Fast Packet Classification using Condition Factorization
Alok Tongaonkar and R. Sekar
Secure Systems Lab, Department of Computer Science, Stony Brook University
iptables rules:
    -o eth3 -p tcp -d NS --dport domain -j ACCEPT
    -o eth3 -p udp -d NS --dport domain -j ACCEPT
    -o eth3 -i !eth3 -p icmp -j ACCEPT
    -o eth3 -j REJECT

Snort rules:
    alert tcp EXT any -> HOME 600 (flags: A;)
    alert icmp 255.255.255.0/24 any -> HOME any (itype: 0;)
    alert icmp 3.3.3.3/32 any -> HOME any (icmp_id: 666;)
    alert tcp HOME any -> EXT 6000 (win: 200;)

  • Packet classification automaton
    • Backtracking automaton: reexamines packet fields,
      e.g. BSD Packet Filter (BPF), Dynamic Packet Filter (DPF), PathFinder
    • Deterministic automaton: exponential size,
      e.g. Snort-NextGeneration (Snort-NG)
  • Our technique (using condition factorization)
    • polynomial size
    • near optimal matching time
  • Evaluation
    • Snort rules
      • Default Snort rules: 305 unique rules (after
        removing string matching components)
      • 10 days of packet data from MIT Lincoln Labs 1999
        intrusion detection evaluation data set
    • Automaton size
      • Snort-NG: 148151 nodes for 300 rules
      • Condition Factorization: 1026 nodes for 300 rules
    • Matching time

A. Backtracking automaton
B. Deterministic automaton
C. Condition Factorization: reorder tests, decompose complex tests, and eliminate semantically redundant tests
1. Select optimal ordering of tests to minimize size
2. Generate DAG to reduce number of states
3. Introduce non-deterministic edges
This research is supported by an ONR grant
N000140110967 and an NSF grant CCR-0208877.



http://www.seclab.cs.stonybrook.edu