Systems, Vol. 2, No. 4, 1984, pp. 277-288.

    [17] "ISC Domain Survey: Number of Internet Hosts," http://www.isc.org/index.pl?/ops/ds/host-count-history.php

    [18] "SNORT Network Intrusion Detection System," http://www.snort.org.

    [19] "Bro Intrusion Detection System," http://bro-ids.org/Overview.html.

    [20] "CERT® Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL," 2002, http://www.cert.org/advisories/CA-2001-19.html

    [21] H. Zimmermann, "OSI Reference Model - The ISO Model of Architecture for Open Systems Interconnection," in IEEE Transactions on Communications, No. 4, 1980, pp. 425-432.

    [22] P. Gupta and N. McKeown, "Packet Classification on Multiple Fields," in ACM SIGCOMM, Vol. 29, No. 4, 1999, pp. 147-160.

    [23] S. Singh, F. Baboescu, G. Varghese, and J. Wang, "Packet Classification Using Multidimensional Cutting," in Proc. ACM SIGCOMM, 2003, pp. 213-224.

    [24] "Cisco 2800 Series Integrated Services Routers: Network Security Features on the Cisco Integrated Services Routers," http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd80169b0a.html.

    [25] S. C. Kleene, "Representation of events in nerve nets and finite automata," in C. E. Shannon and J. McCarthy, editors, Automata Studies, Princeton University Press, Princeton, N.J., 1956, pp. 3-42.

    [26] A. V. Aho, R. Sethi, and J. D. Ullman, Compilers: Principles, Techniques and Tools, Addison-Wesley, Reading, MA, 1986.

    [27] "Data-Based Decision Making," http://www.ael.org

    [28] "Wireshark Network Protocol Analyzer," http://www.wireshark.org

    [29] "Flex: The Fast Lexical Analyzer," http://flex.sourceforge.net/

    [30] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," in Proceedings of the 7th USENIX Security Symposium, 1998, p. 3.

    [31] F. Yu, R. H. Katz, and T. V. Lakshman, "Efficient Multimatch Packet Classification and Lookup with TCAM," in IEEE Symposium on High Performance Interconnects, 2005, p. 51.

    Full-text release date: full text not authorized for public release (on-campus network)
    Full-text release date: full text not authorized for public release (off-campus network)
    Full-text release date: full text not authorized for public release (National Central Library: Taiwan NDLTD system)