High-speed matching of vulnerability signatures

Nabil Schear, David R. Albrecht, Nikita Borisov

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Vulnerability signatures offer better precision and flexibility than exploit signatures when detecting network attacks. We show that it is possible to detect vulnerability signatures in high-performance network intrusion detection systems, by developing a matching architecture that is specialized to the task of vulnerability signatures. Our architecture is based upon: i) the use of high-speed pattern matchers, together with control logic, instead of recursive parsing, ii) the limited nature and careful management of implicit state, and iii) the ability to avoid parsing large fragments of the message not relevant to a vulnerability. We have built a prototype implementation of our architecture and vulnerability specification language, called VESPA, capable of detecting vulnerabilities in both text and binary protocols. We show that, compared to full protocol parsing, we can achieve 3x or better speedup, and thus detect vulnerabilities in most protocols at a speed of 1 Gbps or more. Our architecture is also well-adapted to being integrated with network processors or other special-purpose hardware. We show that for text protocols, pattern matching dominates our workload and great performance improvements can result from hardware acceleration.

Original language: English (US)
Title of host publication: Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings
Pages: 155-174
Number of pages: 20
State: Published - 2008
Event: Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings - Cambridge, MA, United States
Duration: Sep 15 2008 to Sep 17 2008

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5230 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings
Country: United States
City: Cambridge, MA
Period: 9/15/08 to 9/17/08

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)
