Towards High Speed Network Defense

1
Towards High Speed Network Defense

• Zhichun Li
• EECS Deparment
• Northwestern University

2
Agenda

• Briefly introduce my thesis work
• Dive in high performance vulnerability signature
  matching
• Future research directions

3
Motivation
Attackers
Botnets
Professional attackers exploit the enterprise
networks for profit
Worms
4
Network Level Defense

• Network gateways/routers are the vantage points
  for detecting large scale attacks
• Only host based detection/prevention is not
  enough for modern enterprise networks
• Some users do not apply the host-based schemes
  due to the reliability, overhead, and conflicts.
• Many users do not update or patch their system on
  time.
• Enterprises cannot only reply on their end users
  for security protection

5
Challenges

• Scalable to high speed networks with a large
  number of users
• Need to be highly accurate
• Adapt fast to the emerging threats
• Have good attack coverage.

6
Network-based Intrusion Detection, Prevention,
and Forensics System

• Framework

Scalability
(I) Sketch based monitoring detection
Accuracy Scalability Coverage
Accuracy adapt fast
(III) Signature matching engines
(II) Polymorphic worm signature generation
Packet streams
(IV) Network Situational Awareness
Honynet honeyfarms
Accuracy adapt fast
7
Network-based Intrusion Detection, Prevention,
and Forensics System (I)

• Online traffic monitoring and recording
• INFOCOM 2006, ToN 2007 (cited by 30)
• Reversible sketch for data streaming computation
• Record millions of flows (GB traffic) in a few
  hundred KB
• Small of memory access per packet
• Scalable to large key space size (232 or 264)
• Online sketch-based flow-level anomaly detection
• IEEE ICDCS 2006 IEEE CGA, Security
  Visualization 2006
• Detect TCP SYN flooding, horizontal and vertical
  scans even when mixed

7
8
Network-based Intrusion Detection, Prevention,
and Forensics System (II)

• Polymorphic worm signature generation
• Token based Signature IEEE Symposium on Security
  and Privacy 2006 (cited by 40, code requested
  by Columbia U. UT Austin, Purdue, Georgia Tech,
  UC Davis, etc)
• Network based Vulnerability Signature IEEE ICNP
  2007 NSF Cyber Trust Award

Network gateway
Internet
Our network
8
9
Network-based Intrusion Detection, Prevention,
and Forensics System (III)

• NetShield Vulnerability Signature based NIDS/NIPS
  under submission NSF Cyber Trust Award
  (interested by Cisco and Juniper)

Focus of this talk, details come later
9
10
Network-based Intrusion Detection, Prevention,
and Forensics System (IV)

• Large-scale botnet and P2P misconfiguration event
  situational-aware forensics
• Botnet attack target/strategy inference
  ASIACCS09
• Root cause analysis of the P2P misconfiguration/po
  isoning traffic under submission

10
11
NetShied Matching a Large vulnerability
Signature Ruleset for High Performance Network
Defense
12
NetShield Overview

• NIDS/NIPS (Network Intrusion
  Detection/Prevention System) operation

NIDS/NIPS
Packets

• Accuracy
• Speed
• Attack Coverage

Security alerts
13
State of the art
Regular expression (regex) based approaches
Example .Abc.\x90de\r\n30

• Pros
• Can efficiently match multiple sigs
  simultaneously, through DFA
• Can describe the syntactic context

• Cons
• Limited expressive power
• Cannot describe the semantic context
• Inaccurate

14
State of the art
Vulnerability Signature Wang et al. 04
Example BIND rpc_vers5 rpc_vers_minor1
packed_drep\x10\x00\x00\x00
context0.abstract_syntax.uuidUUID_RemoteActivat
ion BIND-ACK rpc_vers5 rpc_vers_minor1 CAL
L rpc_vers5 rpc_vers_minors1
packed_drep\x10\x00\x00\x00
stub.RemoteActivationBody.actual_lengthgt40
matchRE( stub.buffer, /\x5c\x00\x5c\x00/)

