Abstract
Vulnerability signatures offer better precision and flexibility than exploit signatures when detecting network attacks. We show that it is possible to detect vulnerability signatures in high-performance network intrusion detection systems, by developing a matching architecture that is specialized to the task of vulnerability signatures. Our architecture is based upon: i) the use of high-speed pattern matchers, together with control logic, instead of recursive parsing, ii) the limited nature and careful management of implicit state, and iii) the ability to avoid parsing large fragments of the message not relevant to a vulnerability.
We have built a prototype implementation of our architecture and vulnerability specification language, called VESPA, capable of detecting vulnerabilities in both text and binary protocols. We show that, compared to full protocol parsing, we can achieve 3x or better speedup, and thus detect vulnerabilities in most protocols at a speed of 1 Gbps or more. Our architecture is also well-adapted to being integrated with network processors or other special-purpose hardware. We show that for text protocols, pattern matching dominates our workload and great performance improvements can result from hardware acceleration.
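To make the architectural contrast concrete, the following is an added illustration (not code from the paper or the VESPA prototype) of a vulnerability signature for a text protocol evaluated the way the abstract describes: anchored pattern matches plus a small amount of explicit state, with the message body never parsed. The vulnerability is hypothetical and constructed for the example (a server that copies one request header's value into a fixed 256-byte buffer); the header name, buffer size, sample requests and the comparison exploit signature are all assumptions made here.

```python
import re

# Hypothetical, constructed vulnerability condition for this example:
# the server copies the value of one header into a 256-byte buffer.
MAX_SAFE_HEADER_LEN = 256
VULNERABLE_HEADER = b"x-example-id"  # constructed header name

# Pattern matcher stage: the only anchors the signature needs are the
# request line, the vulnerable header and the end of the header block.
_REQUEST_LINE = re.compile(rb"\A([A-Z]+) ([^ \r\n]+) HTTP/1\.[01]\r\n")
_HEADER = re.compile(rb"(?im)^" + re.escape(VULNERABLE_HEADER) + rb":[ \t]*([^\r\n]*)\r\n")
_END_OF_HEADERS = re.compile(rb"\r\n\r\n")


def match_vulnerability_signature(message: bytes):
    """Return (matched, reason) for the constructed signature.

    Only the fragments relevant to the vulnerability are examined; unrelated
    headers and the whole body are skipped rather than parsed.
    """
    m = _REQUEST_LINE.match(message)
    if m is None:
        return False, "not an HTTP request"
    # Explicit state: the end of the header block. Later searches are bounded
    # by it so a decoy in the body can never satisfy the signature.
    end = _END_OF_HEADERS.search(message, m.end())
    header_block_end = end.start() + 2 if end else len(message)
    h = _HEADER.search(message, m.end(), header_block_end)
    if h is None:
        return False, "vulnerable header absent"
    value_len = len(h.group(1))
    if value_len > MAX_SAFE_HEADER_LEN:
        return True, f"header value length {value_len} exceeds {MAX_SAFE_HEADER_LEN}"
    return False, "header within safe length"


def match_exploit_signature(message: bytes, exploit_bytes: bytes) -> bool:
    """Exploit signature for comparison: a fixed byte string taken from one
    observed sample. It matches that sample only, not the vulnerability."""
    return exploit_bytes in message


# Constructed sample traffic (not real captures).
_PREFIX = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
SAMPLE_EXPLOIT = _PREFIX + b"X-Example-Id: " + b"A" * 300 + b"\r\n\r\n"
SAMPLE_VARIANT = _PREFIX + b"X-Example-Id: " + b"B" * 300 + b"\r\n\r\n"
SAMPLE_BENIGN = _PREFIX + b"X-Example-Id: abc\r\n\r\n"
# Benign headers, with the long value placed in the body where it is harmless.
SAMPLE_BODY_DECOY = SAMPLE_BENIGN + b"\r\nX-Example-Id: " + b"A" * 300 + b"\r\n"
EXPLOIT_BYTES = b"A" * 300  # exploit signature derived from SAMPLE_EXPLOIT


if __name__ == "__main__":
    for name, msg in [("exploit", SAMPLE_EXPLOIT), ("variant", SAMPLE_VARIANT),
                      ("benign", SAMPLE_BENIGN), ("body decoy", SAMPLE_BODY_DECOY)]:
        vuln = match_vulnerability_signature(msg)
        expl = match_exploit_signature(msg, EXPLOIT_BYTES)
        print(f"{name:10s} vulnerability signature={vuln}  exploit signature={expl}")
```

The variant sample shows the precision point of the abstract: a byte-level exploit signature misses a trivially altered payload, while the vulnerability signature fires on the condition that actually matters. The body-decoy sample shows why the implicit state (here, the recorded end of the header block) has to be managed carefully: without bounding the search, a matcher that skips parsing would be fooled by the same pattern appearing in a fragment it was supposed to ignore.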
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Schear, N., Albrecht, D.R., Borisov, N. (2008). High-Speed Matching of Vulnerability Signatures. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_9
DOI: https://doi.org/10.1007/978-3-540-87403-4_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87402-7
Online ISBN: 978-3-540-87403-4