Efficient Techniques for Fast Packet Classification Network Reading Group Alok Tongaonkar, R Sekar Stony Brook University Sept 16, 2008
What is Packet Classification? Packet Classification A mechanism that inspects network packets determines how to process a packet based on the values of header fields and/or the payload. Fundamental Operation Identify the rules R i that match a packet p from rules {R 1,..., R n } where R i : condition action e.g., R 1 : dhost = PLUTO && dport = HTTP && content: Bad command DENY
Applications Firewalls Identify highest priority matching rule Intrusion Detection Systems Use unordered rules Identify all matching rules Network Monitoring Packet-filtering whether a packet satisfies any of the conditions
Previous Techniques Naive technique: Berkeley Packet Filter(BPF) Match one rule at a time A test that occurs in multiple rules is tested once on behalf of each of the rules
Previous Techniques Trie-based techniques: PathFinder, Dynamic Packet Filter(DPF) Identify common prefixes and share them {F1, F2} type = IP {F1, F2} proto = T CP {F1, F2} dport = A dport = B {F1} {F2}
Previous Techniques DAG automaton: Berkeley Packet Filter(BPF+) Recognize some equivalent states Use data flow analysis to eliminate tests that are implied by other tests performed previously on the path Shost X? Shost X? T T F Dhost Y? F Dhost Y? Shost Y? F Shost Y? T T T T F Dhost X? F Dhost X? F T F T {F1} {F2} {F1} {F2}
Previous Techniques Adaptive Traversal Change order of testing to promote sharing {p1, p2, p3} {p1, p2, p3} x = a x a {p1, p2, p3} {p1, p3} y = b y = a y a && y b y = b y = a y a && y b y = b y a && y b y = a {p1} x = a {p2, p3} x a φ {p1} {p2, p3} φ {p1} {p3} φ {p2, p3} {p3}
Objective Promote Sharing of Tests Adaptive automata traversal developed in the context of term-matching Restricted to equality tests we need to support inequalities, disequalities, and bit-masking operations Several new techniques in the context of the application domain Flexibility to Support Diverse Applications Ordered (firewalls) and unordered (intrusion detection) rulesets Packet-filtering (network monitoring)
Organization of Talk
Organization of Talk Part I - Packet Field Matching Algorithm Techniques Intrusion Detection Systems Firewalls Evaluation
Organization of Talk Part I - Packet Field Matching Algorithm Techniques Intrusion Detection Systems Firewalls Evaluation Part II - Content Matching Integrating String Matching
Organization of Talk Part I - Packet Field Matching Algorithm Techniques Intrusion Detection Systems Firewalls Evaluation Part II - Content Matching Part III Integrating String Matching Related Work Summary
Techniques for Packet Classification Naive technique A test that occurs in multiple rules is tested once on behalf of each of the rules Automata-based techniques Automaton states used to remember tests Avoids repetition of tests
Deterministic Packet Classification Automaton F 1 : (icmp type = ECHO) F 2 : (icmp type = ECHO REPLY ) (ttl = 1) F 3 : (ttl = 1) icmp type = ECHO {F1, F3} {F1, F3} ttl = 1 ttl 1 ttl 1 {F1} {F2, F3} {F1, F2, F3} icmp type = ECHO REP LY ttl = 1 icmp type ECHO REP LY icmp type ECHO φ ttl 1 {F3} ttl = 1 {F3} All but one transitions labeled with test Remaining transition labeled other conjunction of negations of all tests on the rest of the transitions {F2, F3} φ
