Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Junchen Jiang,Xiaofei Wang,Keqiang He,Bin Liu

DOI: https://doi.org/10.1109/icc.2010.5501748

2010-01-01

Abstract:Multi-pattern matching is a key technique for implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against predefined attack signatures written in regular expressions (regexes). To this end, Deterministic Finite Automaton (DFA) is widely used for multi-regex matching, but existing DFAbased researches have claimed high throughput at an expenses of extremely high memory cost. In this paper, we propose a parallel architecture of DFA called Parallel DFA (PDFA), using multiple flow aggregations to increase the throughput with nearly no extra memory cost. The basic idea is to selectively store the DFA in multiple memory modules which can be accessed in parallel and to explore the potential parallelism. The memory cost of our system in both the average cases and the worst cases is analyzed, optimized and evaluated by numerical results. The evaluation shows that we obtain an average speedup of about 0.5k to 0.7k where k is the number of parallel memory modules under our synthetic trace and compressed real trace in a statistical average case, compared with the traditional DFA-based matching approaches.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Yi Tang,Junchen Jiang,Xiaofei Wang,Yi Wang,Bin Liu

DOI: https://doi.org/10.1109/glocom.2010.5683142

2010-01-01

Abstract:Regular expression (Regex) becomes the standard signature language for security and application detection. Deterministic finite automata (DFAs) are widely used to perform regex matching in linear time. Previously researches mostly focus on how to compress DFA to reduce memory requirements in recent years. However, memory requirement is not the only problem caused by DFA explosion when implementation DFA matching system. In this paper, we propose a new issue in DFA matching procedure. We notice that the DFA produced from regex never considers the physical locality of logical neighbor, which results in a low cache hit rate when using cache as matching accelerator. This problem becomes severe for current increasingly complex security regex which producing huge DFA with nearly no locality in physical location. We propose to solve this problem through reordering the state number of existing DFA and further put forward two methods on reordering DFA from different viewpoints. In our algorithms, we achieve more than twice cache hit rate compared with traditional method. Moreover, our methods will not affect the existing matching system. Hence, all the cache hit rate improvement is achieved without any cost in wire speed matching.

Jie Li,Jinshu Su,Xiaofeng Wang,Hao Sun,Shuhui Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_9

2017-01-01

Abstract:Hardware-based middleboxes are ubiquitous in computer networks, which usually incur high deployment and management expenses. A recently arsing trend aims to address those problems by outsourcing the functions of traditional hardware-based middleboxes to high volume servers in a cloud. This technology is promising but still faces a few challenges. First, the widely adopted data encryption techniques contradict with payload inspection needs of some middleboxes such as DPI and IDS devices. Second, the inspection rules of middleboxes may be commercial properties, thus the middlebox providers want to keep their rules confidential under third-party cloud environments, and this creates hindrances for the cloud to perform outsourced middlebox functions. Third, performance of the outsourced middlebox is an inevitable issue that needs deliberate consideration. In this paper, we propose a cloud-based DPI middlebox implementation which performs payload inspection over encrypted traffic while preserving the privacy of both communication data and inspection rules. Our design employs a modified reversible sketch structure which is used for efficient error-free membership testing, and we utilize unkeyed one-way hash functions instead of complex cryptographic protocols to achieve the privacy preservation requirements. CloudDPI supports a wide range of real-world inspection rules, we conduct evaluations on ClamAV rule set and the experiment results demonstrate the effectiveness of our proposal.

Feilu Hang,Linjiang Xie,Zhenhong Zhang,Yuting Liu,Jian Hu

DOI: https://doi.org/10.12694/scpe.v25i4.2904

2024-06-16

Abstract:Compared with traditional computer network security identification techniques, deep learning algorithms are based on their own distributed network structure for storage, processing, classification, comparison, and automatic identification functions. The distribution and dynamism of cloud databases increase the difficulty of route prediction and recognition in the cloud, affecting the efficiency of cloud computing. In response to the above issues, the author proposes a dynamic path optimization process for cloud databases based on adaptive immune grouping polymorphic ant colony algorithm. By setting up two states of ant colony, reconnaissance ant and search ant, and introducing an adaptive polymorphic ant colony competition strategy, the defect of general ant colony algorithms being prone to falling into local optima is improved; On this basis, an artificial immune algorithm with fast global search capability is further integrated to improve the search ant path optimization process, improving search speed and accuracy. Simulation experiments show that the IPANT algorithm outperforms the other three algorithms, maintaining a throughput of 1000 kbps and relatively stable; The data of OSPF, SPF, and FR are not significantly different, significantly lower than IPANT. The immune polymorphic ant colony algorithm (IPANT) has the lowest time delay for packet routing and performs better than the other three algorithms, with FR and SPF having higher latency. It has been proven that this algorithm can better solve convergence speed and global optimization problems, and can quickly and reasonably find the database to be accessed in the cloud.

