spicy a unified deep packet inspection framework
play

Spicy: A Unified Deep Packet Inspection Framework Dissecting All - PowerPoint PPT Presentation

Jan 22, 2023 •241 likes •931 views

Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data Robin Sommer International Computer Science Institute, & Corelight, Inc. robin@icsi.berkeley.edu robin@corelight.io http://www.icir.org/robin Deep Packet

  1. Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data Robin Sommer International Computer Science Institute, & Corelight, Inc. robin@icsi.berkeley.edu robin@corelight.io http://www.icir.org/robin

  2. Deep Packet Inspection Tap Local Internet Network IDS 2

  3. Deep Packet Inspection Tap Local Internet Network IDS Example: Finding downloads of known malware. 1. Find and parse all Web traffic. 2. Find and extract binaries. 3. Compute hash and compare with database. 4. Report, and potentially kill, if found. 2

  4. Deep Packet Inspection Tap Local Internet Network IDS Example: Finding downloads of known malware. 1. Find and parse all Web traffic. 2. Find and extract binaries. 3. Compute hash and compare with database. 4. Report, and potentially kill, if found. 2

  5. Protocol Parsing Web Web Request for /x/y/foo.zip Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 3

  6. Protocol Parsing Web Web Request for /x/y/foo.zip Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 ACK ... ... SYN SYN ACK ACK ACK FIN FIN TCP connection established 3

  7. Protocol Parsing Web Web Request for /x/y/foo.zip Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 ACK ... ... SYN SYN ACK ACK ACK FIN FIN TCP connection established TCP stream reassembly for originator GET /x/y/foo.zip HTTP/1.1 … Request for /x/y/foo.zip, protocol version 1.1, HTTP headers 3

  8. Protocol Parsing Web Web Request for /x/y/foo.zip Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 ACK ... ... SYN SYN ACK ACK ACK FIN FIN TCP connection established TCP stream reassembly for originator GET /x/y/foo.zip HTTP/1.1 … Request for /x/y/foo.zip, protocol version 1.1, HTTP headers TCP stream reassembly for responder 200 OK … Reply with page content for further analysis (e.g., hash; unpack & parse files) 3

  9. Protocol Parsing Web Web Request for /x/y/foo.zip Client Server Status OK plus data 5.6.7.8/80 1.2.3.4/4321 ACK ... ... SYN SYN ACK ACK ACK FIN FIN TCP connection established TCP stream reassembly for originator GET /x/y/foo.zip HTTP/1.1 … Request for /x/y/foo.zip, protocol version 1.1, HTTP headers TCP stream reassembly for responder 200 OK … Reply with page content for further analysis (e.g., hash; unpack & parse files) TCP connection tear down 3

  10. Parsing Is Hard ... ... SYN SYN ACK ACK ACK ACK FIN FIN 4

  11. Parsing Is Hard ... ... SYN SYN ACK ACK ACK ACK FIN FIN Must be robust Lots of “crud” in real-world networks Cannot trust input 4

  12. Parsing Is Hard ... ... SYN SYN ACK ACK ACK ACK FIN FIN Must be robust Lots of “crud” in real-world networks Cannot trust input Must be efficient 100,000s of concurrent connections Incremental processing for low latency & memory usage 4

  13. Parsing Is Hard ... ... SYN SYN ACK ACK ACK ACK FIN FIN Must be robust Lots of “crud” in real-world networks Cannot trust input Must be efficient 100,000s of concurrent connections Incremental processing for low latency & memory usage Must be complete Leaving out parts of the protocol opens evasion opportunities Protocols can be really complex (SMB …) 4

  14. There are a lot of protocols out there … Even a simple case involves 5 protocols HTTP TCP IP Ethernet PCAP 5

  15. There are a lot of protocols out there … Even a simple case involves 5 protocols HTTP TCP A few popular protocols account for the bulk of traffic in most environments 
 IP (e.g., TCP/IP , HTTP , TLS, DNS, SMTP , IMAP) Ethernet PCAP 5

  16. There are a lot of protocols out there … Even a simple case involves 5 protocols HTTP TCP A few popular protocols account for the bulk of traffic in most environments 
 IP (e.g., TCP/IP , HTTP , TLS, DNS, SMTP , IMAP) Ethernet Long tail of further protocols, often PCAP environment-specific 
 (e.g., SMB, Modbus, BACnet, more L2) 5