• Pros
• Directly describe semantic context
• Very expressive, can express the vulnerability
  condition exactly
• Accurate

• Cons
• Slow!
• Existing approaches all use sequential matching
• Require protocol parsing

15
Motivation of NetShield
15
16
Motivation

• Desired Features for Signature-based NIDS/NIPS
• Accuracy (especially for IPS)
• Speed
• Coverage Large ruleset

Cannot capture vulnerability condition well!
Shield sigcomm04
Regular Expression Vulnerability
Accuracy Relative Poor Much Better
Speed Good ??
Memory OK ??
Coverage Good ??
16
17
Research Challenges

• Background
• Use protocol semantics to express the
  vulnerability
• Defined on a sequence of PDUs one predicate for
  each PDU
• Example ver1 methodput len(buf)gt300
• Challenges
• Matching thousands of vulnerability signatures
  simultaneously
• Sequential matching ?match multiple sigs
  simultaneously
• High speed parsing

17
18
Outline

• Motivation
• High Speed Matching for Large Rulesets.
• High Speed Parsing
• Evaluation
• Research Contributions

18
19
A Vulnerability Signature Example

• Data representations
• For all the vulnerability signatures we studied,
  we only need numbers and strings
• number operators , gt, lt, gt, lt
• String operators , match_re(.,.), len(.).
• Example signature for Blaster worm

Example BIND rpc_vers5 rpc_vers_minor1
packed_drep\x10\x00\x00\x00
context0.abstract_syntax.uuidUUID_RemoteActivat
ion BIND-ACK rpc_vers5 rpc_vers_minor1 CAL
L rpc_vers5 rpc_vers_minors1
packed_drep\x10\x00\x00\x00
stub.RemoteActivationBody.actual_lengthgt40
matchRE( stub.buffer, /\x5c\x00\x5c\x00/)
19
20
Matching Problem Formulation

• Consider single PDU matching first
• Suppose we have n signatures, defined on k
  matching dimensions (matchers)
• A matcher is a two-tuple (field, operation) or a
  four-tuple for the associative array elements.
• Translate the n signatures to a n by k table.

Rule 6 URI.Filenamefp40reg.dll
len(Headershost)gt300
20
21
Matching Problem Formulation

• Challenges for Single PDU matching problem (SPM)
• Large number of signatures n
• Large number of matchers k
• Large number of dont cares
• Cannot reorder matchers arbitrarily -- buffering
  constraint
• Field dependency
• Arrays, associative arrays
• Mutually exclusive fields.

21
22
Matching Algorithms

• Candidate Selection Algorithm
• Pre-computation decides the rule order and
  matcher order
• Divide-and-conquer comparison w/ matchers and
  iteratively combine the results efficiently

22
23
Step 1 Pre-Computation

• Matcher reoder Put the non-selective matchers
  later based on buffering constraint field
  arrival order
• Rule reorder

23
24
Step 2 Iterative Matching
24
25
Candidate merge operation
Dont care matcher i1
Si
require matcher i1
In Ai1
25
26
Refinement and Extension

• SPM improvement
• Allow negative conditions
• Handle array case
• Handle associate array case
• Handle mutual exclusive case
• Report the matched rules as early as possible
• Extend to Multiple PDU Matching (MPM)
• Allow checkpoints.

26
27
Outline

• Motivation
• High Speed Matching for Large Rulesets.
• High Speed Parsing
• Evaluation
• Research Contribution

27
28
Observations

• PDU ? parse tree
• Leaf nodes are integers or strings
• Vulnerability signatures mostly based on leaf
  nodes

• Observation 1 Only need to parse the fields
  related to signatures.
• Observation 2 Traditional recursive descent
  parsers which need one function call per node are
  too expensive.

28
29
Efficient Parsing with State Machines

• Studied eight protocols HTTP, FTP, SMTP, eMule,
  BitTorrent, WINRPC, SNMP and DNS as well as their
  vulnerability signatures.
• Pre-construct parsing state machines based on
  parse trees and vulnerability signatures.
• Common relationship among leaf nodes.