Deterministic Packet Classification Automaton F 1 : (icmp type = ECHO) F 2 : (icmp type = ECHO REPLY ) (ttl = 1) F 3 : (ttl = 1) icmp type = ECHO {F1, F3} {F1, F3} ttl = 1 ttl 1 ttl 1 {F1} {F2, F3} {F2, F3} {F1, F2, F3} icmp type = ECHO REP LY ttl = 1 icmp type ECHO REP LY icmp type ECHO φ ttl 1 φ {F3} ttl = 1 {F3} Transitions are simultaneously distinguishable All tests except other are mutually exclusive Applicable transition can be determined using a single operation O(1) expected time complexity
Deterministic Packet Classification Automaton F 1 : (icmp type = ECHO) F 2 : (icmp type = ECHO REPLY ) (ttl = 1) F 3 : (ttl = 1) icmp type = ECHO {F1, F3} ttl = 1 ttl 1 ttl 1 {F2, F3} {F1, F2, F3} icmp type = ECHO REP LY icmp type ECHO REP LY icmp type ECHO {F3} ttl = 1 Each final state S correctly identifies the match set corresponding to any packet satisfying all the tests along a path from the start state to S. {F1, F3} {F1} ttl = 1 φ ttl 1 {F3} {F2, F3} φ
Non-deterministic Packet Classification Automaton F 1 : (icmp type = ECHO) F 2 : (icmp type = ECHO REPLY ) (ttl = 1) F 3 : (ttl = 1) {F1, F2, F3} icmp type ECHO REP LY icmp type = ECHO icmp type = ECHO REP LY {F1} {F3} ttl = 1 ttl 1 {F2, F3} φ {F3} ttl = 1 ttl 1 other conjunction of negations of a subset of tests on the rest of the transitions Nondeterminism is simulated using backtracking at runtime {F2, F3} φ
Principal Design Criteria for PCA Operate in real-time on high-speed networks without dropping packets Scale to support thousands of rules typical in intrusion detection systems and firewalls Computational Issues Matching time closely related to path lengths Memory size of automata
Problem Formulation Tests Involve a variable x and one or two constants (denoted by c).
Problem Formulation Tests Involve a variable x and one or two constants (denoted by c). Equality tests x = c tcp sport = 80
Problem Formulation Tests Involve a variable x and one or two constants (denoted by c). Equality tests x = c tcp sport = 80 Equality tests with bitmasks x&c 1 = c tcp flags & 0x03 = 0x03
Problem Formulation Tests Involve a variable x and one or two constants (denoted by c). Equality tests x = c tcp sport = 80 Equality tests with bitmasks x&c 1 = c tcp flags & 0x03 = 0x03 Disequality tests x c tcp sport 80
Problem Formulation Tests Involve a variable x and one or two constants (denoted by c). Equality tests x = c tcp sport = 80 Equality tests with bitmasks x&c 1 = c tcp flags & 0x03 = 0x03 Disequality tests x c tcp sport 80 Disequality tests with bitmasks x&c 1 c tcp flags & 0x03 0x03
Problem Formulation Tests Involve a variable x and one or two constants (denoted by c). Equality tests x = c tcp sport = 80 Equality tests with bitmasks x&c 1 = c tcp flags & 0x03 = 0x03 Disequality tests x c tcp sport 80 Disequality tests with bitmasks x&c 1 c tcp flags & 0x03 0x03 Inequality tests x c or x c tcp dport 1024
Filters and Priorities A filter F is a conjunction of tests. (dport = 22) (sport 1024) (flags&0xb = 0x3) A set F of filters may be partially ordered by a priority relation. The priority of F is denoted as Pri(F).
Filters and Priorities A filter F is a conjunction of tests. (dport = 22) (sport 1024) (flags&0xb = 0x3) A set F of filters may be partially ordered by a priority relation. The priority of F is denoted as Pri(F). A filter F matches a packet p, if: the packet satisfies F, i.e., F(p) is true the packet does not satisfy any rule that has higher priority than F
Filters and Priorities A filter F is a conjunction of tests. (dport = 22) (sport 1024) (flags&0xb = 0x3) A set F of filters may be partially ordered by a priority relation. The priority of F is denoted as Pri(F). Match Set of p consists of all filters that match p, with the exception that among equal priority filters, at most one is retained.