Likun Liu,Jiantao Shi,Xiangzhan Yu,Hongli Zhang,Dongyang Zhan

DOI: https://doi.org/10.32604/cmc.2020.07736

2020-01-01

Abstract:Deep Packet Inspection (DPI) at the core of many monitoring appliances, such as NIDS, NIPS, plays a major role. DPI is beneficial to content providers and censorship to monitor network traffic. However, the surge of network traffic has put tremendous pressure on the performance of DPI. In fact, the sensitive content being monitored is only a minority of network traffic, that is to say, most is undesired. A close look at the network traffic, we found that it contains many undesired high frequency content (UHC) that are not monitored. As everyone knows, the key to improve DPI performance is to skip as many useless characters as possible. Nevertheless, researchers generally study the algorithm of skipping useless characters through sensitive content, ignoring the high-frequency non-sensitive content. To fill this gap, in this literature, we design a model, named Fast AC Model with Skipping (FAMS), to quickly skip UHC while scanning traffic. The model consists of a standard AC automaton, where the input traffic is scanned byte-by-byte, and an additional sub-model, which includes a mapping set and UHC matching model. The mapping set is a bridge between the state node of AC and UHC matching model, while the latter is to select a matching function from hash and fingerprint functions. Our experiments show promising results that we achieve a throughput gain of 1.32.6 times the original throughput and 1.1-1.3 times Barr's double path method.

Junchen Jiang,Yi Tang,Bin Liu,Yang Xu,Xiaofei Wang

DOI: https://doi.org/10.1109/GLOCOM.2010.5683165

2010-01-01

Abstract:Today's file sharing networks are creating potential security problems to enterprise networks, i.e., the leakage of confidential documents. In order to prevent such leakage, we propose the Data Leakage Prevention System (DLPS) which is applied at the entrance of the enterprise network to filter out the outgoing sensitive information. The DLPS is based on a content scanning engine which defines a new type of matching problem, called longest overlap matching which also exits in many other applications as a basic problem where contents are delivered by small blocks. We study the problem by comparing it with the traditional pattern matching problem in Deep Packet Inspection (DPI) of Network Intrusion Detection Systems (NIDS) whose solutions are based on finite automata. We develop a new finite automata representation called Skip-Finite Automata (Skip-FA) which detects the packets carrying sensitive information by using default transitions to implicitly track the overlapping parts between packets' payloads and sensitive files. The simulation results shows that our system achieves a matching speed of about 10B+ per memory access for small file set (>;20KB) and 100B+ per memory access for large file set (>;2500KB). We also find that the memory consumption of Skip-FA is almost the same to that of the original files.

Hao Xu,Harry Chang,Kun Qiu,Yang Hong,Wenjun Zhu,Xiang Wang,Baoqian Li,Jin Zhao

DOI: https://doi.org/10.1109/tnsm.2024.3354985

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Deep Packet Inspection (DPI) has been one of the most significant network security techniques. It is widely used to identify and classify network traffic in various applications such as web application firewall and intrusion detection. Different from traditional packet filtering that only examines packet headers, DPI detects payloads as well by comparing them with an existing signature database. The literal matching engine, which plays a key role in DPI, is the primary determinant of the system performance. FDR, an engine that utilizes 3 SIMD operations to match 1 character with multiple literals, has been developed and is currently one of the fastest literal matching engines. However, FDR has significant performance drop-off when faced with small-scale literal rule sets, whose proportion is more than 90% in modern databases. In this paper, we designed Teddy, an engine that is highly optimized for small-scale literal rule sets. Compared with FDR, Teddy significantly improves the matching efficiency by a novel shift-or matching algorithm that can simultaneously match up to 64 characters with only 15 SIMD operations. We evaluate Teddy with real-world traffic and rule sets. Experimental results show that its performance is up to 43.07x that of Aho-corasick (AC) and 2.17x that of FDR. Teddy has been successfully integrated into Hyperscan, together with which it is widely deployed in modern popular DPI applications such as Snort and Suricata.