  17. There are a lot of protocols out there … Even a simple case involves 5 protocols HTTP TCP A few popular protocols account for the bulk of traffic in most environments 
 IP (e.g., TCP/IP , HTTP , TLS, DNS, SMTP , IMAP) Ethernet Long tail of further protocols, often PCAP environment-specific 
 (e.g., SMB, Modbus, BACnet, more L2) File formats amplify the challenge 5

  18. Example: Bro 2.5 AYIYA Kerberos BitTorrent Login SIP DCE_RPC Modbus SMTP DHCP MySQL SNMP DNP3 NCP SOCKS DNS NFS SSH DTLS NTP SSL FTP NetBIOS Syslog Finger PE TCP GTPv1 POP3 Telnet Gnutella Portmapper Teredo HTTP Radius UDP ICMP RDP X509 IPv4/6 Rlogin ZIP IRC Rsh Ident SMB 6

  19. A Tale of Three Open-Source IDS Suricata 7

  20. A Tale of Three Open-Source IDS Shared parsers? None. Suricata Every DPI application rewrites its parsers — usually in C/C++! 7

  21. Opportunity: Provide Platform for Parsers 8

  22. Opportunity: Provide Platform for Parsers Protocols leverage a rather small set of patterns Readable line-based formats for text protocols Static “prototocol data units” (PDU) for binary protocols Request/response structure Common sub-formats (HTTP/MIME/ASN.1) Fragmentation (even at app layer!) 8

  23. Opportunity: Provide Platform for Parsers Protocols leverage a rather small set of patterns Readable line-based formats for text protocols Static “prototocol data units” (PDU) for binary protocols Request/response structure Common sub-formats (HTTP/MIME/ASN.1) Fragmentation (even at app layer!) But: Potpourri of protocols remains diverse still Every protocol does something different 8

  24. Opportunity: Provide Platform for Parsers Protocols leverage a rather small set of patterns Readable line-based formats for text protocols Static “prototocol data units” (PDU) for binary protocols Request/response structure Common sub-formats (HTTP/MIME/ASN.1) Fragmentation (even at app layer!) But: Potpourri of protocols remains diverse still Every protocol does something different Can we leverage similarities, while remaining flexible? 8

  25. Opportunity: Provide Platform for Parsers Protocols leverage a rather small set of patterns Readable line-based formats for text protocols Static “prototocol data units” (PDU) for binary protocols Request/response structure Common sub-formats (HTTP/MIME/ASN.1) Fragmentation (even at app layer!) But: Potpourri of protocols remains diverse still Every protocol does something different Can we leverage similarities, while remaining flexible? Can we reuse code across applications? 8

  26. Meanwhile, in another domain … There are powerful tools for implementing parsers for programming languages. 9

  27. Meanwhile, in another domain … There are powerful tools for implementing parsers for programming languages. exp: NUM { $$ = $1; } | exp '+' exp { $$ = $1 + $2; } | exp ‘-' exp { $$ = $1 - $2; } | exp ‘*' exp { $$ = $1 * $2; } | exp ‘/' exp { $$ = $1 / $2; } 9

  28. Meanwhile, in another domain … There are powerful tools for implementing parsers for programming languages. exp: NUM { $$ = $1; } | exp '+' exp { $$ = $1 + $2; } | exp ‘-' exp { $$ = $1 - $2; } | exp ‘*' exp { $$ = $1 * $2; } | exp ‘/' exp { $$ = $1 / $2; } Host yyparse() Application Yacc 9

  29. Meanwhile, in another domain … There are powerful tools for implementing parsers for programming languages. These parsers aren’t suitable for DPI, unfortunately. exp: NUM { $$ = $1; } No support for concurrent, incremental processing | exp '+' exp { $$ = $1 + $2; } | exp ‘-' exp { $$ = $1 - $2; } No support for domain-specific idioms | exp ‘*' exp { $$ = $1 * $2; } | exp ‘/' exp { $$ = $1 / $2; } Host yyparse() Application Yacc 9

