approximate reduction of finite automata for high speed
play

Approximate Reduction of Finite Automata for High-Speed Network - PowerPoint PPT Presentation

Oct 08, 2022 •124 likes •789 views

Approximate Reduction of Finite Automata for High-Speed Network Intrusion Detection Milan Ce Vojt Luk a ska ech Havlena s Hol k Ond rej Leng al Tom a s Vojnar Brno University of Technology Czech Republic 18

  1. Approximate Reduction of Finite Automata for High-Speed Network Intrusion Detection Milan ˇ Ceˇ Vojtˇ Luk´ aˇ ska ech Havlena s Hol´ ık Ondˇ rej Leng´ al Tom´ aˇ s Vojnar Brno University of Technology Czech Republic 18 April 2018 (TACAS’18)

  2. Main Points reduction of nondeterministic finite automata (NFAs) ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 2 / 23

  3. Main Points reduction of nondeterministic finite automata (NFAs) the reduction does NOT preserve language ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 2 / 23

  4. Main Points reduction of nondeterministic finite automata (NFAs) the reduction does NOT preserve language BUT guarantees maximum error ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 2 / 23

  5. Main Points reduction of nondeterministic finite automata (NFAs) the reduction does NOT preserve language BUT guarantees maximum error w.r.t. a probabilistic distribution ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 2 / 23

  6. Main Points reduction of nondeterministic finite automata (NFAs) the reduction does NOT preserve language BUT guarantees maximum error w.r.t. a probabilistic distribution application in high-speed network intrusion detection ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 2 / 23

  7. Computer Network Intrusion Detection recently a large number of security incidents, e.g. ◮ WannaCry • ransomware, 1 G$ ◮ Spectre & Meltdown • security vulnerabilities in Intel CPUs exploits often spread via networks ◮ these attacks can be detected ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 3 / 23

  8. Computer Network Intrusion Detection Local Network Malicious User EVIL E V I L Internet E V I L L I V EVIL E NIDS NIDS = Network Intrusion Detection System ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 4 / 23

  9. Computer Network Intrusion Detection S NORT ◮ popular NIDS ◮ RegExes to describe attacks ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 5 / 23

  10. Computer Network Intrusion Detection S NORT ◮ popular NIDS ◮ RegExes to describe attacks /ˆPOST HTTP\/1\.[01]\r\n(\V+\r\n)*\r\n[\x00-\xff]*DROP TABLE/ /ˆHTTP\/1\.[01] 404[\x00-\xff]*(admin|wordpress)/ /ˆPOST HTTP\/1\.[01]\r\n(\V+\r\n)*\r\n[\x00-\xff]*admin:admin/ /ˆPOST HTTP\/1\.[01]\r\n(\V+\r\n)*\r\n[\x00-\xff]*admin:password/ /ˆPOST HTTP\/1\.[01]\r\n(\V+\r\n)*\r\n[\x00-\xff]*YWRtaW46cGFzc3dvcmQ/ /ˆPOST HTTP\/1\.[01]\r\n(\V+\r\n)*\r\n[\x00-\xff]*YWRtaW46YWRtaW4/ /ˆPOST HTTP\/1\.[01]\r\n(\V+\r\n)*\r\n[\x00-\xff]*\/bin\/sh/ ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 5 / 23

  11. Computer Network Intrusion Detection High-speed networks ◮ 100 Gbps, 400 Gbps NIDS 100 Gbps ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 6 / 23

  12. Computer Network Intrusion Detection High-speed networks ◮ 100 Gbps, 400 Gbps NIDS 100 Gbps — max. ∼ 150 Mpkt/s (100 / 84*8) ◮ cf. 56 kbps dial-up — max. ∼ 80 pkt/s ◮ ∼ 10 GB/s (of data) 100 Gbps ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 6 / 23

  13. Computer Network Intrusion Detection High-speed networks ◮ 100 Gbps, 400 Gbps NIDS 100 Gbps — max. ∼ 150 Mpkt/s (100 / 84*8) ◮ cf. 56 kbps dial-up — max. ∼ 80 pkt/s ◮ ∼ 10 GB/s (of data) consider 4 GHz CPU ◮ 0.4 cycle/B ◮ ∼ 27 cycles/pkt cf. DRAM latency ∼ 100 cycles 100 Gbps ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 6 / 23

  14. Computer Network Intrusion Detection High-speed networks ◮ 100 Gbps, 400 Gbps NIDS 100 Gbps — max. ∼ 150 Mpkt/s (100 / 84*8) ◮ cf. 56 kbps dial-up — max. ∼ 80 pkt/s ◮ ∼ 10 GB/s (of data) consider 4 GHz CPU ◮ 0.4 cycle/B ◮ ∼ 27 cycles/pkt cf. DRAM latency ∼ 100 cycles 100 Gbps no hope for SW solutions ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 6 / 23