computer science, information systems

Yixuan Zhang,Meiting Xue,Huan Zhang,Shubiao Liu,Bei Zhao

DOI: https://doi.org/10.1587/transfun.2022eap1062

2023-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Network traffic control and classification have become increasingly dependent on deep packet inspection (DPI) approaches, which are the most precise techniques for intrusion detection and prevention. However, the increasing traffic volumes and link speed exert considerable pressure on DPI techniques to process packets with high performance in restricted available memory. To overcome this problem, we proposed dual cuckoo filter (DCF) as a data structure based on cuckoo filter (CF). The CF can be extended to the parallel mode called parallel Cuckoo Filter (PCF). The proposed data structure employs an extra hash function to obtain two potential indices of entries. The DCF magnifies the superiority of the CF with no additional memory. Moreover, it can be extended to the parallel mode, resulting in a data structure referred to as parallel Dual Cuckoo filter (PDCF). The implementation results show that using the DCF and PDCF as identification tools in a DPI system results in time improvements of up to 2% and 30% over the CF and PCF, respectively.

Zhenfang Wang,ZhiHui Lu,Jie Wu,Kang Fan

DOI: https://doi.org/10.1007/978-3-319-26979-5_9

2015-01-01

Abstract:In cloud, resources are virtualized and the software delivery way is becoming something like a \"service\" to provide end user and operator benefits including on-demand self-service, resource pooling, rapid elasticity and service metering capability. As a part of network function virtualization, firewall virtualization can greatly increase the firewall configuration flexibility for the cloud environment. In this paper, we focus on FWaaS Firewall as a Service and we design a parallel firewall system called CPFirewall Cloud Parallel Firewall System. In CPFirewall, the firewall resources are virtualized and multiple tenants can build up their own parallel firewall by renting virtual firewalls. This needs solve some challenges. We adopt a rule-splitting algorithm to build a rule anomaly set We call it Wrapset. for detecting rule anomaly. We design the rule-allocation algorithm to achieve the cloud-native features, including load balance and dynamic scale. And we also improve the system performance using Exponential Smoothing ES forecasting method. Experiment results have verified that CPFirewall has a higher efficiency than other firewall schemes and is much more suitable for the Cloud network environment.

Xiaofei Wang,Yang Xu,Junchen Jiang,Olga Ormond,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/JSYST.2013.2244791

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Deep packet inspection has become a key component in network intrusion detection systems (NIDSes), where every packet in the incoming data stream needs to be compared with patterns in an attack database, byte-by-byte, using either string matching or regular expression matching. Regular expression matching, despite its flexibility and efficiency in attack identification, brings significantly high computation and storage complexities to NIDSes, making line-rate packet processing a challenging task. In this paper, we present stride finite automata (StriFA), a novel finite automata family, to accelerate both string matching and regular expression matching. Different from conventional finite automata, which scan the entire traffic stream to locate malicious information, a StriFA only needs to scan a partial traffic stream to find suspicious information. The presented StriFA technique has been implemented in software and evaluated based on different traces. The simulation results show that the StriFA acceleration scheme offers an increased speed over traditional nondeterministic finite automaton/deterministic finite automaton, while at the same time reducing the memory requirement.

Hao Ren,Hongwei Li,Dongxiao Liu,Guowen Xu,Nan Cheng,Xuemin Shen,Xuemin Sherman Shen

DOI: https://doi.org/10.1109/tcc.2020.2991167

IF: 5.697

2020-01-01

IEEE Transactions on Cloud Computing

Abstract:With the increasing traffic volume, enterprises choose to outsource their middlebox services, such as deep packet inspection, to the cloud to acquire rich computational and communication resources. However, since the traffic is redirected to the public cloud, information leakages, such as packet payload and inspection rules, arouse privacy concerns of both middlebox owner and packet senders. To address the concerns, we propose an efficient verifiable deep packet inspection (EV-DPI) scheme with strong privacy guarantees. Specifically, a two-layer architecture is designed and deployed over two non-collusion cloud servers. The first layer fast filters out most of legitimate packets and the second layer supports exact rule matching. During the inspection, the privacy of packet payload and the confidentiality of inspection rules are well preserved. To improve the efficiency, only fast symmetric crypto-systems, such as hash functions, are used. Moreover, the proposed scheme allows the network administrator to verify the execution results, which offers a strong control of outsourced services. To validate the performance of the proposed EV-DPI scheme, we conduct extensive experiments on the Amazon Cloud. Large-scale dataset (millions of packets) is tested to obtain the key performance metrics. The experimental results demonstrate that EV-DPI not only preserves the packet privacy, but also achieves high packet inspection efficiency.