  30. Domain-specific Parser Generation IMC 2006 10

  31. Domain-specific Parser Generation IMC 2006 type ClientHello(rec: HandshakeRecord) = record { client_version: uint16; gmt_unix_time : uint32; random_bytes : bytestring &length = 28; session_len : uint8; session_id : uint8[session_len]; dtls_cookie : case client_version of { DTLSv10, DTLSv12 -> cookie : ClientHelloCookie(rec); default -> nothing: bytestring &length=0; }; […] TLS v3 Client Hello (Source: Bro’s TLS analyzer) } 10

  32. Domain-specific Parser Generation IMC 2006 type ClientHello(rec: HandshakeRecord) = record { client_version: uint16; gmt_unix_time : uint32; random_bytes : bytestring &length = 28; session_len : uint8; session_id : uint8[session_len]; dtls_cookie : case client_version of { DTLSv10, DTLSv12 -> cookie : ClientHelloCookie(rec); default -> nothing: bytestring &length=0; }; […] TLS v3 Client Hello (Source: Bro’s TLS analyzer) } Host class binpac:: Application ConnectionAnalyzer BinPAC 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley (Work under submission). Intrusion Prevention Deep Packet Inspection Parental Filtering (DPI) In-network

851 views • 42 slides
SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang , Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Kevin Chan, and Tracy Braun What is DPI (Deep Packet Inspection)?

205 views • 19 slides
Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used to enhance the scanning process. Specifically, even if the Abstract Deep Packet Inspection (DPI) plays a major role in contemporary networks, and

479 views • 9 slides
DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

Bram C.M. Cappers Jarke J. van Wijk b.c.m.cappers@tue.nl j.j.v.wijk@tue.nl SEMANTIC NETWORK TRAFFIC ANALYSIS USING DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced Persistent Threats (APTs)

240 views • 5 slides
Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin Huang Institute of Nuclear Energy

Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin Huang Institute of Nuclear Energy

CPS-SR CPS-IoT Week 2019 April 15 - 18, 2019 Montreal, Canada Intrusion Detection of Networked Cyber-Physical Systems via Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin Huang Institute of Nuclear Energy Technology (INET)

611 views • 32 slides
Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Chair for Network Architectures and Services Technical University of Munich (TUM) Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections Intermediate Talk Julien Schmidt May 30, 2016 Chair for

384 views • 16 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik Pete , Systems Engineer 28 th March, 2018 Car Hacking Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the

371 views • 35 slides
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang Junchen Jiang Yi Tang Yi Wang Bin Liu Xiaojun Wang School of Electronic Engineering, Dublin City University, Dublin, Ireland

81 views • 5 slides
Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017

Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017

Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017 May 2017 Background Main uses for network traffic analysis Operations & management Capacity planning Performance troubleshooting

520 views • 24 slides
Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and

Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and

Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and Attack-Resilient Performance* Yi-Hua E. Yang Viktor K. Prasanna Chenqian Jiang Ming Hsieh Dept. of Electrical Eng. Ming Hsieh Dept. of Electrical Eng. Ming

432 views • 11 slides
SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department

SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department

SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department of Computer Science Department of Electrical and Computer Engineering University of Illinois at Springfield Southern Illinois University

181 views • 6 slides
A Unified Approximation Framework for Compressing and Accelerating Deep Neural Networks Yuzhe Ma 1

A Unified Approximation Framework for Compressing and Accelerating Deep Neural Networks Yuzhe Ma 1

A Unified Approximation Framework for Compressing and Accelerating Deep Neural Networks Yuzhe Ma 1 , Ran Chen 1 , Wei Li 1 , Fanhua Shang 2 , Wenjian Yu 3 , Minsik Cho 4 , Bei Yu 1 1 CUHK, 2 Xidian Univ., 3 Tsinghua Univ. 4 IBM T. J. Watson 1 / 23

542 views • 23 slides
The Common Inspection Framework A briefing for Plymouth headteachers Sue Frater HMI Thursday 3

The Common Inspection Framework A briefing for Plymouth headteachers Sue Frater HMI Thursday 3

The Common Inspection Framework A briefing for Plymouth headteachers Sue Frater HMI Thursday 3 March 2016 The Future of Education Inspection What is changing? The Common Inspection Framework Short Inspections Principles of inspection reform

784 views • 40 slides
Area Inspection Preparation Victor Roman 1. Focus of the Inspection This framework will

Area Inspection Preparation Victor Roman 1. Focus of the Inspection This framework will