29
30
Example for WINRPC

• Rectangles are states
• Parsing variables R0 .. R4
• 0.61 instruction/byte for BIND PDU

30
31
Outline

• Motivation
• High Speed Matching for Large Rulesets.
• High Speed Parsing
• Evaluation
• Research Contributions

31
32
Evaluation Methodology

• Fully implemented prototype
• 11,704 lines of C and 2,706 lines of Python
• Can run on both Linux and Windows
• Deployed at a university DC
• with up to 106Mbps

• 26GB Traces from Tsinghua Univ. (TH),
  Northwestern (NU) and DARPA
• Run on a P4 3.8Ghz single core PC w/ 4GB memory.
• After TCP reassembly and preload the PDUs in
  memory
• For HTTP we have 794 vulnerability signatures
  which covers 973 Snort rules.
• For WINRPC we have 45 vulnerability signatures
  which covers 3,519 Snort rules

32
33
Parsing Results
Trace TH DNS TH WINRPC NU WINRPC TH HTTP NU HTTP DARPA HTTP
Throughput (Gbps) Binpac Our parser 0.31 3.43 1.41 16.2 1.11 12.9 2.10 7.46 14.2 44.4 1.69 6.67
Speed up ratio 11.2 11.5 11.6 3.6 3.1 3.9
Max. memory per connection (bytes) 15 15 15 14 14 14
33
34
Matching Results
Trace TH WINRPC NU WINRPC TH HTTP NU HTTP DARPA HTTP
Throughput (Gbps) Sequential CS Matching 10.68 14.37 9.23 10.61 0.34 2.63 2.37 17.63 0.28 1.85
Matching only time speed up ratio 4 1.8 11.3 11.7 8.8
Avg of Candidates 1.16 1.48 0.033 0.038 0.0023
Max. memory per connection (bytes) 27 27 20 20 20
34
35
Other Results
Rule scaling results
Compare with Regex

• Memory for 973 Snort rules DFA 5.29GB (XFA 863
  rules1.08MB), NetShield 2.3MB
• Per flow memory XFA 36 bytes, NetShield 20
  bytes.
• Throughput XFA 756Mbps, NetShield 1.9Gbps
• XFA SIGCOMM08Oakland08

Performanc Decrease gracefully
36
Research Contributions

• Demonstrate vulnerability signatures can be
  applied to NIDS/NIPS, which can significantly
  improve the accuracy of current NIDS/NIPS
• Propose the candidate selection algorithm for
  matching a large number of vulnerability
  signatures efficiently
• Propose parsing state machine for fast protocol
  parsing
• Implement the NetShield

36
37
Future work

• Working in process
• In collaboration with MSR. Apply the semantic
  rich analysis for cloud Web service profiling. To
  understand why slow and how to improve.
• Future work
• Web security (browser security, web server
  security)
• Data Center security
• High Speed Network Intrusion Prevention System
  with Hardware Support

38
Long Term Research Challenges

• Combat the professional profit-driven attackers.
• Online applications (including Web 2.0
  applications) become more complex and vulnerable.
  
• Network speed keeps increasing, which demands
  highly scalable approaches.

39

• Q A
• Thanks!

40
Backup Slides

41
Measure Snort Rules

• Semi-manually classify the rules.
• Group by CVE-ID
• Manually look at each vulnerability
• Results
• 86.7 of rules can be improved by protocol
  semantic vulnerability signatures.
• Most of remaining rules (9.9) are web DHTML and
  scripts related which are not suitable for
  signature based approach.
• On average 4.5 Snort rules are reduced to one
  vulnerability signature.
• For binary protocol the reduction ratio is much
  higher than that of text based ones.
• For netbios.rules the ratio is 67.6.