  15. HW-accelerated NIDS HW-accelerated NIDS ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 7 / 23

  16. HW-accelerated NIDS HW-accelerated NIDS cooperation with ANT@FIT ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 7 / 23

  17. HW-accelerated NIDS HW-accelerated NIDS cooperation with ANT@FIT using a COMBO-100G accelerator card ◮ FPGA Xilinx Virtex-7 H580T ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 7 / 23

  18. HW-accelerated NIDS HW-accelerated NIDS cooperation with ANT@FIT using a COMBO-100G accelerator card ◮ FPGA Xilinx Virtex-7 H580T NIDS < 1 Gbps 100 Gbps used as a pre-filter ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 7 / 23

  19. HW-accelerated NIDS HW-accelerated NIDS RegEx matching in HW ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 8 / 23

  20. HW-accelerated NIDS HW-accelerated NIDS RegEx matching in HW ◮ NFAs ! ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 8 / 23

  21. HW-accelerated NIDS HW-accelerated NIDS RegEx matching in HW ◮ NFAs ! ◮ smaller than DFAs ◮ but still too big (even after language-preserving reduction) ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 8 / 23

  22. HW-accelerated NIDS HW-accelerated NIDS RegEx matching in HW ◮ NFAs ! ◮ smaller than DFAs ◮ but still too big (even after language-preserving reduction) ◮ many units in parallel ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 8 / 23

  23. HW-accelerated NIDS HW-accelerated NIDS RegEx matching in HW ◮ NFAs ! ◮ smaller than DFAs ◮ but still too big (even after language-preserving reduction) ◮ many units in parallel ◮ http-backdoor.pcre : 38.4 Gbps ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 8 / 23

  24. HW-accelerated NIDS HW-accelerated NIDS RegEx matching in HW ◮ NFAs ! ◮ smaller than DFAs ◮ but still too big (even after language-preserving reduction) ◮ many units in parallel ◮ http-backdoor.pcre : 38.4 Gbps ◮ � language non-preserving reduction ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 8 / 23

  25. Distance of NFAs Language non-preserving NFA reduction A → A red : ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 9 / 23

  26. Distance of NFAs Language non-preserving NFA reduction A → A red : trivial solutions not satisfactory ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 9 / 23

  27. Distance of NFAs Language non-preserving NFA reduction A → A red : trivial solutions not satisfactory need to quantify the error ◮ distance of NFAs ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 9 / 23

  28. Distance of NFAs Language non-preserving NFA reduction A → A red : trivial solutions not satisfactory need to quantify the error ◮ distance of NFAs Distance of NFAs: Jaccard distance, Ces` aro-Jaccard distance Levenshtein (edit) distance ◮ not suitable for languages . . . ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 9 / 23

  29. Distance of NFAs Language non-preserving NFA reduction A → A red : trivial solutions not satisfactory need to quantify the error ◮ distance of NFAs Distance of NFAs: Jaccard distance, Ces` aro-Jaccard distance Levenshtein (edit) distance ◮ not suitable for languages . . . not suitable! ◮ distribution of network packets is not uniform ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 9 / 23

  30. Distance of NFAs Probabilistic distance of NFAs: ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 10 / 23

  31. Distance of NFAs Probabilistic distance of NFAs: various packets have different likelihood ◮ e.g. Pr ( HTTP ) > Pr ( Gopher ) ◮ e.g. Pr HTTP ( GET ) > Pr HTTP ( POST ) ˇ Ceˇ ska, Havlena, Hol´ ık, Leng´ al , Vojnar Approximate Reduction of Finite Automata TACAS’18 10 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Finite Automata Languages Deterministic Finite Automata Representations of

Introduction to Finite Automata Languages Deterministic Finite Automata Representations of

Introduction to Finite Automata Languages Deterministic Finite Automata Representations of Automata 1 Alphabets An alphabet is any finite set of symbols. Examples: ASCII, Unicode, { 0,1} ( binary alphabet ), { a,b,c} . 2 Strings

397 views • 37 slides
3.7: Simplification of Finite Automata In this section, we: say what it means for a finite

3.7: Simplification of Finite Automata In this section, we: say what it means for a finite

3.7: Simplification of Finite Automata In this section, we: say what it means for a finite automaton to be simplified; study an algorithm for simplifying finite automata; and see how finite automata can be simplified in Forlan. 1 / 17 3.7:

555 views • 51 slides
3.9: Empty-string Finite Automata In this and the following two sections, we will study three

3.9: Empty-string Finite Automata In this and the following two sections, we will study three

