在網路偵測上可變步伐的樣式比對

Kuang-Min Hsu; 徐光民

請用此 Handle URI 來引用此文件： http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/6938

完整後設資料紀錄

DC 欄位	值	語言
dc.contributor.advisor	雷欽隆(Chin-Laung Lei)
dc.contributor.author	Kuang-Min Hsu	en
dc.contributor.author	徐光民	zh_TW
dc.date.accessioned	2021-05-17T09:21:43Z	-
dc.date.available	2012-09-03
dc.date.available	2021-05-17T09:21:43Z	-
dc.date.copyright	2012-09-03
dc.date.issued	2012
dc.date.submitted	2012-08-30
dc.identifier.citation	[1] Snort. [Online]. Available: http://www.snort.org/ [2] Bro. [Online]. Available: http://bro-ids.org/ [3] Cisco Adaptive Security Appliance. [Online]. Available: http://www.cisco.com/ [4] Clamav. [Online]. Available: http://www.clamav.net/ [5] M. Becchi and P. Crowley, “An improved algorithm to accelerate regular ex- pression evaluation,” in Proc. of ACM ANCS’07, 2007, pp. 145–154. [6] D. Ficara, S. Giodano, G. Procissi, F. Vitucci, G. Antichi, and A. D. Pietro, “An improved DFA for fast regular expression matching,” ACM SIGCOMM’08 Computer Communication Review, vol. 38, Issue 5, pp. 29–40, Oct. 2008. [7] L. Yang, R. Karim, V. Ganapathy, and R. Smith, “Improving NFA-based sig- nature matching using ordered binary decision diagrams,” in Proc. of RAID’10, 2010, pp. 58–78. [8] B. Brodie, R. Cytron, and D. Taylor, “A scalable architecture for high- throughput regular-expression pattern matching,” in Proc. of ISCA’06, 2006, pp. 191–202. [9] M. Becchi and P. Crowley, “Eﬃcient regular expression evaluation: Theory to practice,” in Proc. of ACM/IEEE ANCS’08, 2008, pp. 50–59. [10] N. Hua, H. Song, and T. Lakshman, “Variable-stride multi-pattern matching for scalable deep packet inspection,” in Proc. of IEEE INFOCOM’09, 2009, pp. 415–423. [11] S. Schleimer, D. S. Wilkerson, and A. Aiken, “Winnowing: Local algorithms for document ﬁngerprinting,” in Proc. of ACM SIGMOD’03 on Management of data, 2003, pp. 76–85. [12] K. Thompson, “Regular expression searching algorithm,” Communication of ACM, vol. 11, Issue 6, pp. 419–422, Jun. 1968. [13] J. E. Hopcroft, R. Motwani, and J. D. Ullman, Inroduction to Automata Theory, Languages,and Computation. Addison Wesly, 1979. [14] A. V. Aho and M. J. Corasick, “Eﬃcient string matching: An aid to biblio- graphic search,” Commucations of the ACM, vol. 18, Issue 6, pp. 333–340, Jun. 1975. [15] Libpcap. [Online]. Available: http://www.tcpdump.org/ [16] S. Kumar, B. Chandrasekaran, J. Turner, and G. Varghese, “Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia,” in Proc. of ACM/IEEE ANCS’07, 2007, pp. 155–164. [17] R. Smith, C. Estan, S. Jha, and S. Kong, “Deﬂating the big bang: Fast and scalable deep packet inspection with extended ﬁnite automata,” in Proc. of ACM SIGCOMM’08 conference on Data communication, 2008, pp. 207–218. [18] M. Becchi and P. Crowley, “A hybrid ﬁnite automaton for practical deep packet inspection,” in Proc. of ACM CoNEXT’07, 2007. [19] S. Kumar, S. Dharmapurikar, F. Yu, P. Crowley, and J. Turner, “Algorithms to accelerate multiple regular expressions matching for deep packet inspection,” in Proc. of ACM SIGCOMM’06, 2006, pp. 339–350. [20] Y. Sun, H. Liu, V. C. Valgenti, and M. S. Kim, “Hybrid regular expression matching for deep packet inspection on multi-core architecture,” in Proc. of 19th International Conference on Computer Communications and Networks, Aug. 2010, pp. 1–7. [21] S. Kumar, J. Turner, and J. Williams, “Advanced algorithms for fast and scal- able deep packet inspection,” in Proc. of ACM/IEEE ANCS’06, 2006, pp. 81– 92. [22] M. Becchi and S. Cadambi, “Memory-eﬃcient regular expression search using state merging,” in Proc. of IEEE INFOCOM’07, May 2007, pp. 1064–1072. [23] N. Cascarano, P. Rolando, F. Risso, and R. Sisto, “iNFAnt: NFA