globecom - mens 2011 - characterizing signature sets for testing dpi systems
CHARACTERIZING SIGNATURE SETS FOR TESTING DPI SYSTEMS
The 3rd IEEE International Workshop on Management of Emerging Networks and Services (IEEE MENS 2011)
Rafael Antonello, Stenio Fernandes, Djamel Sadok, Judith Kelner
Federal University of Pernambuco (UFPE), Recife, Brazil
Outline
Introduction
Motivation
Contribution
Signature Set Analyzer Framework
Experimental Results
Concluding Remarks
Introduction
Deep Packet Inspection (DPI) systems are a key component for accurate network management. They look inside the packet payload trying to find application signatures: recognizable patterns (similar to an anti-virus system).
High computational requirements are mainly due to the high number of regular expressions (REs) in the signature sets of modern DPI systems. REs are represented as finite automata (DFA or NFA).
RegEx to FA: the DFA created for recognizing the regular expression (regex) ^\x01[\x08\x09][\x03\x04]
The size and complexity of signature sets can lead to state-space explosion of the FA, which degrades performance.
Introduction
Challenges:
Growing link speed: 40-100 Gbps and beyond
Ever increasing number of Internet applications
Research effort on optimizing DPI systems:
New packet capture methods
Building efficient automata for representing REs
Efficient classifiers
Motivation
Performance analysis for DPI engines has been done without a common ground. That is where the problem arises: the selected signature bases present
Different sizes. Example: 1.8 Gbps over a 268-signature set [17] versus 1.6 Gbps over a 2-signature set [7]
Variable complexity. For REs, dot stars (.*) and count constraints (c{n} constructions) can generate very complex DFAs
Contribution
A framework for characterizing the signature sets commonly used to evaluate DPI systems
An in-depth analysis of signature sets from well-known applications, protocols, and intrusion detection systems
A classification mechanism for signature sets according to their size, number of sub-patterns, and complexity
SSA Framework (SSAF)
Sig-Set Analyzer
SSAF Overview
Firstly, select representative signature sets and extract their REs; then apply normalization.
Example of extracted REs (web-cgi.rules):
web-cgi.rules.pcres1 \Wfrom=[^\x3b&\n]{100}
web-cgi.rules.pcres2 pwd=(\!|\%21)CRYPT(\!|\%21)[A-Z0-9]{512}
web-cgi.rules.pcres3 evtdump\x3f.*\?\x2525[^\x20]*\?\x20HTTP
web-cgi.rules.pcres4 ShellExample.cgi\?[^\n\r\&]*\x2a
web-cgi.rules.pcres5 update=[^\r\n\x26]+
web-cgi.rules.pcres6 awstats.pl?[^\r\n]*configdir=\x7C
SSA generates:
Number of signatures
Signature size (avg): Average size of signatures
Signature max size: Maximum signature size
Signature min size: Minimum signature size
DotStars .* (count): Number of dot star (.*) constructions
DotStars (avg): Average number of dot stars per signature
Char Ranges (count): Number of character ranges ([a-d])
Char Ranges (avg): Average number of character ranges per signature
Count constraints c{n} or c{m,n} (count): Number of count constraints
Count constraints (avg): Average number of count constraints per signature
Count constraints on ranges [a-d]{n} or [a-d]{m,n} (count): Number of count constraints on character ranges
Count constraints on ranges (avg): Average number of count constraints on character ranges per signature
OR operators | (count): Number of OR operators in a signature set
OR operators (avg): Average number of OR operators per signature
Number of sps (count): Number of sub-patterns present in a signature set
Number of sps (avg): Average number of sub-patterns per signature
Sp min length: Sub-patterns' minimum length
Sp max length: Sub-patterns' maximum length
Sp avg. length: Sub-patterns' average length
Logistic Function
Normalization of size, sub-patterns and complexity
x: signature set size, number of sub-patterns, or the complexity metric
y: [0-1]
Complexity
x is the sum of three variables: the average number of count constraints on ranges, the average number of count constraints, and the average number of dot star constructions per signature
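The metric extraction the SSA slides describe, as an added example in Python (not the authors' SSAF code), run over the six web-cgi.rules PCREs from the SSAF slide; the raw complexity x is the sum defined above, and the logistic normalization is not applied because its parameters are not given on the slides. Assumptions: a simplified PCRE tokenizer in which hex, punctuation and control escapes are literal characters and \W-style escapes are classes, and a sub-pattern defined as a maximal run of literal characters (the slides do not define it).

```python
import re

# Input: the six web-cgi.rules PCREs listed on the SSAF slide.
WEB_CGI_PCRES = [
    r"\Wfrom=[^\x3b&\n]{100}",
    r"pwd=(\!|\%21)CRYPT(\!|\%21)[A-Z0-9]{512}",
    r"evtdump\x3f.*\?\x2525[^\x20]*\?\x20HTTP",
    r"ShellExample.cgi\?[^\n\r\&]*\x2a",
    r"update=[^\r\n\x26]+",
    r"awstats.pl?[^\r\n]*configdir=\x7C",
]
# Simplified PCRE tokenizer (assumption): escapes first, then classes, then meta.
TOKEN = re.compile(
    r"(?P<hex>\\x[0-9a-fA-F]{2})|(?P<esc>\\[^a-zA-Z])|(?P<ctl>\\[nrtfv])"  # literal escapes
    r"|(?P<cls>\\[a-zA-Z])|(?P<range>\[(?:\\.|[^\]\\])*\])"                # \W, [a-d]
    r"|(?P<count>\{\d+(?:,\d*)?\})|(?P<meta>[.*+?|()^$])|(?P<lit>.)")     # {n}, metachars
LITERAL = {"hex", "esc", "ctl", "lit"}

def analyze(signatures):
    """SSA-style metrics; a sub-pattern is a maximal run of literal chars (assumed)."""
    m = dict(signatures=len(signatures), dotstars=0, char_ranges=0,
             count_constraints=0, count_on_ranges=0, or_ops=0)
    sp_lengths = []
    for sig in signatures:
        run, prev = 0, None
        for kind, text in ((t.lastgroup, t.group()) for t in TOKEN.finditer(sig)):
            if kind in LITERAL:                   # extend the current literal run
                run, prev = run + 1, kind
                continue
            if run:                               # any construct ends a sub-pattern
                sp_lengths.append(run); run = 0
            if kind == "range":
                m["char_ranges"] += 1
            elif kind == "count":
                m["count_constraints"] += 1
                m["count_on_ranges"] += prev == "range"   # the [a-d]{n} form
            elif text == "|":
                m["or_ops"] += 1
            elif text == "*" and prev == "dot":   # a '.' directly followed by '*'
                m["dotstars"] += 1
            prev = "dot" if text == "." else kind
        if run: sp_lengths.append(run)
    sizes, n = [len(s) for s in signatures], len(signatures)
    m.update(size_avg=sum(sizes) / n, size_max=max(sizes), size_min=min(sizes),
             dotstars_avg=m["dotstars"] / n, count_constraints_avg=m["count_constraints"] / n,
             count_on_ranges_avg=m["count_on_ranges"] / n, or_ops_avg=m["or_ops"] / n,
             sps=len(sp_lengths), sps_avg=len(sp_lengths) / n, sp_min=min(sp_lengths),
             sp_max=max(sp_lengths), sp_avg=sum(sp_lengths) / len(sp_lengths))
    return m

def complexity(m):
    # Raw complexity x from the slide: the sum of the three per-signature averages.
    return m["count_on_ranges_avg"] + m["count_constraints_avg"] + m["dotstars_avg"]
```

For the six slide PCREs this yields 1 dot star, 2 count constraints (both on ranges), 2 OR operators and 17 sub-patterns, so x = 5/6 before normalization.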
Metric Levels
Base Size: Small, Medium, Large
Avg. Number of Sub-Patterns: Low, Medium, High
Complexity: Low, Moderate, High
Signature Sets' Characterization: based on the output of the logistic function (for normalization purposes)
Experimental Results
Signature Bases
L7-Filter, Bro, Snort-Web, Snort-ActiveX, Snort-Spyware
L7-Filter
Number of signatures: 123
Signature size (avg): 61.756096
Signature max size: 438
Signature min size: 6
DotStars .* (count): 35
DotStars (avg): 0.284553
Char Ranges [a-d] (count): 265
Char Ranges (avg): 2.154472
Count constraints c{n} or c{m,n} (count): 0
Count constraints on ranges (count): 0
OR operators | (count): 150
OR operators (avg): 1.219512
Number of sps (count): 470
Number of sps (avg): 3.821138
Sp min length: 1
Sp max length: 46
Sp avg. length: 5.859574
Bro
Number of signatures: 268
Signature size (avg): 30.772388
Signature max size: 211
Signature min size: 1
DotStars (count): 8
DotStars (avg): 0.029851
Char Ranges (count): 0
Count constraints (count): 10
Count constraints (avg): 0.037313
Count constraints on ranges (count): 4
Count constraints on ranges (avg): 0.014925
OR operators (count): 6
OR operators (avg): 0.022388
Number of sps (count): 382
Number of sps (avg): 1.425373
Sp min length: 1
Sp max length: 46
Sp avg. length: 4.028796
Snort-Web
Number of signatures: 336
Signature size (avg): 57.327381
Signature max size: 486
Signature min size: 3
DotStars (count): 56
DotStars (avg): 0.166667
Char Ranges (count): 103
Char Ranges (avg): 0.306548
Count constraints (count): 233
Count constraints (avg): 0.693452
Count constraints on ranges (count): 18
Count constraints on ranges (avg): 0.053571
OR operators (count): 402
OR operators (avg): 1.196429
Number of sps (count): 1668
Number of sps (avg): 4.964286
Sp min length: 1
Sp max length: 64
Sp avg. length: 4.573741
Snort-ActiveX
Number of signatures: 2385
Signature size (avg): 321.137115
Signature max size: 867
Signature min size: 34
DotStars (count): 1599
DotStars (avg): 0.67044
Char Ranges (count): 2
Char Ranges (avg): 0.000839
Count constraints (count): 0
Count constraints on ranges (count): 0
OR operators (count): 10654
OR operators (avg): 4.467086
Number of sps (count): 54981
Number of sps (avg): 23.05283
Sp min length: 1
Sp max length: 83
Sp avg. length: 6.119805
Snort-Spyware
Number of signatures: 431
Signature size (avg): 48.308586
Signature max size: 324
Signature min size: 12
DotStars (count): 37
DotStars (avg): 0.085847
Char Ranges (count): 18
Char Ranges (avg): 0.041763
Count constraints (count): 25
Count constraints (avg): 0.058005
Count constraints on ranges (count): 1
Count constraints on ranges (avg): 0.00232
OR operators (count): 72
OR operators (avg): 0.167053
Number of sps (count): 1315
Number of sps (avg): 3.051044
Sp min length: 1
Sp max length: 175
Sp avg. length: 9.01673
Signature Sets' Main Characteristics
Sig-Set Base     Size            Sub-Pattern number   Overall Complexity
L7-Filter        Small (0.31)    Medium (0.37)        Moderate (0.38)
Bro              Medium (0.35)   Low (0.30)           Low (0.22)
Snort-Web        Medium (0.37)   Medium (0.41)        High (0.84)
Snort-ActiveX    Large (0.9)     High (0.9)           High (0.71)
Snort-Spyware    Medium (0.4)    Medium (0.35)        Low (0.27)
Concluding Remarks
Using different signature sets to compare different DPI techniques might lead to inaccurate results.
We developed a mechanism for characterizing signature sets according to their size, number of sub-patterns and overall complexity.
By knowing the characteristics of the signature sets (size and complexity), one can put DFA-based DPI engines under different stress conditions, which allows a comparable performance analysis.