Architecture-Aware Session Lookup Design for Inline Deep Inspection on Network Processors
1
Authors: 徐波, 何飞, 薛一波, 李军. Tsinghua Science and Technology (SCIE, EI, CAS), 2009, Issue 1, pp. 19-28 (10 pages)
Today's firewalls and security gateways are required to not only block unauthorized accesses by authenticating packet headers, but also inspect flow payloads against malicious intrusions. Deep inspection emerges as a seamless integration of packet classification for access control and pattern matching for intrusion prevention. The two function blocks are linked together via well-designed session lookup schemes. This paper presents an architecture-aware session lookup scheme for deep inspection on network processors (NPs). Test results show that the proposed session data structure and integration approach can achieve the OC-48 line rate (2.5 Gbps) with inline stateful content inspection on the Intel IXP2850 NP. This work provides an insight into application design and implementation on NPs and principles for performance tuning of NP-based programming such as data allocation, task partitioning, latency hiding, and thread synchronization.
Keywords: session lookup deep inspection network processor performance optimization
Analysis and Identification Method for P2P Streaming Media Services in High-Speed Network Environments (in English) Cited by: 1
2
Authors: 陈陆颖, 丛蓉, 杨洁, 于华. China Communications (SCIE, CSCD), 2011, Issue 5, pp. 70-78 (9 pages)
The growing P2P streaming traffic brings a variety of problems and challenges to ISP networks and service providers. A P2P streaming traffic classification method based on sampling technology is presented in this paper. By analyzing traffic statistical features and network behavior of P2P streaming, a group of flow characteristics were found, which can make P2P streaming more recognizable among other applications. Attributes from Netflow and those proposed by us are compared in terms of classification accuracy, and so are the results of different sampling rates. It is proved that the unified classification model with the proposed attributes can identify P2P streaming quickly and efficiently in the online system. Even with 1:50 sampling rate, the recognition accuracy can be higher than 94%. Moreover, we have evaluated the CPU resources, storage capacity and time consumption before and after the sampling; it is shown that the classification model after the sampling can significantly reduce the resource requirements with the same recognition accuracy.
Keywords: traffic classification machine learning P2P streaming packet sampling deep flow inspection
Skipping Undesired High-Frequency Content to Boost DPI Engine
3
Authors: Likun Liu, Jiantao Shi, Xiangzhan Yu, Hongli Zhang, Dongyang Zhan. Computers, Materials & Continua (SCIE, EI), 2020, Issue 5, pp. 649-661 (13 pages)
Deep Packet Inspection (DPI) at the core of many monitoring appliances, such as NIDS, NIPS, plays a major role. DPI is beneficial to content providers and censorship to monitor network traffic. However, the surge of network traffic has put tremendous pressure on the performance of DPI. In fact, the sensitive content being monitored is only a minority of network traffic, that is to say, most is undesired. A close look at the network traffic, we found that it contains many undesired high frequency content (UHC) that are not monitored. As everyone knows, the key to improve DPI performance is to skip as many useless characters as possible. Nevertheless, researchers generally study the algorithm of skipping useless characters through sensitive content, ignoring the high-frequency non-sensitive content. To fill this gap, in this literature, we design a model, named Fast AC Model with Skipping (FAMS), to quickly skip UHC while scanning traffic. The model consists of a standard AC automaton, where the input traffic is scanned byte-by-byte, and an additional sub-model, which includes a mapping set and UHC matching model. The mapping set is a bridge between the state node of AC and UHC matching model, while the latter is to select a matching function from hash and fingerprint functions. Our experiments show promising results that we achieve a throughput gain of 1.3-2.6 times the original throughput and 1.1-1.3 times Barr’s double path method.
Keywords: deep packet inspection pattern matching algorithm AC
BSPM: A NEW MECHANISM FOR “OVERLAP-MATCHING EXPRESSIONS” IN DPI
4
Authors: Li Zheng, Yu Nenghai, Li Yang. Journal of Electronics (China), 2010, Issue 3, pp. 289-297 (9 pages)
Nowadays, using Deterministic Finite Automata (DFA) or Non-deterministic Finite Automata (NFA) to parse regular expressions is the most popular way for Deep Packet Inspection (DPI), and the research about DPI focuses on the improvement of DFA to reduce memory. However, most of the existing literature ignores a special kind of "overlap-matching expression", which causes states explosion and takes quite a large part in the DPI rules. To solve this problem, in this paper a new mechanism is proposed based on bitmap. We start with a simple regular expression to describe "overlap-matching expressions" and state the problem. Then, after calculating the terrible number of exploded states for this kind of expressions, the procedure of Bitmap-based Soft Parallel Mechanism (BSPM) is described. Based on BSPM, we discuss all the different types of "overlap-matching expressions" and give optimization suggestions of them separately. Finally, experiment results prove that BSPM can give an excellent performance on solving the problem stated above, and the optimization suggestions are also effective for the memory reduction on all types of "overlap-matching expressions".