Example of Prioritized Matching F 1 : (icmp type = ECHO) F 2 : (icmp type = ECHO REPLY ) (ttl = 1) F 3 : (ttl = 1) p 1 : icmp echo packet with ttl of 1 p 2 : icmp reply packet with ttl of 1
Example of Prioritized Matching F 1 : (icmp type = ECHO) F 2 : (icmp type = ECHO REPLY ) (ttl = 1) F 3 : (ttl = 1) p 1 : icmp echo packet with ttl of 1 p 2 : icmp reply packet with ttl of 1 Multi-matching (intrusion detection systems) set incomparable priorities M(p 1 ) = {F 1, F 3 } M(p 2 ) = {F 2, F 3 }
Example of Prioritized Matching F 1 : (icmp type = ECHO) F 2 : (icmp type = ECHO REPLY ) (ttl = 1) F 3 : (ttl = 1) p 1 : icmp echo packet with ttl of 1 p 2 : icmp reply packet with ttl of 1 Ordered matching (firewalls) assign monotonically decreasing priorities Pri(F 1 ) > Pri(F 2 ) > Pri(F 3 ) M(p 1 ) = {F 1 } M(p 2 ) = {F 2 }
Example of Prioritized Matching F 1 : (icmp type = ECHO) F 2 : (icmp type = ECHO REPLY ) (ttl = 1) F 3 : (ttl = 1) p 1 : icmp echo packet with ttl of 1 p 2 : icmp reply packet with ttl of 1 Packet-filtering (network monitoring) set equal priorities Pri(F 1 ) = Pri(F 3 ) = Pri(F 2 ) p 1 can match either F 1 or F 3 p 2 can match either F 2 or F 3
Matching Automata Construction Key New Idea Decompose and reorder tests to increase sharing of tests among rules Example F 1 : (x = 5), F 2 : (x & 0x03 1)
Matching Automata Construction Key New Idea Decompose and reorder tests to increase sharing of tests among rules Example F 1 : (x = 5), F 2 : (x & 0x03 1) {F1, F2} x = 5 x 5 {F1, F2} x & 0x03 = 1 x & 0x03 1 x & 0x03 = 1 {F2} x & 0x03 1 {F1} {F1, F2} φ {F2}
Matching Automata Construction Key New Idea Decompose and reorder tests to increase sharing of tests among rules Example F 1 : (x = 5), F 2 : (x & 0x03 1) {F1, F2} x&0x03 = 1 x & 0x03 1 {F2} x & 0xfc = 4 x & 0xfc 4 {F2} φ
Condition Factorization Decomposing filters into combination of more primitive tests Similar to factorization of integers Based on the residue operation analogous to integer division Residue We want to determine if there is a match for a filter C 1 We have so far tested a condition C 2 A residue captures the additional tests that need to be performed at this point to verify C 1
Residue Operation Definition (Residue) The residue C 1 /C 2 is another condition C 3 such that: 1 C 2 C 3 C 1 2 C 1 C 2 C 3 Examples C 1 : x [1, 20], C 2 : x [15, 25] C 1 : x [1, 20], C 2 : x = 15 C 1 : x [1, 20], C 2 : x = 35 C 1 : x [1, 20], C 2 : y = 15 C 3 : x 20 C 3 : true C 3 : false C 3 : x [1, 20]
Residue Operation Definition (Residue) The residue C 1 /C 2 is another condition C 3 such that: 1 C 2 C 3 C 1 2 C 1 C 2 C 3 Ideally C 3 would be the weakest condition such that (1) holds
Residue Operation Definition (Residue) The residue C 1 /C 2 is another condition C 3 such that: 1 C 2 C 3 C 1 2 C 1 C 2 C 3 In Practice We might not want minimal condition since Expensive to compute Inefficient to use contains many disjunctions
Residue Operation Definition (Residue) The residue C 1 /C 2 is another condition C 3 such that: 1 C 2 C 3 C 1 2 C 1 C 2 C 3 Example of Approximation C 1 : x [1, 20], C 2 : x 15 C 3 : x [1, 14] x [16, 20] C 3 : x [1, 20]
Residue Operation Definition (Residue) The residue C 1 /C 2 is another condition C 3 such that: 1 C 2 C 3 C 1 2 C 1 C 2 C 3 Need for (2) C 3 shouldn t be too strong, or else we may miss matches for C 1 C 1 : x [1, 20], C 2 : x [10, 30] C 3 : x [10, 15] C 3 satisfies (1) but not (2) Will miss match for x [1, 9] or x [16, 20]
