High-Speed Matching of Vulnerability Signatures

Authors:
Nabil Schear;David R. Albrecht;Nikita Borisov
Affiliations:
Department of Computer Science, University of Illinois at Urbana---Champaign,;Department of Electrical and Computer Engineering, University of Illinois at Urbana---Champaign,;Department of Electrical and Computer Engineering, University of Illinois at Urbana---Champaign,
Venue:
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Year:
2008

Citing 20
Cited 5

Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
A fast string searching algorithm

Communications of the ACM
Efficient string matching: an aid to bibliographic search

Communications of the ACM
Shield: vulnerability-driven network filters for preventing known vulnerability exploits

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Scalable Pattern Matching for High Speed Networks

FCCM '04 Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
SPARE parts: a C++ toolkit for string pattern recognition

Software—Practice & Experience
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Higher-Order Perl: Transforming Programs with Programs

Higher-Order Perl: Transforming Programs with Programs
Fast and automated generation of attack signatures: a basis for building self-protecting servers

Proceedings of the 12th ACM conference on Computer and communications security
Towards Automatic Generation of Vulnerability-Based Signatures

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching

Proceedings of the 33rd annual international symposium on Computer Architecture
binpac: a yacc for writing application protocol parsers

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Protomatching network traffic for high throughputnetwork intrusion detection

Proceedings of the 13th ACM conference on Computer and communications security
Security holes... who cares?

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Dynamic application-layer protocol analysis for network intrusion detection

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Creating Vulnerability Signatures Using Weakest Preconditions

CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Supercharging planetlab: a high performance, multi-application, overlay network platform

Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
XFA: Faster Signature Matching with Extended Automata

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
SafeCard: a gigabit IPS on the network card

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

NetShield: massive semantics-based vulnerability signature matching for high-speed networks

Proceedings of the ACM SIGCOMM 2010 conference
Towards vulnerability-based intrusion detection with event processing

Proceedings of the 5th ACM international conference on Distributed event-based system
Fast, memory-efficient regular expression matching with NFA-OBDDs

Computer Networks: The International Journal of Computer and Telecommunications Networking
Indices of power in optimal IDS default configuration: theory and examples

GameSec'11 Proceedings of the Second international conference on Decision and Game Theory for Security
Editorial: Recent developments in high performance computing and security: An editorial

Future Generation Computer Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Vulnerability signatures offer better precision and flexibility than exploit signatures when detecting network attacks. We show that it is possible to detect vulnerability signatures in high-performance network intrusion detection systems, by developing a matching architecture that is specialized to the task of vulnerability signatures. Our architecture is based upon: i) the use of high-speed pattern matchers, together with control logic, instead of recursive parsing, ii) the limited nature and careful management of implicit state, and iii) the ability to avoid parsing large fragments of the message not relevant to a vulnerability.We have built a prototype implementation of our architecture and vulnerability specification language, called VESPA, capable of detecting vulnerabilities in both text and binary protocols. We show that, compared to full protocol parsing, we can achieve 3x or better speedup, and thus detect vulnerabilities in most protocols at a speed of 1 Gbps or more. Our architecture is also well-adapted to being integrated with network processors or other special-purpose hardware. We show that for text protocols, pattern matching dominates our workload and great performance improvements can result from hardware acceleration.