1 / 29

Space-Time Tradeoffs in Software-Based Deep Packet Inspection

Space-Time Tradeoffs in Software-Based Deep Packet Inspection. Anat Bremler - Barr Yotam Harchol ⋆ David Hay IDC Herzliya , Israel Hebrew University, Israel . OWASP Israel 2011. (Was also presented in IEEE HPSR 2011).

carina
Download Presentation

Space-Time Tradeoffs in Software-Based Deep Packet Inspection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Space-Time Tradeoffs in Software-Based Deep Packet Inspection AnatBremler-Barr Yotam Harchol⋆David Hay IDC Herzliya, Israel Hebrew University, Israel . OWASP Israel 2011 (Was also presented in IEEE HPSR 2011) Parts of this work were supported by European Research Council (ERC) Starting Grant no. 259085 ⋆ Supported by the Check Point Institute for Information Security

  2. Outline Motivation Background New Compression Techniques Experimental Results Conclusions

  3. Network Intrusion Detection Systems • Classify packets according to: • Header fields:Source IP & port, destination IP & port, protocol, etc. • Packet payload (data) Internet IP packet Deep Packet Inspection Motivation

  4. Deep Packet Inspection The environment: High Capacity Slow Memory Locality-based Low Capacity Fast Memory Cache Memory (D)RAM Motivation Motivation

  5. Our Contributions Literature assumption: try to fit data structure in cache  Efforts to compress the data structures Our paper: Is it beneficial? • In reality, even in non-compressed implementation, most memory accesses are done to the cache BUT • One can attackthe non-compressed implementation by reducing its locality, getting it out of cache - and making it much slower! How to mitigate this attack? • Compress even further - our new techniques: 60% less memory Motivation

  6. Complexity DoS Attack • Find a gap between average case and worst case • Engineer input that exploits this gap • Launch a Denial of Service attack on the system Real-Life Traffic Internet Throughput Motivation

  7. Outline Motivation Background New Compression Techniques Experimental Results Conclusions

  8. Aho-Corasick Algorithm [Aho, Corasick; 1975] s0 • Build a Deterministic Finite Automaton • Traverse the DFA, byte by byte • Accepting state pattern found • Example:{E, BE, BD, BCD, CDBCAB, BCAA} E E C s0 C B C E B B s1 s2 s7 s2 C B C B D D C E B E B s3 s4 s5 s8 E C E s5 D D A B D E B s9 s13 s6 s9 C s6 C B A B C s14 s10 s10 E C A E s11 Input: s11 BCDBCAB B C E B s12 s12 Background

  9. Aho-Corasick Algorithm [Aho, Corasick; 1975] • Naïveimplementation:Represent the transition functionin a table of |Σ|×|S| entries • Σ: alphabet • S: set of states • Lookup time: one memory accessper input symbol • Space: In reality: 70MB to gigabytes… Background

  10. Potential Complexity DoS Attack s0 E C • Exhaustive Traversal Adversarial Traffic • Traverses as much states of the automaton • Bad locality - Bad for naïve implementation(will not utilize cache) B s1 s2 s7 D E D C s3 s4 s5 s8 D B A s9 s13 s6 A C s14 s10 A s11 B s12 Background

  11. Alternative Implementation [Aho, Corasick; 1975] s0 • Failure transition goes to the state that matches the longest suffix of the input so far • Lookup time: at most two memory accesses per input symbol (via amortized analysis) • Space: at most, # of symbols in pattern set, depends on implementation Forward Transition E E C s0 C Failure Transition B C E B B s1 s2 s7 s1 s7 C B C B D D C E B E B s3 s4 s5 s8 E C E s5 D D A B D E B s9 s13 s6 B C C A B C s14 s10 s10 E C A E s11 B C E B s12 Background

  12. Potential Complexity DoS Attack s0 E C • Exhaustive Traversal Adversarial Traffic • Traverses as much states of the automaton • Bad locality - Bad for naïve implementation(will not utilize cache) • Failure-path Traversal Adversarial Traffic • Traverses as much failure transitions • Bad for failure-path based automaton(as much memory accesses per input symbol) B s1 s2 s7 D E D C s3 s4 s5 s8 D B A s9 s13 s6 A C s14 s10 A s11 B s12 Background