3.9: Empty-string Finite Automata In this and the following two sections, we will study three progressively more restricted kinds of finite automata: empty-string finite automata (EFAs); nondeterministic finite automata (NFAs); and

273 views • 16 slides
Finite Automata For lexical analysis: Specification Regular expression

Finite Automata For lexical analysis: Specification Regular expression

10/7/2012 Finite Automata For lexical analysis: Specification Regular expression Implementation Finite automata A finite automata consists of 5 components: ( , S, n, F , Im plem enting Lexical 1. An input alphabet,

101 views • 7 slides
3.10: Nondeterministic Finite Automata In this section, we study the second of our more restricted

3.10: Nondeterministic Finite Automata In this section, we study the second of our more restricted

3.10: Nondeterministic Finite Automata In this section, we study the second of our more restricted kinds of finite automata: nondeterministic finite automata. 1 / 22 Definition of NFAs A nondeterministic finite automaton (NFA) M is a finite

978 views • 22 slides
B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and Formal Languages Wolfgang Ahrendt 22nd April 2013 B uchi Automata: TMV027/DIT321 / GU 130423 1 / 25 Motivating Temporal Logic? But How to

832 views • 64 slides
3.5: Isomorphism of Finite Automata Let M and N be the finite automata 0 0 C 0 1 Start A

3.5: Isomorphism of Finite Automata Let M and N be the finite automata 0 0 C 0 1 Start A

3.5: Isomorphism of Finite Automata Let M and N be the finite automata 0 0 C 0 1 Start A B and Start A B 1 1 0 1 C B C ( M ) ( N ) How are M and N related? Although they are not equal, they do have the same structure,

169 views • 12 slides
Finite Automata A finite automaton has a finite set of states with which it accepts or rejects

Finite Automata A finite automaton has a finite set of states with which it accepts or rejects

Finite Automata A finite automaton has a finite set of states with which it accepts or rejects strings. A Finite Automaton An FA has three components: 1. input tape contains single string; 2. head reads input string one symbol at a time; and 3.

646 views • 22 slides
Finite Automata: Informal Finite Automata: Informal p.1/20 Computational models The

Finite Automata: Informal Finite Automata: Informal p.1/20 Computational models The

Finite Automata: Informal Finite Automata: Informal p.1/20 Computational models The theory of computation should begin with the question: what is a computer? Finite Automata: Informal p.2/20 Computational models The theory of

1.39k views • 74 slides
Synchronizing Finite Automata Lecture I: Cern y conjecture, Pin-Frankls bound and

Synchronizing Finite Automata Lecture I: Cern y conjecture, Pin-Frankls bound and

Synchronizing Finite Automata Lecture I: Cern y conjecture, Pin-Frankls bound and recent advances Mikhail Volkov Ural Federal University Mikhail Volkov Synchronizing Finite Automata 1. Definitions Deterministic finite automata

2.11k views • 123 slides
Synchronizing Finite Automata Lecture IV. Synchronizing Automata and Markov Chains Mikhail Volkov

Synchronizing Finite Automata Lecture IV. Synchronizing Automata and Markov Chains Mikhail Volkov

Synchronizing Finite Automata Lecture IV. Synchronizing Automata and Markov Chains Mikhail Volkov Ural Federal University Mikhail Volkov Synchronizing Finite Automata 1. Linearization We associate a natural linear structure with each

1.29k views • 97 slides
CSC 473 Automata, Grammars &amp; Languages 9/29/10 Automata, Grammars and Languages Discourse 03

CSC 473 Automata, Grammars &amp; Languages 9/29/10 Automata, Grammars and Languages Discourse 03

CSC 473 Automata, Grammars &amp; Languages 9/29/10 Automata, Grammars and Languages Discourse 03 Finite Automata C SC 473 Automata, Grammars &amp; Languages Finite Automata / Switching Theory (CS) / (CE) Boolean operators / Gates

519 views • 32 slides
Languages Recall. Non deterministic finite automata What is a language? with

Languages Recall. Non deterministic finite automata What is a language? with

Languages Recall. Non deterministic finite automata What is a language? with transitions What is a class of languages? Finite Automata First there was the DFA Consists of Deterministic Finite Automata A set of

345 views • 7 slides
Finite state automata Finite graphs with labels on edges/nodes Lecture 2 a set of nodes

Finite state automata Finite graphs with labels on edges/nodes Lecture 2 a set of nodes

Finite state automata Finite graphs with labels on edges/nodes Lecture 2 a set of nodes (states) Model-Checking Finite-State Systems a set of edges (transitions) (untimed systems) a set of labels (alphabet) Finite Automata, CTL,

273 views • 10 slides
Finite Automata - basic computational model: limited amount of memory - example: controller for