A Quick Guide to the SEND Local Area Inspection Preparation Victor Roman 1. Focus of the Inspection This framework will inspect the Local Area (a Partnership Inspection), concentrating on 3 questions : Question A: How effectively does the

119 views • 10 slides
Education inspection framework: Inspecting the substance of education The consultation outcomes

Education inspection framework: Inspecting the substance of education The consultation outcomes

Education inspection framework: Inspecting the substance of education The consultation outcomes Early years Education inspection framework: July LED events Slide 1 Todays session Education inspection framework (EIF) The consultation

769 views • 30 slides
Post-Layout Simulation Analog and Digital Turbo Simulator (ADiT) Analog &Digital Turbo

Post-Layout Simulation Analog and Digital Turbo Simulator (ADiT) Analog &Digital Turbo

Post-Layout Simulation Analog and Digital Turbo Simulator (ADiT) Analog &Digital Turbo Simulator (ADiT) Extracted from schematic: design.lvs.netlist Extracted from layout: design.pex.netlist design.pex.netlist.design.pxi Analog

713 views • 34 slides
SML Spice Manipulation Language Ron Alleyne Rob Toth Spencer Greenberg Michael Apap What is

SML Spice Manipulation Language Ron Alleyne Rob Toth Spencer Greenberg Michael Apap What is

SML Spice Manipulation Language Ron Alleyne Rob Toth Spencer Greenberg Michael Apap What is SPICE? S imulation P rogram with I ntegrated C ircuit E mphasis Uses complex systems of equations to solve for voltages at circuit nodes and

637 views • 24 slides
Last year our team at HP transitioned to Agile. A lot of people asked me what QA does in Scrum. It

Last year our team at HP transitioned to Agile. A lot of people asked me what QA does in Scrum. It

Last year our team at HP transitioned to Agile. A lot of people asked me what QA does in Scrum. It was a great question! And I quickly discovered my we werent the only one asking it! It turns out there wasnt much information out there to

637 views • 29 slides
The Consolidated Agreement Agreement between DPH and Local Health Departments

The Consolidated Agreement Agreement between DPH and Local Health Departments

The Consolidated Agreement Agreement between DPH and Local Health Departments Incorporates all environmental health requirements and funding as a part of DPH/DHHS Contains general terms and conditions for activities related to any

604 views • 13 slides
Challenges & Strategies for the SPICE Model Extraction & Simulation of the PD-SOI

Challenges & Strategies for the SPICE Model Extraction & Simulation of the PD-SOI

Challenges & Strategies for the SPICE Model Extraction & Simulation of the PD-SOI Technology Jung- Suk Goo Compact Modeling & Characterization Group Microprocessor Solutions Sector, Sunnyvale, CA Advanc e d Mic r o De vic e s

761 views • 33 slides
SPICE Testbed A DTN Testbed for Satellite and Space Communications Motivation A prototype

SPICE Testbed A DTN Testbed for Satellite and Space Communications Motivation A prototype

Ioannis Komnios, Ioannis Alexiadis, Nikolaos Bezirgiannidis, Sotiris Diamantopoulos, Sotirios-Angelos Lenas, Giorgos Papastergiou and Vassilis Tsaoussidis SPICE Testbed A DTN Testbed for Satellite and Space Communications Motivation A

339 views • 16 slides
Desktop Virtualization with SPICE Gerd Hoffmann <kraxel@redhat.com> Linux Kongress, Sep 23

Desktop Virtualization with SPICE Gerd Hoffmann <kraxel@redhat.com> Linux Kongress, Sep 23

Desktop Virtualization with SPICE Gerd Hoffmann <kraxel@redhat.com> Linux Kongress, Sep 23 th 2010 1 SPICE | Gerd Hoffmann What is SPICE Virtual Desktop Infrastructure. S imple P rotocol for I ndependent C omputing E nvironments.

353 views • 13 slides
A Benchmark Suite for Formal Verification of Analog Circuits Felix Salfelder, Lars Hedrich

A Benchmark Suite for Formal Verification of Analog Circuits Felix Salfelder, Lars Hedrich

A Benchmark Suite for Formal Verification of Analog Circuits Felix Salfelder, Lars Hedrich Introduction MCNC benchmark Analog simulation Numerical challenges Big circuits ISCAS'89 benchmark Digital circuits Simulation,

269 views • 14 slides

More recommend