  13. Prior Work: Compress the State Representation s0 s0 E E C C B B s1 s1 s2 s2 s7 s7 D D E E D D C C failure: failure: match: match: s3 s4 s3 s4 s5 s5 s8 s8 size: D D B B A A Lookup Table Linear Encoded s9 s9 s13 s13 s6 s6 A A C C Bitmap: Can count bits usingpopcnt instruction Length=|Σ| s14 s14 s10 s10 A A failure: match: s11 s11 B B Bitmap Encoded s12 s12 Background Experimental Results Conclusions

  14. Outline Motivation Background New Compression Techniques Experimental Results Conclusions

  15. Path Compression s0 s0 s0 • One-way branches can berepresented using a single state • Similarly to PATRICIA tries • Problem: Incoming failure transitions • Solution: Compress only states withno incoming failure transitions E C E E C C B B B s1 s2 s7 s1 s1 s2 s2 s7 s7 (B) D D C E D D D D C C E E s3 s4 s5 s8 s3 s3 s4 s4 s5 s5 s8 s8 (BC) D A BCAB D D A A B B s9' s13 s6 s9 s9 s13 s13 s6 s6 (BCA) A C C A A s14 s14 s14 s10 s10 (BCAB) 100% A A s11 s11 75% 2004 B B Tuck et al. Our PathCompression s12 s12 New Compression Techniques

  16. Leaves Compression E* s0 s0 s0 E C C E* C • By definition, leaves have noforward transitions • Their single purpose is to indicatea match • We can push this indication up byadding a bit to each pointer • Then, leaves can be eliminated from theautomaton - by copying their failuretransition up B B B D* s1 s2 s2 s7 s7 s1 s2 s7 (B) (B) (B) E* D D E D C C D E* C D* s3 s4 s5 s5 s3 s4 s8' s8' s5 s8' A* (BC) (BC) (BC) D* BCAB* D BCAB A A A D* s13 s6 s9' BCAB* s13 s13 s6 s9' (BCA) A* A (BCA) s14 (BCA) s14 3% more space reduction Reduces number of transitions taken New Compression Techniques

  17. Pointer Compression In Snort IDS pattern-set, 79% of the fail pointers point to states in depths 0, 1, 2 Add two bits to encode depth of pointer: 00: Depth 0 01: Depth 1 10: Depth 2 11: Depth 3 and deeper 16 bits pointer 2 bits Depth ≤ 2 16 bits pointer 2 bits 16 bits pointer Depth > 2 11 New Compression Techniques

  18. Pointer Compression Determine next state from pointer depth: • 0: Go to root • 1: Use a lookup table using last symbol • 2: Use a hash table using last two symbols • ≥ 3: Use the stored pointer Depth 1 Lookup Table: Depth 2 Hash Table: Last 2 symbols 100% 75% 2004 hash table Tuck et al. 41% Our PathCompression Pointer Comp. Next state New Compression Techniques

  19. Function Inlining • Compressed implementation makes more memory accesses • Initial implementation was based on a few functions calling each other • Avoiding function calls (by inlining their code) reduced total number of memory reads by 36% New Compression Techniques

  20. Outline Motivation Background New Compression Techniques Experimental Results Conclusions

  21. Experimental Setup Test Systems Pattern-Sets Real-life traffic logs taken from MIT DARPA * We used only half of ClamAV signatures for our tests Experimental Results

  22. Space Requirement 722.14 Memory Footprint [MB] 2.59 1.5 Experimental Results

  23. Memory Accesses per Input Symbol Experimental Results

  24. L1 Data Cache Miss Rate Intel Core 2 Duo (2 cores) 16KB L1 Data Cache 3MB L2 Cache L1 Data Cache Miss Rate Experimental Results

  25. L2 Cache Miss Rate Intel Core 2 Duo (2 cores) 16KB L1 Data Cache 3MB L2 Cache Real-Life Traffic: 0.7% L2 Cache Miss Rate Adversarial Traffic: 23%L2 Cache Miss Rate L2 Cache Miss Rate Maximal L2 Miss Rate: 0.06% Experimental Results

  26. Experimental Results Space vs. Time: Naïve Implementation -86% OurImplementation Experimental Results

  27. Outline Motivation Background New Compression Techniques Experimental Results Conclusions

  28. Conclusions It is crucial to model the cache in software-based Deep Packet Inspection: • Naïve Aho-Corasick implementationhas a huge memory footprint, but works well on real-life traffic due to locality of reference • Naïve implementation can be easily attacked,making it 7 times slower, even though it has constant number of memory accesses We also show new compression techniques: • 60% less memory than best prior-art compression • Stable throughput, better performance under attacks Naïve Aho-Corasick implementation Conclusions

  29. Questions? Thank you!

More Related