41
42
Motivation

• Network security has been recognized as the
  single most important attribute of their
  networks, according to survey to 395 senior
  executives conducted by ATT
• Many new emerging threats make the situation even
  worse

43
System Framework
Scalability
Scalability
Scalability
Scalability
Accuracy Scalability Coverage
Accuracy Scalability Coverage
Accuracy Scalability Coverage
Accuracy Scalability Coverage
Accuracy adapt fast
Accuracy adapt fast
Accuracy adapt fast
Accuracy adapt fast
Accuracy adapt fast
44
Example of Vulnerability Signatures

• At least 75 vulnerabilities are due to buffer
  overflow
• Sample vulnerability signature
• Field length corresponding to vulnerable buffer gt
  certain threshold
• Intrinsic to buffer overflow vulnerability and
  hard to evade

Overflow!
Protocol message
Vulnerable buffer
45
Old Slides
46
Conclusions

• A novel network-based vulnerability signature
  matching engine
• Through measurement study on Snort ruleset, prove
  the vulnerability signature can improve most of
  the signatures in NIDS/IPS.
• Proposed parsing state machine for fast parsing
• Propose a candidate selection algorithm for
  matching a large number of vulnerability
  signature simultaneously

46
47
Outline

• Motivation
• Feasibility Study a measurement approach
• Problem Statement
• High Speed Parsing
• High Speed Matching for massive vulnerability
  Signatures.
• Evaluation
• Conclusions

48
Outline

• Motivation
• Feasibility Study a measurement approach
• Problem Statement
• High Speed Parsing
• High Speed Matching for massive vulnerability
  Signatures.
• Evaluation
• Conclusions

49
Outline

• Motivation
• Feasibility Study a measurement approach
• Problem Statement
• High Speed Parsing
• High Speed Matching for massive vulnerability
  Signatures.
• Evaluation
• Conclusions

50
Outline

• Motivation
• Feasibility Study a measurement approach
• Problem Statement
• High Speed Parsing
• High Speed Matching for a large number of
  vulnerability Signatures.
• Evaluation
• Conclusions

51
Outline

• Motivation
• Feasibility Study a measurement approach
• Problem Statement
• High Speed Parsing
• High Speed Matching for massive vulnerability
  Signatures.
• Evaluation
• Conclusions

52
Limitations of Regular Expression Signatures
Signature 10.01
Traffic Filtering
Internet
Our network
X
X
Polymorphism!
Polymorphic attack (worm/botnet) might not have
exact regular expression based signature
53
What we do?

• Build a NIDS/NIPS with much better accuracy and
  similar speed comparing with Regular Expression
  based approaches
• Feasibility Snort ruleset (6,735 signatures)
  86.7 can be improved by vulnerability
  signatures.
• High speed Parsing 2.712 Gbps
• High speed Matching
• Efficient Algorithm for matching massive
  vulnerability rules
• HTTP, 791 vulnerability signatures at 1Gbps

54
Problem Formulation

• Parsing problem formulation
• Given a PDU and the protocol specification as
  input, output the set of fields which required by
  matching.

55
Publications

• Zhichun Li, Lanjia Wang, Yan Chen and Zhi (Judy)
  Fu, Network-based and Attack-resilient Length
  Signature Generation for Zero-day Polymorohic
  Worms, in the Proc. of IEEE ICNP 2007.
• Robert Schweller, Zhichun Li, Yan Chen, Yan Gao,
  Ashish Gupta, Elliot Parons, Yin Zhang, Peter
  Dinda, Ming-Yang Kao, and Gokhan Memik,
  Reversible sketches Enabling monitoring and
  analysis over high speed data streams, in the
  IEEE/ACM Transaction on Networking, Volume 15,
  Issue 5, Oct, 2007
• Zhichun Li, Manan Sanghi, Brian Chavez, Yan Chen
  and Ming-Yang Kao, Hamsa Fast Signature
  Generation for Zero-day Polymorphic Worms with
  Provable Attack Resilience, in Proc. of IEEE
  Symposium on Security and Privacy, 2006
• Zhichun Li, Yan Chen and Aaron Beach, Towards
  Scalable and Robust Distributed Intrusion Alert
  Fusion with Good Load Balacing, in Proc. of ACM
  SIGCOMM LSAD 2006
• Yan Gao, Zhichun Li and Yan Chen, A DoS Resilient
  Flow-level Intrusion Detection Approach for
  High-speed Networks, In Proc. Of IEEE ICDCS 2006
• Robert Schweller, Zhichun Li, Yan Chen, Yan Gao,
  Ashish Gupta, Elliot Parons, Yin Zhang, Peter
  Dinda, Ming-Yang Kao, and Gokhan Memik, Reverse
  Hashing for High-speed Network Monitoring
  Algorithms, Evaluations, and Applications, in the
  Proc. Of IEEE INFOCOM 2006