Computing Residue on Tests T1 T2 T1/T2 Conditions T T true T T false T x = c T [x c] x = c x & c1 = c2 x & c1 = c & c1 c & c1 = c2 false c & c1 c2 x = c x & c1 c2 false c & c1 = c2 x = c x [c1, c2] false c [c1, c2] x c x & c1 = c2 x & c1 c & c1 c & c1 = c2 true c & c1 c2 x c x & c1 c2 true c & c1 = c2 x c x [c1, c2] true (c < c1) (c > c2) x [c1, c2] x [c3, c4] true c1 c3 c4 c2 x [, c2] c1 c3 c2 c4 x [c1, ] c3 c1 c4 c2 x [c1, c2] c3 c1 c2 c4 false (c2 < c3) (c4 < c1) x [c1, c2] x & c3 = c4 false c4 > c2 x & c1 = c2 x & c3 = c4 x & (c1 & c3) = (c2 & c3) c2 & c3 = c1 & c4 false otherwise x & c1 = c2 x [c3, c4] false c2 > c4 x & c1 c2 x & c3 = c4 x & (c1 & c3) (c2 & c3) c2 & c3 = c1 & c4 true otherwise x & c1 c2 x [c3, c4] true c2 > c4 T T T
Build Algorithm Recursive procedure Takes an automaton state s as its first parameter Builds the subautomaton that is rooted at s It takes two other parameters C s, the candidate set of the state s M s, the match set of s Candidate Set C s filters that haven t completed a match, but future matches can t be ruled out either. Match Set M s all filters for which a match can be announced at s.
Build Algorithm 1. procedure Build(s, C s, M s ) 2. if C s is empty 3. then match[s] = M s 4. else 5. (D, T ) = select(c s ) 6. T o = { d i D d i =true T i} 7. for each T i (T {T o }) do 8. C i = C s /T i 9. if ((T i T o ) d i ) then C i = C i C/T o endif 10. compute M si and C si from C i and M s 11. if a state s i corresponding to (C si, M si ) isn t present 12. create a new state s i 13. Build(s i, C si, M si ) 14. endif 15. create a transition from s to s i on T i 16. end 17. endif
Improving Automata Size Key Idea Pick tests which avoid duplication of filters in next states T = {x = 5, x = 6, (x 5) (x 6)} C = {x = 5, x = 6, x > 7} C = {x = 6, x > 4} {C1, C2, C3} X = 5 X = 6 X 5 X 6 X = 5 X = 6 X 5 X 6 {C1} {C2} {C3} {C2} {C1, C2} {C2}
Improving Automata Size Key Idea Pick tests which avoid duplication of filters in next states T = {x = 5, x = 6, (x 5) (x 6)} C = {x = 5, x = 6, x > 7} C = {x = 6, x > 4} Definition (Discriminating Set) A set T of conditions is said to be a discriminating set for a filter set F iff for every F F there exists at most one T T such that F belongs to the candidate set of F/T. Concept of discriminating tests is similar to the concept of index in the context of term matching.
Ensuring Polynomial-Size Automata Breadth of subautomaton rooted at s k B( C s ) = B( C si ), i=1 P(n) the desired polynomial on n that bounds the automaton size. k P( C s ) P( C si ) (1) i=1 Pick tests that satisfy the bounds Pick a test that comes closest to satisfying this constraint and make some outgoing transitions nondeterministic
Benign Nondeterminism Two filters F 1 and F 2 are said to be independent of each if they do not have a common test Build separate automaton for each independent set Match packets against each automaton non-determinism without incurring any performance penalties
Effect of Benign Nondeterminism on Automata Size Leads to dramatic reduction in automata size especially for intrusion detection systems. If F 1 and F 2 are independent, packet may match F 1, F 2, both, or neither. Number of states of automaton for F 1 is k 1, for F 2 is k 2. Number of states of automaton for F 1 F 2 is k 1 k 2. Combined number of states of independent automata for F 1 and F 2 is k 1 + k 2.
