Efficient pre-filtering techniques for packet inspection

Author: Arelakis, A.
Contributors: Gaydadjiev, G.N. (mentor); Sourdis, I. (mentor)
Faculty: Electrical Engineering, Mathematics and Computer Science
Date: 2008-12-11

Abstract

Network security is a significant issue nowadays. The information flow is enormous and attacks have evolved substantially. Every packet in the flow must be scanned in depth and checked against all known attack rules (Deep Packet Inspection) to determine whether it is malicious. However, Deep Packet Inspection requires a significant amount of processing and creates a bottleneck in the network. Packet Pre-filtering divides this task into two stages. The first stage (the Pre-filtering stage) inspects the packet using a set of subrules and therefore needs less processing. This set is the result of preprocessing the initial rules, selecting a smaller portion of every rule. In addition, this set of subrules must be efficient enough that the fewest possible rules need to be processed in the second stage, achieving lower implementation cost and/or lower latency.

This thesis proposes five techniques that adapt Pre-filtering to meet these requirements. Three of them are extraction techniques and create the set of subrules. Each subrule has a header and a part of the content (static pattern) or of the PCRE (a type of regular expression). The extraction techniques are: First Content Prefix, which extracts a prefix of the first content of each rule; PCRE Prefix, which exploits the PCRE and extracts a prefix of it; and Unique Part Rule, which creates a set of unique subrules by extracting part of the content(s). Two more techniques have also been proposed. Rule Correlation correlates subrules (of the Pre-filtering stage) with similar characteristics in order to exclude them from the first stage of processing, achieving lower latency. Secondly, Smart Rule Reuse optimizes the second stage of processing by exploiting the temporal locality of the activated rules between consecutive packets.

All the techniques were evaluated using the SNORT Network Intrusion Detection System and real attack traffic traces. The most efficient extraction technique is Unique Part Rule (with the selected part length set to 8 bytes), because only 2 rules on average are activated per packet, while the maximum number of activated rules, which indicates the number of resources required in the second stage, is approximately 64. Rule Correlation manages to correlate about 1700 of the 9000 rules when used in combination with the Unique Part Rule technique, achieving lower latency or fewer resources in the first stage, while Smart Rule Reuse uses rules activated by previous packets and hence avoids memory accesses, so that the second stage of processing has lower latency.

Subject: pre-filtering; packet inspection; network intrusion detection system; network security
To reference this document use: http://resolver.tudelft.nl/uuid:2632334a-f9ee-41b0-aaad-9f77375fc256
Publisher: TU Delft, Electrical Engineering, Mathematics, Computer Science, Computer Engineering
Part of collection: Student theses
Document type: master thesis
Rights: (c) 2008 A. Arelakis
Files: ewi_arelakis_2008.pdf (PDF, 1.74 MB)
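The two-stage scheme the abstract describes, with the First Content Prefix and Unique Part Rule extraction techniques side by side, as an added Python example (not code from the thesis or from Snort): the rule set, the packet, the 8-byte part length and the reduction of a subrule's header to a destination port are all assumptions made here, and stage 2 simply checks that every content of an activated rule is present.

```python
# Added example: two-stage packet pre-filtering with two of the extraction techniques from
# the abstract. Rules, packet and the reduced header (dport only) are constructed; not thesis code.
from typing import NamedTuple

class Rule(NamedTuple):
    sid: int
    dport: int        # header field carried into every subrule
    contents: tuple   # static patterns (bytes) that must all appear in the payload

def windows(content, k):
    """All k-byte windows of a content (the whole content if it is shorter than k)."""
    return [content[i:i + k] for i in range(max(1, len(content) - k + 1))]

def first_content_prefix(rules, k):
    """First Content Prefix: the first k bytes of each rule's first content."""
    return {r.sid: r.contents[0][:k] for r in rules}

def unique_part(rules, k):
    """Unique Part Rule: a k-byte part of some content that no other rule shares;
    falls back to the first-content prefix when a rule has no unique part."""
    owners = {}
    for r in rules:
        for c in r.contents:
            for w in windows(c, k):
                owners.setdefault(w, set()).add(r.sid)
    sub = {}
    for r in rules:
        uniq = [w for c in r.contents for w in windows(c, k) if owners[w] == {r.sid}]
        sub[r.sid] = uniq[0] if uniq else r.contents[0][:k]
    return sub

def prefilter(rules, subrules, dport, payload):
    """Stage 1: header check plus one short pattern per rule; returns activated rule ids."""
    return {r.sid for r in rules if r.dport == dport and subrules[r.sid] in payload}

def full_match(rules, activated, payload):
    """Stage 2: check every content of only the rules that stage 1 activated."""
    return {r.sid for r in rules if r.sid in activated and all(c in payload for c in r.contents)}

# Constructed rule set and packet (not real Snort rules); rules 1 and 2 share their first content.
RULES = (Rule(1, 80, (b"GET /cgi-bin/", b"/etc/passwd")),
         Rule(2, 80, (b"GET /cgi-bin/", b"test-cgi")),
         Rule(3, 80, (b"User-Agent: badbot",)),
         Rule(4, 21, (b"USER ", b"anonymous")))
PKT = (80, b"GET /cgi-bin/test-cgi HTTP/1.0\r\nHost: example\r\n\r\n")

if __name__ == "__main__":
    for name, extract in (("first content prefix", first_content_prefix), ("unique part", unique_part)):
        act = prefilter(RULES, extract(RULES, 8), *PKT)
        print(f"{name}: activated {sorted(act)}, matched {sorted(full_match(RULES, act, PKT[1]))}")
```

On the constructed packet the shared 8-byte prefix activates both CGI rules, while the unique part activates only the one that finally matches, which is the effect the abstract reports for Unique Part Rule.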