O3FA: A Scalable Finite Automata-based Pattern-Matching Engine for Out-of-Order Deep Packet Inspection

Published: 17 March 2016

Abstract

To match the signatures of malicious traffic across packet boundaries, network-intrusion detection (and prevention) systems (NIDS) typically perform pattern matching after flow reassembly or packet reordering. However, this may require large packet buffers, making detection vulnerable to denial-of-service (DoS) attacks in which attackers exhaust the buffer capacity by sending long sequences of out-of-order packets. While researchers have proposed solutions for exact-match patterns, regular-expression matching on out-of-order packets is still an open problem. Specifically, a key challenge is the matching of complex sub-patterns (such as repetitions of wildcards matched at the boundary between packets). Our proposed approach leverages the insight that various segments matching the same repetitive sub-pattern are logically equivalent to the regular-expression matching engine, and thus interchanging them would not affect the final result. In this paper, we present O3FA, a new finite automata-based, deep packet-inspection engine that performs regular-expression matching on out-of-order packets without requiring flow reassembly. O3FA consists of a deterministic finite automaton (FA) coupled with a set of prefix-/suffix-FA, which allows out-of-order packets to be processed on the fly. We present our design, optimization, and evaluation of the O3FA engine. Our experiments show that our design requires 20x-4000x less buffer space than conventional buffering-and-reassembling schemes on various datasets and that it can process packets in real time, i.e., without reassembly.
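The following is an added illustration of the abstract's central insight and is not code from the O3FA paper: a hand-built DFA for the constructed signature `ab.*cd` summarises each packet as a map from entry state to exit state, so packets with identical maps are equivalent to the matcher and packets whose maps commute can be consumed in either order without buffering. The signature, packet contents and function names are assumptions of this example.

```python
"""Transition-function view of out-of-order DFA matching (added example).

DFA for the constructed signature  ab.*cd  over single-byte characters.
States: 0 = nothing matched, 1 = saw 'a', 2 = saw 'ab' (inside the .* loop),
3 = saw 'ab' then 'c', 4 = matched 'ab.*cd' (sticky accept state).
"""
from typing import Sequence, Tuple

START, ACCEPT, NSTATES = 0, 4, 5
# Explicit transitions; any byte not listed takes the state's default edge.
_TABLE = {0: {"a": 1}, 1: {"a": 1, "b": 2}, 2: {"c": 3}, 3: {"c": 3, "d": 4}, 4: {}}
_DEFAULT = {0: 0, 1: 0, 2: 2, 3: 2, 4: 4}

def step(state: int, byte: str) -> int:
    return _TABLE[state].get(byte, _DEFAULT[state])

def packet_fn(packet: str) -> Tuple[int, ...]:
    """Summarise a packet as the map 'entry state -> exit state'.

    Two packets with the same map are indistinguishable to the matcher,
    whatever their bytes look like (the abstract's 'logically equivalent').
    """
    exits = []
    for entry in range(NSTATES):
        s = entry
        for ch in packet:
            s = step(s, ch)
        exits.append(s)
    return tuple(exits)

def compose(first: Tuple[int, ...], second: Tuple[int, ...]) -> Tuple[int, ...]:
    """Map for 'first packet, then second packet' in flow order."""
    return tuple(second[first[s]] for s in range(NSTATES))

def interchangeable(p: str, q: str) -> bool:
    """True if p and q may be consumed in either order with the same result."""
    fp, fq = packet_fn(p), packet_fn(q)
    return compose(fp, fq) == compose(fq, fp)

def scan(packets: Sequence[str]) -> bool:
    """Feed packets in the given order; report whether the signature matched."""
    state = START
    for pkt in packets:
        state = packet_fn(pkt)[state]
    return state == ACCEPT

if __name__ == "__main__":
    # Constructed flow: 'hello' and 'world' both only feed the .* loop.
    flow = ["xab", "hello", "world", "cd"]
    print(packet_fn("hello") == packet_fn("world"))   # True: equivalent segments
    print(scan(flow), scan(["xab", "world", "hello", "cd"]))  # True True
    print(interchangeable("xab", "cd"))               # False: order matters here
```

Packets that touch only the repetitive sub-pattern collapse to the same map and commute with each other, which is exactly what lets them be matched on arrival instead of being held until the gap before them is filled.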



Published In

ANCS '16: Proceedings of the 2016 Symposium on Architectures for Networking and Communications Systems
March 2016
148 pages
ISBN: 9781450341837
DOI: 10.1145/2881025

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. finite automata
2. intrusion detection systems
3. out-of-order deep packet inspection
4. regular expressions

Qualifiers

• Research-article

Funding Sources

• The Institute for Critical Technology and Applied Science (ICTAS), an institute dedicated to transformative, interdisciplinary research for a sustainable future (http://www.ictas.vt.edu)
• National Science Foundation

Conference

ANCS '16

Acceptance Rates

ANCS '16 Paper Acceptance Rate: 12 of 58 submissions, 21%
Overall Acceptance Rate: 88 of 314 submissions, 28%