pattern matching on GPGPU devices,” ACM SIGCOMM’10 Computer Communication Review, vol. 40, Issue 5, pp. 20–26, Oct. 2010. [24] R. Smith, N. Goyal, J. Ormont, K. Sankaralingam, and C. Estan, “Evaluating GPUs for network packet signature matching,” in Proc. of IEEE International Symposium on Performance Analysis of Systems and Software, Apr. 2009, pp. 175–184. [25] G. Vasiliadis and S. Ioannidis, “GrAVity: a massively parallel antivirus engine,” in Proc. of Proceedings of the 13th international conference on Recent advances in intrusion detection, 2010, pp. 79–96. [26] Y. Zu, M. Yang, Z. Xu, L. Wang, X. Tian, K. Peng, and Q. Dong, “Gpu- based nfa implementation for memory eﬃcient high speed regular expression matching,” in Proc. of the 17th ACM SIGPLAN symposium on Principles and Practice of Parallel Programming, 2012, pp. 129–140. [27] J. van Lunteren, “High-performance pattern-matching for intrusion detection,” in Proc. of INFOCOM’06, Apr. 2006, pp. 1–13. [28] W. Lin and B. Liu, “Pipelined parallel AC-based approach for multi-string matching,” in Proc. of 14th IEEE International Conference on Parallel and Distributed Systems, Dec. 2008, pp. 665–672. [29] I. Bonesana, M. Paolieri, and M. D. Santambrogio, “An adaptable FPGA-based system for regular expression matching,” in Proc. of Design, Automation and Test in Europe, Mar. 2008, pp. 1262–1267. [30] N. Yamagaki and R. S. S. Kamiya, “High-speed regular expression match- ing engine using multi-character nfa,” International Conference on Field Pro- grammable Logic and Applications, pp. 131–136, Sep. 2008. [31] A. Mitra, W. Najar, and L. Bhuyan, “Compiling PCRE to FPGA for acceler- ating SNORT IDS,” in Proc. of ANCS’07, Dec. 2007, pp. 127–136. [32] Mansoor and M. M. V. Kumar, “High speed pattern matching for network IDS/IPS,” in Proc. of the 2006 14th IEEE International Conference on Network Protocols, Nov. 2006, pp. 187–196. [33] A. Bremler-Barr, D. Hay, and Y. Koral, “Compactdfa: Generic state machine compression for scalable pattern matching,” in Proc. of IEEE INFOCOM’10, Mar. 2010, pp. 1–9. [34] F. Yu, R. H. Katz, and T. V. Laksman, “Gigabit rate packet pattern-matching using TCAM,” in Proc. of the 12th IEEE International Conference on Network Protocols, Oct. 2004, pp. 174–183. [35] Y. Sun, V. C. Valgenti, and M. S. Kim, “NFA-based pattern matching for deep packet inspection,” in Proc. of 20th International Conference on Computer Communications and Networks, Jul. 2011, pp. 1–6.
dc.identifier.uri	http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/6938	-
dc.description.abstract	樣式比對是研究如何從文章中找出特定樣式的字串。在網路中，電腦之間的溝通可以視為雙方互相傳遞一些字串，所以樣式比對便可以用來偵測網路之間的溝通內容，而其中一種應用便是網路入侵偵測和預防。網路入侵偵測和預防是試著找出由外面網路進來的惡意封包，為了找到這些封包定義了一些關於惡意封包的規則，在偵測封包時會將這些規則轉為自動狀態機，而自動狀態機的效能通常決定了整個系統的效能。可變步伐是一個基於Winnowing演算法的方法，這個方法被應用在字串辨識上能在保持和多步伐策略一樣的偵測速度下使用較少的記憶體。使用可變步伐策略下的自動狀態機每一次狀態轉換時都會一次處理不定數量的符號，而不是只有一個符號，如此減少了狀態轉換的次數而增加偵測速度，然而這個方法只被使用在字串辨識，這片論文擴展可變步伐的策略到樣式比對，同時保持其原來的優點。	zh_TW
dc.description.abstract	Pattern matching is a research topic that focuses on how to efficiently find strings of expected form in some text. In the network, the communication between the computers can be view as sending string to each other, so the knowledge of pattern matching is used to detect the content of communication in network. The network instruction detection and prevention, one of application used pattern matching in the network, is try to find the malicious data from the incoming data stream which come from outside network. To find malicious data, the rules that present how malicious data look like are converted into automata. The performance of the automata always determines the performance of detecting system. Variable-stride is base on Winnowing algorithm, and this scheme has more memory efficiency than multi-stride method when it has the same throughput improvement. Every transition in the automata applied variable stride may deal with a variable number of symbols, and reduce number of state transition when detecting, so make detecting process faster. However, this scheme is only applied in string matching. Thus this dissertation extends variable-stride to NFA, and keeps its advantage at the same time.	en