Keywords: Intrusion detection Deep Packet Inspection (DPI) Regular expressions Bitmap-based Deterministic Finite Automata (DFA)
Inmap-t: Leveraging TTCN-3 to Test the Security Impact of Intra Network Elements
5
Authors: Antonino Vitale, Marc Dacier. Journal of Computer and Communications, 2021, Issue 6, pp. 174-190 (17 pages)
This paper rejuvenates the notion of conformance testing in order to assess the security of networks. It leverages the Testing and Test Control Notation Version 3 (TTCN-3) by applying it to a redefined notion of System under Test (SUT). Instead of testing, as it is classically done, a software/firmware/hardware element, an intangible object, namely the network, is tested in order to infer some of its security properties. After a brief introduction of TTCN-3 and Titan, its compilation and execution environment, a couple of use cases are provided to illustrate the feasibility of the approach. The pros and cons of using TTCN-3 to implement a scalable and flexible network testing environment are discussed.
Keywords: TTCN-3 Network Security Conformance Testing Deep Packet Inspection Firewall
Accelerating Application Identification with Two-Stage Matching and Pre-Classification Cited by: 1
6
Authors: 何飞, 项帆, 邵熠阳, 薛一波, 李军. Tsinghua Science and Technology (SCIE, EI, CAS), 2011, Issue 4, pp. 422-431 (10 pages)
Modern datacenter and enterprise networks require application identification to enable granular traffic control that either improves data transfer rates or ensures network security. Providing application visibility as a core network function is challenging due to its performance requirements, including high throughput, low memory usage, and high identification accuracy. This paper presents a payload-based application identification method using a signature matching engine utilizing characteristics of the application identification. The solution uses two-stage matching and pre-classification to simultaneously improve the throughput and reduce the memory. Compared to a state-of-the-art common regular expression engine, this matching engine achieves 38% memory use reduction and triples the throughput. In addition, the solution is orthogonal to most existing optimization techniques for regular expression matching, which means it can be leveraged to further increase the performance of other matching algorithms.
Keywords: application identification deep inspection regular expression traffic classification
Analysis on the time-domain characteristics of botnets control traffic
7
Authors: LI Wei-min, MIAO Chen, LIU Fang, LEI Zhen-ming. The Journal of China Universities of Posts and Telecommunications (EI, CSCD), 2011, Issue 2, pp. 106-113 (8 pages)
Botnets are networks composed with malware-infected computers. They are designed and organized to be controlled by an adversary. As victims are infected through their inappropriate network behaviors in most cases, the Internet protocol (IP) addresses of infected bots are unpredictable. Plus, a bot can get an IP address through dynamic host configuration protocol (DHCP), so they need to get in touch with the controller initiatively and they should attempt continuously because a controller can't be always online. The whole process is carried out under the command and control (C&C) channel. Our goal is to characterize the network traffic under the C&C channel on the time domain. Our analysis draws upon massive data obtained from honeynet and a large Internet service provider (ISP) Network. We extract and summarize fingerprints of the bots collected in our honeynet. Next, with the fingerprints, we use deep packet inspection (DPI) Technology to search active bots and controllers in the Internet. Then, we gather and analyze flow records reported from network traffic monitoring equipments. In this paper, we propose a flow record interval analysis on the time domain characteristics of botnets control traffic, and we propose the algorithm to identify the communications in the C&C channel based on our analysis. After that, we evaluate our approach with a 3.4 GB flow record trace and the result is satisfactory. In addition, we believe that our work is also useful information in the design of botnet detection schemes with the deep flow inspection (DFI) technology.
Keywords: botnet detection netflow record time domain analysis deep flow inspection
Timely traffic identification on P2P streaming media
8
Authors: YANG Jie, YUAN Lun, HE Yang, CHEN Lu-ying. The Journal of China Universities of Posts and Telecommunications (EI, CSCD), 2012, Issue 2, pp. 67-73 (7 pages)
Since the year of 2006, peer-to-peer (P2P) streaming media service has been developing rapidly, and the user scale and income scale achieve synchronous growth. However, while people are enjoying the benefits of the distributed resources, a great deal of network bandwidth is consumed at the same time. Research on P2P streaming traffic characteristics and identification is essential to Internet service providers (ISPs) in terms of network planning and resource allocation. In this paper, we introduce the current common P2P traffic detection technology, and analyze the payload length distribution and payload length pattern in one flow of four popular P2P streaming media applications. Combining with the deep flow inspection and machine learning algorithm, a nearly real-time identification approach for P2P streaming media is proposed. The experiments proved that this approach can achieve a high identification accuracy with low false positives.
Keywords: deep flow inspection machine learning payload length distribution traffic identification