Towards High Performance Network Defense

Zhichun Li
Northwestern


Abstract

Security has become one of the major concerns for today's networks. Network level defense mechanisms are of critical importance. They protect the enterprise as a whole including the users who do not apply host-based schemes for various reasons (reliability, overhead, conflicts, etc.). Three challenges need to be addressed for network level defense mechanisms: 1) highly accurate; 2) scalable to the high speed networks with a large number of users; and 3) adapt fast to the emerging threats. My research is to solve these challenges through building a high performance network defense and forensic system. Particularly, in this talk, I will present the design of NetShield, a new vulnerability signature based NIDS/NIPS which achieves high throughput comparable to that of the state-of-the-art regular expression based systems while offering much better accuracy. This is accomplished because of the following contributions: (i) we propose a candidate selection algorithm which efficiently matches thousands of vulnerability signatures simultaneously using a small amount of memory; (ii) we propose a parsing transition state machine that achieves fast protocol parsing. The core engine of NetShield achieves 1.9Gbps signature matching throughput for 794 HTTP vulnerability signatures on a 3.8GHz PC. We intend to implement the NetShield prototype as a better alternative for the popular NIDS Snort in terms of both accuracy and speed.