dc.description.provenance	Made available in DSpace on 2021-05-17T09:21:43Z (GMT). No. of bitstreams: 1 ntu-101-R98921073-1.pdf: 473816 bytes, checksum: 63954d35bc1b97ca4dfe6759ca248478 (MD5) Previous issue date: 2012	en
dc.description.tableofcontents	1 Introduction 1 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3 Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 Background 4 2.1 NFA and DFA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1.1 String Matching and NFA . . . . . . . . . . . . . . . . . . . . 5 2.2 Snort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.3 PCRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3 Related work 10 3.1 Hardware-Based Method . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.1.1 Software-Based Method . . . . . . . . . . . . . . . . . . . . . 11 3.1.2 ASIC-Based Method . . . . . . . . . . . . . . . . . . . . . . . 11 3.1.3 FPGA-Based Method . . . . . . . . . . . . . . . . . . . . . . 12 3.1.4 TCAM-Based Method . . . . . . . . . . . . . . . . . . . . . . 12 3.2 General Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2.1 History FA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2.2 XFA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.2.3 Hybrid-FA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.3 Compression Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.3.1 Default Transition . . . . . . . . . . . . . . . . . . . . . . . . 13 3.4 Multi Stride . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.4.1 Winnowing Algorithm . . . . . . . . . . . . . . . . . . . . . . 15 3.5 Variable Stride DFA . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 4 The proposed scheme 18 4.1 Converting NFA to Variable-Stride . . . . . . . . . . . . . . . . . . . 18 4.2 Considered Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.3 Basic Idea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 4.4 Limit of a Pivot State . . . . . . . . . . . . . . . . . . . . . . . . . . 21 4.5 Choose a Processed State . . . . . . . . . . . . . . . . . . . . . . . . 23 4.6 Accepting State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.7 Alphabet Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.8 Combine Single Symbol Blocks . . . . . . . . . . . . . . . . . . . . . 25 5 Implementation and Result 27 5.1 Rule Set and Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 5.2 Implementation of NFA . . . . . . . . . . . . . . . . . . . . . . . . . 28 5.3 Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 6 Conclusion 32 Bibliography 33
dc.language.iso	en
dc.title	在網路偵測上可變步伐的樣式比對	zh_TW
dc.title	Variable-Stride Pattern Matching for Network Intrusion Detection	en
dc.type	Thesis
dc.date.schoolyear	100-2
dc.description.degree	碩士
dc.contributor.oralexamcommittee	顏嗣鈞(Hsu-Chun Yen),郭斯彥(Sy-Yen Kuo),黃秋煌(Chua-Huang Huang),楊中皇(Chung-Huang Yang)
dc.subject.keyword	樣式比對,正規表式法,自動機,入侵偵測,多步伐,	zh_TW
dc.subject.keyword	pattern matching,regular expression,automata,intrusion detection,multi-stride,	en
dc.relation.page	37
dc.rights.note	同意授權(全球公開)
dc.date.accepted	2012-08-30
dc.contributor.author-college	電機資訊學院	zh_TW
dc.contributor.author-dept	電機工程學研究所	zh_TW
顯示於系所單位：	電機工程學系

文件中的檔案：

檔案	大小	格式
ntu-101-1.pdf	462.71 kB	Adobe PDF	檢視/開啟

顯示文件簡單紀錄

系統中的文件，除了特別指名其著作權條款之外，均受到著作權保護，並且保留所有的權利。