Finite Automata - basic computational model: limited amount of memory - example: controller for

[Section 1.1] Finite Automata - basic computational model: limited amount of memory - example: controller for an automatic door [Section 1.1] Finite Automata Formal definition: A finite automaton (FA) is a 5-tuple (Q, , ,q 0 ,F), where -

423 views • 11 slides
DFAs are usefultheyre everywhere! All-DNA finite-state automata with finite memory Zhen-Gang

DFAs are usefultheyre everywhere! All-DNA finite-state automata with finite memory Zhen-Gang

DFAs are usefultheyre everywhere! All-DNA finite-state automata with finite memory Zhen-Gang Wang a,1 , Johann Elbaz a,1 , F. Remacle b , R. D. Levine a,c,2 , and Itamar Willner a,2 a Institute of Chemistry, Hebrew University of Jerusalem,

778 views • 18 slides
LINEAR AR INDUCTION TION MOTOR OR Electrical and Computer Engineering Tyler Berchtold, Mason

LINEAR AR INDUCTION TION MOTOR OR Electrical and Computer Engineering Tyler Berchtold, Mason

1 LINEAR AR INDUCTION TION MOTOR OR Electrical and Computer Engineering Tyler Berchtold, Mason Biernat and Tim Zastawny Project Advisor: Steven Gutschlag 10/1/2015 2 Outline of Presentation Background Information Design Approach

707 views • 69 slides
Integration in the Global Context Achieving buy in for travel behaviour change campaigns How to

Integration in the Global Context Achieving buy in for travel behaviour change campaigns How to

Integration in the Global Context Achieving buy in for travel behaviour change campaigns How to Keep a City Moving During Planned Disruption Travel Planning comes of age Effectively Influencing Travel Behaviour Making friends and influencing

400 views • 29 slides
The Value of Source Credibility and Trust in Emergencies and Disasters Angela Clendenin, PhD

The Value of Source Credibility and Trust in Emergencies and Disasters Angela Clendenin, PhD

The Value of Source Credibility and Trust in Emergencies and Disasters Angela Clendenin, PhD Public Information Officer, Texas A&amp;M Veterinary Emergency Team Instructional Assistant Professor, Public Health Studies, Texas A&amp;M School of

424 views • 29 slides
Information Meeting June 10, 2009 Fiscal 2009 First Informational Meeting Table of Contents

Information Meeting June 10, 2009 Fiscal 2009 First Informational Meeting Table of Contents

Fiscal 2009 First Information Meeting June 10, 2009 Fiscal 2009 First Informational Meeting Table of Contents Title Page No. Extreme Environmental Changes Originating From Financial Crisis : MSIGs Response 1 Results for FY2008 2 MSIG

579 views • 46 slides
NORTH WEST PROVINCIAL LEGISLATURE Legislature Building Dr James Moroka Drive Private Bag X20I8

NORTH WEST PROVINCIAL LEGISLATURE Legislature Building Dr James Moroka Drive Private Bag X20I8

NORTH WEST PROVINCIAL LEGISLATURE Legislature Building Dr James Moroka Drive Private Bag X20I8 MMABATHO 2735 PORTFOLIO COMMITTEE ON FINANCE REPORT ON PRESENTATION BY DEPARTMENT OF FINANCE ON THEIR STRATEGIC PLAN - 2 0 0 9 / 1 0 . BRIEF

312 views • 15 slides
COSITU The ITU model for the calculation of telephone service costs, tariffs and interconnection

COSITU The ITU model for the calculation of telephone service costs, tariffs and interconnection

COSITU The ITU model for the calculation of telephone service costs, tariffs and interconnection charges COSITU - The ITU tariff model 1 Note: The views expressed in this paper are those of the author and do not necessarily represent the

1.24k views • 105 slides
Home Gateway Initiative Vision A Service Providers perspective Roger Clark BT Group CTO

Home Gateway Initiative Vision A Service Providers perspective Roger Clark BT Group CTO

Home Gateway Initiative Vision A Service Providers perspective Roger Clark BT Group CTO January 2006 Drivers for home networking WiFi enablement of the home More than one PC in use Music and Video going on line Future two way

162 views • 15 slides
Team 2013 Weekly Presentation #1 9/29/2019 - 10/05/2019 Weekly Progress Submitted Problem

Team 2013 Weekly Presentation #1 9/29/2019 - 10/05/2019 Weekly Progress Submitted Problem

Team 2013 Weekly Presentation #1 9/29/2019 - 10/05/2019 Weekly Progress Submitted Problem Statement on September 30th Beginning research on IoT testing/verification (in general terms) The Problem Many IoT devices - need one way

407 views • 13 slides

More recommend