Author： Xinming Chen ,Kailin Ge ,Zhen Chen and Jun LiPublisher： ANCS , 2011Presenter： Tsung-Lin HsiehDate： 2011/12/14

1

Introduction

Related Work

Background

Proposed Algorithm ： AC-Suffix-Tree Algorithm

Performance Analysis

2

TCP and IP fragmentation can be used to evade signature detection at IDS / IPS.

The common defense is buffering and reassembling packets. However, buffering of out-of-sequence packets can become impractical on high speed links due to limited fast memory capacity.

3

In this paper, AC-Suffix-Tree, a buffer free scheme for string matching is proposed, which detects patterns across out-of-sequence packets without buffering and reassembly.

This novel algorithm associates the classical AC (ACA) algorithm with a pattern suffix tree to search patterns with only the state numbers of AC automaton and suffix tree stored.

4

What is the current situation of packet reordering in Internet?

In 2005, Dharmapurikar found that packet reordering in TCP traffic only affects 2-3% of the overall traffic[6].

An older paper reports that 90% of the TCP packets were reordered in the trace of Dec. 1997 and Jan. 1998 [3], but Dharmapurikar claims it was because the older generation of router architecture. 5

Pattern Suffix Tree： Let X = {abaaba ,ababab} , suffix set of

X is

{a,ba,aba,aaba,baaba,b,ab,bab,abab,babab}

6

The return value contains the stop state and a “fact” mark. Once the input string is not finished but there is no available next state, fact is false; and once the input string is finished but PST is not finished, fact is true. So fact = true means str is a proper factor of some patterns in X. 7

A simple situation of two packets’ reordering.

When packet y2 comes first, a pattern may exist between the two packets only if some prefix of y2 is one suffix of the patterns.

8

For example ： yi=aaba , yj=abaa

stop at s6

append path(s6)9

What if the pattern x crosses more than two segments?

A information merging mechanism is used to merge the PST state records in successive blocks.

the return value “fact” of PST is used to identify the proper factor of x. fact = true means the entire segment is a proper factor of x, thus needs to merge the PST state with the predecessor segment. 10

Example ： Pattern set X = {abaaba, ababab} Input Y = y1y2y3y4 , where y1 = bbaa ,y2 = baba ,y3 = baab ,y4 =

aabb

11

-> flow number-> sequence number-> length-> state of ACA-> state of PST

First input is y3： (baab) passing y3 to both ACA & PST

Buffer contains (1,8,4,2,11,true)

12

Second input is y1： (bbaa) passing y1 to both ACA & PST

Buffer contains (1,8,4,2,11,true) , (1,0,4,2,11,false)

13

Third input is y4： (aabb) combine y4 with its predecessor (1,8,4,2,11,true) ACA begin with s2 ,PST begin with s11

Buffer contains (1,0,4,1,8,false) , (1,8,8,0,12,false)

14

Fourth input is y2： (baba) combine y2 with (1,0,4,1,8,false) &

(1,8,8,0,12,false) path(12) appended to y2’s tail -> bababaaba ACA match with {abaaba,ababab}

Buffer clean all records with fid = 1. 15

Compression of Suffix Tree： idea - using a suffix array instead of a

tree Pre-processing time will be longer but not

the focus

16

Pattern set is chosen from snort ,released on 2010/07/22. no regular expressions included.

Use traces generated by their own program.

Running on PC Pentium 2-core CPU ,4GB RAM ,32-bit XP

17

Processing speed for different traces with long set

18

Memory usage of AC and suffix tree

19

1,3,2,4,5, 6,7,8,9,10 1,4,5,6,7 8,9,10,2,3 1,3,4,6,7 8,9,2,10,5

20