
A Survey on Deep Packet Inspection for Intrusion Detection Systems

Structure

Abstract

1.Introduction

2.Challenges and Goals

  • 2.1.Deep Packet Inspection Challenges

    1.The search algorithm complexity

    2.Increasing number of intruder signature

    3.The overlapping of signatures

    4.The Location of signature unknown

    5.Encrypted Data

  • 2.2.DPI Design Objectives

    1.Deterministic performance

    2.Memory efficiency

    3.Dynamic update

    4.Signatures

    5.Scalability

    6.Additional functions

3.Software Deep packet Inspection systems

  • 3.1.SNORT Intrusion Detection System

4.Hardware Implementation

  • 4.1.Matching Algorithms
  • 4.2.Bloom Filter
  • 4.3.Content Addressable Memory
  • 4.4.TCAM implementations
  • 4.5.Multi-core Processors Implementations

5.Finite State Machine

  • 5.1.Nondeterministic Finite Automata
  • 5.2.Deterministic Finite Automata

6.Comparison between Existing Modules and Implementations

7.Conclusion

References

Abstract and Introduction

Deep packet inspection (DPI): inspecting, deterring and deflecting malicious attacks over the network => network security

env: the enormous number of attacks => need to protect data => security methods

viruses + spam … ==attack==> cryptographic system (first defense) ==attack==> IDS and IPS (intrusion detection / intrusion prevention systems) (second defense)

DPI = essential inspector => inspects attacks in all the layers nowadays

Two main categories in IDS (intrusion detection systems): (1) efficient data structure with optimized memory access rate (2) high-throughput algorithm to process intruder signatures

Challenges and Goals

Challenges

Five Challenges:

1.The search algorithm complexity

high complexity => low throughput => the main focus point in DPI

2.Increasing number of intruder signature

the variety of attacks => the need for new intruder signatures increases

3.The overlapping of signatures (signature overlap)

the signatures of attacks are not general => they can be categorized into groups, e.g. an HTTP packet has 1096 signatures

=> process the packets before matching process

4.The Location of signature unknown

attacks: a variety of attack types on different types of apps => a lot of kinds of attacks

=> intruder pattern not localized => IDS must inspect all the packet payload

5.Encrypted Data

the encrypted data => cannot be inspected by DPI

Two main requirements of DPI system:

(1)high speed of processing => performance

(2)low cost => resources allocation
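Challenges 1 to 4 above, as an added example that is not from the survey or from the tools it cites: a minimal Aho-Corasick matcher (the DFA-style approach listed under section 5) that scans a whole payload once for every signature in a group, with constructed signature groups keyed by protocol as the pre-classification step of challenge 3. The signature names and byte patterns are placeholders made up for this example, not real IDS rules.

```python
from collections import deque

class SignatureMatcher:
    """Aho-Corasick automaton: one pass over the payload finds every signature."""
    def __init__(self, signatures):
        # signatures: {name: bytes pattern}; state 0 is the root
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for name, pattern in signatures.items():
            s = 0
            for b in pattern:                 # build the keyword trie
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(name)
        queue = deque(self.goto[0].values())  # depth-1 states keep fail = 0
        while queue:                          # BFS computes failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # a state also reports signatures ending at its suffix state
                self.out[s].extend(self.out[self.fail[s]])

    def scan(self, payload):
        """Return (signature, end_offset) for every match in the payload."""
        hits, s = [], 0
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits.extend((name, i) for name in self.out[s])
        return hits

# Constructed placeholder signatures grouped by protocol (not real rules):
# grouping is the pre-classification step, so each automaton stays small
# and overlapping patterns within a group are still found in one pass.
SIGNATURE_GROUPS = {
    "http": {"sig-http-1": b"/cgi-bin/", "sig-http-2": b"/cgi-bin/ph"},
    "smtp": {"sig-smtp-1": b"VRFY "},
}
MATCHERS = {proto: SignatureMatcher(sigs) for proto, sigs in SIGNATURE_GROUPS.items()}

def inspect(proto, payload):
    """Pick the group for the classified protocol, then scan the entire payload."""
    matcher = MATCHERS.get(proto)
    return matcher.scan(payload) if matcher else []
```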

Design Objectives

1.Deterministic Performance

operates and processes the traffic stream independently of signature characteristics or traffic characteristics

the system has to manage traffic in the worst case

2.Memory efficiency: memory access time

the main bottleneck in DPI systems

3.Dynamic update

the hardware can be configured at runtime.

4.Signatures

5.Scalability: crucial in hardware based system

6.Additional functions

Software DPI Systems

SNORT, Bro, Linux L7-filter.

  • IDS: SNORT, Bro.

  • Application: Linux L7-filter.

SNORT: Network intrusion detection system. http://www.snort.org/.

Bro: Intrusion detection system. http://www.bro-ids.org/.

L7-filter: Application layer packet classifier. http://l7-filter.sourceforge.net/.

Hardware Design

See the paper for more information.

Hardware Implementation; Finite State Machine.

Chen, 2017.3.30
