Automated Parser Generation for High-Speed NIDS
DESCRIPTION
Hongyu Gao, Clint Sbisa. Automated Parser Generation for High-Speed NIDS. Motivation: processing speed is a crucial concern for NIDS/NIPS, limited by the rate of parsing packets; inefficient parsing leads to slow speeds and bottlenecks. Current solutions: Binpac, a declarative language and compiler.
TRANSCRIPT
Page 1: Automated Parser Generation for High-Speed NIDS
Hongyu Gao, Clint Sbisa
Page 2: Motivation
Processing speed is a crucial concern for NIDS/NIPS
It is limited by the rate at which packets are parsed
Inefficient parsing leads to slow speeds and bottlenecks
Page 3: Current solutions
Binpac: a declarative language and compiler
Designed to simplify the task of constructing complex protocol parsers
Constructs a full parse tree
Page 4
NetShield: integrates a high-speed protocol parser to provide fast parsing
Its parsers are written by hand, which is tedious and error-prone
Page 5
A protocol parser generator
Reads the protocol specification
Outputs the parser for that specific protocol
The parser is aware of matching: it focuses on the fields that matching needs and skips unnecessary fields
Page 6: Comparison table

| Fast parsing? \ Automated parser generation? | Yes | No |
| --- | --- | --- |
| Yes | Our solution | NetShield parser |
| No | Binpac parser | |
Page 7
The parsing process should avoid recursive calls
Parse trees are not used in the parsing phase
Skip unneeded information: after parsing one field, the parser should be able to jump quickly to the next field that is actually needed
Page 8
The parser consists of three parts:
• A pair of buffer pointers
• A field table (the key data structure)
• A table pointer
Page 9
Field table: entries Field 1, Field 2, …, Field n
Metadata stored per entry: Field type, Field length, Garbage length, Next field
Page 10
Page 11
Basic approach:
• Fixed driver
• Fixed data structure
• Protocol-specific table content
Page 12
Page 13
• Determine the size of the field table
  – Start with one root node in the protocol parse tree
  – Iteratively substitute each complex field with multiple simpler fields
• Determine the FieldLength function
• Retrieve the information from the Type class
  • Type::attr_length_expr_
  • Type::attr_oneline_
  • etc.
Page 14
• Determine the GarbageLength function
  – Before compression, GarbageLength returns "0" for every field
• Compress the table
  • Look ahead over the fields that follow each entry
  • Merge the length of unused fields into the garbage length of the field that precedes them
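The design on pages 8, 9, 11, 13 and 14 (a fixed driver over a pair of buffer pointers, a field table whose entries carry field type, field length, garbage length and next field, and a compression pass that merges the length of unused fields into the garbage length of the field before them), worked through as an added C example. This is not the presenters' code: the FT_* field types, the toy record layout, the F_* indices and the sample bytes are constructed for illustration, the table is filled in by hand rather than generated from a binpac specification, and the truncation checks are an addition the slides do not cover. It also makes one caveat explicit: only unneeded fixed-size fields can be folded into garbage, while an unneeded variable-length field still has to be visited so its length prefix can be read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Field types the fixed driver understands (constructed for this example). */
enum field_type {
    FT_FIXED,   /* fixed-size field; length comes from the table */
    FT_LEN8,    /* 1-byte length prefix, then that many bytes */
    FT_LEN16BE  /* 2-byte big-endian length prefix, then that many bytes */
};

/* One entry of the field table, the key data structure of the design. */
struct field_entry {
    enum field_type type;
    size_t length;  /* FieldLength for FT_FIXED; unused for prefixed types */
    size_t garbage; /* GarbageLength: bytes to skip after this field */
    bool needed;    /* does the matcher consume this field? */
    int next;       /* index of the next entry, or -1 at end of record */
};

/* A field handed to the matcher: table index plus a view into the buffer. */
struct extracted { int field; const uint8_t *data; size_t len; };

/* FieldLength: prefix and body size of the field at cur; false if truncated. */
static bool field_length(const struct field_entry *e, const uint8_t *cur,
                         const uint8_t *end, size_t *hdr, size_t *body)
{
    size_t avail = (size_t)(end - cur);
    switch (e->type) {
    case FT_FIXED:
        *hdr = 0; *body = e->length;
        return avail >= *body;
    case FT_LEN8:
        if (avail < 1) return false;
        *hdr = 1; *body = cur[0];
        return avail - 1 >= *body;
    case FT_LEN16BE:
        if (avail < 2) return false;
        *hdr = 2; *body = ((size_t)cur[0] << 8) | cur[1];
        return avail - 2 >= *body;
    }
    return false;
}

/* The fixed driver: a pair of buffer pointers and a table pointer, no
   recursion and no parse tree. Needed fields are emitted, the rest skipped.
   Returns the number of fields extracted, or -1 on a truncated record. */
int parse_record(const struct field_entry *table, int root,
                 const uint8_t *buf, size_t buflen,
                 struct extracted *out, size_t max_out)
{
    const uint8_t *cur = buf, *end = buf + buflen;
    int idx = root, n = 0;
    while (idx >= 0) {
        const struct field_entry *e = &table[idx];
        size_t hdr, body;
        if (!field_length(e, cur, end, &hdr, &body)) return -1;
        if (e->needed) {
            if ((size_t)n >= max_out) return -1;
            out[n].field = idx; out[n].data = cur + hdr; out[n].len = body;
            n++;
        }
        cur += hdr + body;
        if ((size_t)(end - cur) < e->garbage) return -1; /* skipped bytes must exist */
        cur += e->garbage;
        idx = e->next;
    }
    return n;
}

/* Table compression: fold runs of unneeded fixed-size fields into the
   GarbageLength of the entry before them and relink next past them.
   Unneeded variable-length fields stay, since their size is only known
   after their length prefix has been read. */
void compress_table(struct field_entry *table, int root)
{
    for (int i = root; i >= 0; i = table[i].next) {
        int j = table[i].next;
        while (j >= 0 && !table[j].needed && table[j].type == FT_FIXED) {
            table[i].garbage += table[j].length + table[j].garbage;
            j = table[j].next;
        }
        table[i].next = j;
    }
}

/* Constructed toy record layout (not a real protocol):
   [magic:2][version:1][flags:1][name: u8 len + bytes][reserved:4][payload: u16 BE len + bytes]
   Only flags, name and payload are needed by the matcher. */
enum { F_MAGIC, F_VERSION, F_FLAGS, F_NAME, F_RESERVED, F_PAYLOAD, F_COUNT };

void build_toy_table(struct field_entry *t)
{
    t[F_MAGIC]    = (struct field_entry){ FT_FIXED,   2, 0, false, F_VERSION };
    t[F_VERSION]  = (struct field_entry){ FT_FIXED,   1, 0, false, F_FLAGS };
    t[F_FLAGS]    = (struct field_entry){ FT_FIXED,   1, 0, true,  F_NAME };
    t[F_NAME]     = (struct field_entry){ FT_LEN8,    0, 0, true,  F_RESERVED };
    t[F_RESERVED] = (struct field_entry){ FT_FIXED,   4, 0, false, F_PAYLOAD };
    t[F_PAYLOAD]  = (struct field_entry){ FT_LEN16BE, 0, 0, true,  -1 };
}

/* Constructed sample record in the layout above: flags 0x80, name "foo", payload DE AD. */
static const uint8_t SAMPLE[] = { 0xAB, 0xCD, 0x01, 0x80, 0x03, 'f', 'o', 'o',
                                  0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xDE, 0xAD };
```

After compress_table the six-entry table is walked in four visits per record (magic, flags, name, payload): version is folded into magic's garbage length and reserved into name's, and parse_record returns the same three fields as before. Note that the body skip and the garbage skip both advance by amounts derived from attacker-controlled bytes, which is why the driver checks each advance against the buffer end rather than trusting the length prefix; a production parser would also bound those prefixes against a protocol maximum.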
Page 15
Page 16
Page 17
Page 18
Page 19
Questions? Suggestions?