computer science, information systems, theory & methods

Yi Tang,Junchen Jiang,Xiaofei Wang,Chengchen Hu,Bin Liu,Zhijia Chen

DOI: https://doi.org/10.1587/transinf.E93.D.3232

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Multi pattern matching is a key technique for Implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against tens of thousands of predefined attack signatures written in regular expressions (regexes) To this end Deterministic Finite Automaton (DFA) is widely used for multi regex matching but existing DFA based researches have claimed high throughput at an expense of extremely high memory cost so fail to be employed in devices such as high speed routers and em bedded systems where the available memory is quite limited In this paper we propose a parallel architecture of DFA called Parallel DFA (PDFA) taking advantage of the large amount of concurrent flows to increase the throughput with nearly no extra memory cost The basic Idea is to selectively store the underlying DFA in memory modules that can be accessed in parallel To explore its potential parallelism we intensively study DFA split schemes from both state and transition points in this paper The performance of our approach in both the average cases and the worst cases is analyzed optimized and evaluated by numerical results The evaluation shows that we obtain an average speedup of 100 times compared with traditional DFA based matching approach

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/icc.2011.5963289

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content to a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to hardware or high-speed memory where memory resources are limited. In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called StriD2FA. In the instance of LBM that we realize, 10-15 speedup is reasonable while the memory is much smaller than traditional DFA.

Likun Liu,Jiantao Shi,Hongli Zhang,Xiangzhan Yu

DOI: https://doi.org/10.1109/bdcloud.2018.00113

2018-01-01

Abstract:Deep Packet Inspection (DPI) is the core of security devices, such as NIDS, NIPS, which is also an important target of the adversary. The vulnerability of DPI engine is that it relies heavily on pattern matching algorithms, which consume a lot of system resources. In order to make denial of service of DPI, the adversary leverages string repetitions to perform algorithmic complexity attacks. In this paper, we propose an attack identification method for automata and design three defensive strategies. Our attack identification method adopts a two-step threshold detection method, while defensive mechanisms include dropping, transferring and rescheduling the traffic. And the rescheduling traffic based on multi-core platform is a parallelization problem. To solve this problem, this paper proposes a traffic exchange strategy between threads, so that the attack traffic is allocated to dedicated threads. We demonstrate the effectiveness of our method by checking the packet loss rate of NIC and monitoring the utilization of CPU and memory. Upon different attack intensity, our experiments show a throughput boost of up to 11%-60% by comparing with the original system, and 4%-14% with the Level-1 threshold detection. In addition, the false negative rate under the diversified attack scenarios is lower than the original system and Level-1 threshold detection.

Fangyuan Xing,Fei Tong,Jialong Yang,Guang Cheng,Shibo He

DOI: https://doi.org/10.1109/tcc.2024.3480194

IF: 5.697

2024-01-01

IEEE Transactions on Cloud Computing

Abstract:Distributed Denial of Service (DDoS) attacks threaten cloud servers by flooding redundant requests, leading to system resource exhaustion and legitimate service shutdown. Existing DDoS attack mitigation mechanisms mainly rely on resource expansion, which may result in unexpected resource over-provisioning and accordingly increase cloud system costs. To effectively mitigate DDoS attacks without consuming extra resources, the main challenges lie in the compromise between incoming requests and available cloud resources. This paper proposes a resource-aware DDoS attack mitigation framework named RAM, where the mechanism of feedback in control theory is employed to adaptively adjust the interaction between incoming requests and available cloud resources. Specifically, two indicators including request confidence level and maximum cloud workload are designed. In terms of these two indicators, the incoming requests will be classified using proportional-integralderivative (PID) feedback control-based classification scheme with request determination adaptation. The incoming requests can be subsequently processed according to their confidence levels as well as the workload and available resources of cloud servers, which achieves an effective resource-aware mitigation of DDoS attacks. Extensive experiments have been conducted to verify the effectiveness of RAM, which demonstrate that the proposed RAM can improve the request classification performance and guarantee the quality of service.