56
Current Status

• Part I Sketch based monitoring detection
• Robert Schweller, Zhichun Li, Yan Chen, Yan Gao,
  Ashish Gupta, Elliot Parons, Yin Zhang, Peter
  Dinda, Ming-Yang Kao, and Gokhan Memik,
  Reversible sketches Enabling monitoring and
  analysis over high speed data streams, in the
  IEEE/ACM Transaction on Networking, Volume 15,
  Issue 5, Oct, 2007
• Robert Schweller, Zhichun Li, Yan Chen, Yan Gao,
  Ashish Gupta, Elliot Parons, Yin Zhang, Peter
  Dinda, Ming-Yang Kao, and Gokhan Memik, Reverse
  Hashing for High-speed Network Monitoring
  Algorithms, Evaluations, and Applications, in the
  Proc. Of IEEE INFOCOM 2006 (252/140018)
• Yan Gao, Zhichun Li and Yan Chen, A DoS Resilient
  Flow-level Intrusion Detection Approach for
  High-speed Networks, In Proc. Of IEEE
  International Conference on Distributed Computing
  Systems (ICDCS) 2006 (75/53614) (Alphabetical
  order)
• Part II Polymorphic worm signature generation
• TOSG Zhichun Li, Manan Sanghi, Brian Chavez, Yan
  Chen and Ming-Yang Kao, Hamsa Fast Signature
  Generation for Zero-day Polymorphic Worms with
  Provable Attack Resilience, in Proc. of IEEE
  Symposium on Security and Privacy, 2006
  (23/2519)
• LESG Zhichun Li, Lanjia Wang, Yan Chen and Zhi
  (Judy) Fu, Network-based and Attack-resilient
  Length Signature Generation for Zero-day
  Polymorohic Worms, in the Proc. of IEEE
  International Conference on Network Protocols
  (ICNP) 2007 (32/22014)

57
Current Status

• Part III Signature matching engines
• Work in progress, will be focus of this talk
• Zhichun Li, Gao Xia, Yi Tang, Jian Chen, Ying He,
  Yan Chen and Bin Liu, NetShield Towards High
  Performance Network-based Semantic Signature
  Matching, in submission
• Part IV Network Situational Awareness
• Work in process
• Zhichun Li, Anup Goyal, Yan Chen and Vern Paxson,
  Towards Situational Awareness of Large-Scale
  Botnet Events using Honeynets, in preparation
• Zhichun Li, Anup Goyal, Yan Chen and Aleksandar
  Kuzmanovic, P2P Doctor Measurement and Diagnosis
  of Misconfigured Peer-to-Peer Traffic, in
  submission

58
Current Status

• Part I Sketch based monitoring detection
• Result in Infocom06,ToN,ICDCS06
• Part II Polymorphic worm signature generation
• Result in Oakland06,ICNP07
• Part III Signature matching engines
• Work in progress, will be focus of this talk
• Part IV Network Situational Awareness
• Work in process

59
Limitations of Exploit Based Signature
Signature 10.01
Traffic Filtering
Internet
Our network
X
X
Polymorphism!
Polymorphic worm might not have exact exploit
based signature
60
Vulnerability Signature
Vulnerability signature traffic filtering
Internet
X
X
Our network
X
X
Vulnerability

• Work for polymorphic worms
• Work for all the worms which target the
• same vulnerability