Xiaoli Zhang,Wei Geng,Yiqiao Song,Hongbing Cheng,Ke Xu,Qi Li

DOI: https://doi.org/10.1109/tnet.2023.3282100

2024-01-01

Abstract:In the trend of network middleboxes as a service, enterprise customers adopt in-the-cloud deep packet inspection (DPI) services to protect networks. As network misconfigurations and hardware failures notoriously exist, recent efforts envision to ensure the execution integrity of DPI services in untrusted clouds. However, they either require enterprise customers to know proprietary DPI rulesets of cloud providers or introduce forbidden overhead in the network context. In the paper, we propose a privacy-preserving and lightweight verification scheme that efficiently checks whether in-the-cloud DPI services run correctly without leaking private DPI rulesets. Particularly, our design introduces one trusted third party to perform privacy-preserving and trustworthy ruleset evaluation and DPI execution verification. Meanwhile, it devises a novel DPI ruleset authentication method that enables tamper-proof DPI operations and facilitates fast proof generation. The proofs can be verified without requiring the verifier to always maintain all rulesets. To further reduce the verification costs while resisting cloud cheating behaviors like bias treatments of packets, it employs a commitment-based delayed sampling mechanism which requires the DPI services to first demonstrate that all packets have been processed before receiving sampling decisions. Moreover, extensive experiments are conducted based on Click modules. The results show that the proposed scheme is practical and only incurs the real-time overhead of 10-20 microseconds.

Junho Choi,Chang Choi,Byeongkyu Ko,Pankoo Kim

DOI: https://doi.org/10.1007/s00500-014-1250-8

IF: 3.732

2014-03-11

Soft Computing

Abstract:Cloud computing is a more advanced technology for distributed processing, e.g., a thin client and grid computing, which is implemented by means of virtualization technology for servers and storages, and advanced network functionalities. However, this technology has certain disadvantages such as monotonous routing for attacks, easy attack method, and tools. This means that all network resources and operations are blocked all at once in the worst case. Various studies such as pattern analyses and network-based access control for infringement response based on Infrastructure as a Service, Platform as a Service and Software as a Service in cloud computing services have therefore been recently conducted. This study proposes a method of integration between HTTP GET flooding among Distributed Denial-of-Service attacks and MapReduce processing for fast attack detection in a cloud computing environment. In addition, experiments on the processing time were conducted to compare the performance with a pattern detection of the attack features using Snort detection based on HTTP packet patterns and log data from a Web server. The experimental results show that the proposed method is better than Snort detection because the processing time of the former is shorter with increasing congestion.

computer science, artificial intelligence, interdisciplinary applications

Jian Li,Bin Zhang,Yabiao Wang,Ying Tai,Zhenyu Zhang,Chengjie Wang,Jilin Li,Xiaoming Huang,Yili Xia

DOI: https://doi.org/10.1145/3474085.3475372

2022-01-01

Abstract:Along with current multi-scale based detectors, Feature Aggregation and Enhancement (FAE) modules have shown superior performance gains for cutting-edge object detection. However, these hand-crafted FAE modules show inconsistent improvements on face detection, which is mainly due to the significant distribution difference between its training and applying corpus, i.e. COCO vs. WIDER Face. To tackle this problem, we essentially analyse the effect of data distribution, and consequently propose to search an effective FAE architecture, termed AutoFAE by a differentiable architecture search, which outperforms all existing FAE modules in face detection with a considerable margin. Upon the found AutoFAE and existing backbones, a supernet is further built and trained, which automatically obtains a family of detectors under the different complexity constraints. Extensive experiments conducted on popular benchmarks, i.e. WIDER Face and FDDB, demonstrate the state-of-the-art performance-efficiency trade-off for the proposed automatic and scalable face detector (ASFD) family. In particular, our strong ASFD-D6 outperforms the best competitor with AP 96.7/96.2/92.1 on WIDER Face test, and the lightweight ASFD-D0 costs about 3.1 ms, i.e. more than 320 FPS, on the V100 GPU with VGA-resolution images.