Improving Matching Time Utility How much a test goes towards checking a filter Based on notion of assigning costs to tests and filters Compare cost of a filter with combined cost of a test and the residue of a filter w.r.t the test select strategy Size reduction more important than matching time 1 Pick discriminating test when available Pick test with higher utility 2 Examine opportunities for benign-nondeterminism 3 Pick tests that satisfy polynomial bound
Measuring Matching Time Implementation-independent metric for matching time Suppose we could guess the set of rules that match a packet The match verification cost is lower bound for any algorithm that tries to identify the matching rules We use the ratio of actual matching cost to the lower bound for match verification as a metric for matching time
Experiments Setup for IDS Snort open source Comprehensive default signatures Signatures consist of packet field tests and content-matching operation Snort Next Generation (Snort-NG) matches packet fields in parallel Snort version 2 (Snort v2) tries to parallelize matching for some fields Used 1635 default rules that come with Snort combined rules with same packet field tests to get 305 rules System: 1.70Ghz pentium 4 processor, 520MB, CentOS-4.2 (Linux kernel 2.6)
Automaton Size 20000 15000 Condition Factorization Snort-NG No. of states 10000 5000 0 0 50 100 150 200 250 300 Number of Filtering Rules
Effect of Optimizations on Size No. of states 40000 35000 30000 25000 20000 15000 10000 5000 LR Tree LR DAG Adaptive Tree Adaptive DAG Adaptive DAG w/ benign non-det 0 0 50 100 150 200 250 300 Number of Filtering Rules
Matching Time Lower Bound Avg. Path Length (in terms of tests) 25 20 15 10 5 0 Adaptive Traversal Lower Bound 0 50 100 150 200 250 300 Number of Filtering Rules
Matching Time Matching Time (in s) 90 80 70 60 50 40 30 20 10 Snort 2 Snort-NG Condition Factorization 0 0 50 100 150 200 250 300 Number of Filtering Rules
Matching Time Matching Time (in s) 90 80 70 60 50 40 30 20 10 Snort 2 Snort-NG Condition Factorization 0 0 50 100 150 200 250 300 Number of Filtering Rules
Experiments Setup for Firewall Department firewall rules Firewall rules in the form of iptable rules for a Linux machine Network divided into different subnets 140 filtering rules System: 1.70Ghz pentium 4 processor, 520MB, CentOS-4.2 (Linux kernel 2.6)
Automaton Size No. of states 4000 Adaptive Traversal DAG 3500 3000 2500 2000 1500 1000 500 0 0 20 40 60 80 100 120 140 Number of Filtering Rules
Matching Time Lower Bound Avg. Path Length (in terms of tests) 14 12 10 8 6 4 2 0 Lower Bound Actual Path Length 0 20 40 60 80 100 120 140 Number of Filtering Rules
Extending Our Techniques for Content Matching Key Idea Use boolean variables corresponding to strings being matched Test boolean variables to check presence of corresponding string in payload Treat tests on these boolean variables just like tests on other packet fields F 1 : (tcp sport = 80) (content = Command complete ) F 2 : (tcp sport = 80) (content = Bad command ) (content = Bad filename ) F 3 : (tcp sport = 25) (content = Command complete )
Extending Our Techniques for Content Matching Key Idea Use boolean variables corresponding to strings being matched Test boolean variables to check presence of corresponding string in payload Treat tests on these boolean variables just like tests on other packet fields F 1 : (tcp sport = 80) (content = Command complete ) F 2 : (tcp sport = 80) (content = Bad command ) (content = Bad filename ) F 3 : (tcp sport = 25) (content = Command complete ) F 1 : C 1 (X 1 = 1) F 2 : C 2 (X 2 = 1) (X 3 = 1) F 3 : C 3 (X 1 = 1)
Interesting Questions When to Perform String Matching? Perform string matching before passing packet to packet classification automata Lazy evaluation perform string matching only when packet classification automata can not proceed How to Handle Regular Expressions? Use combined packet-field and string matching as prefilter for RE matching How can we include parts of RE in string matching to get maximize gains from prefiltering?
Related Work Left-to-right traversal based techniques PathFinder, DPF share common prefix BPF+ uses global data flow techniques to eliminate redundant tests Can not reason about semantic redundancies in presence of complex test Adaptive traversal Sekar et al, Adaptive Binary Matching [Gustafsson] Do not handle inequalities, disequalities, bit-fields Automata has exponential worst case space complexity Linears size guarded sequential automata require runtime manipulation of match sets Dynamic reordering techniques DPF, Al-Shaer et al maintain statistics regarding traffic Techniques for routers work on fixed number of fields Srinivasan et al, Lakshman et al multidimensional searching problem Woo et al, Gupta et al decision tree based techniques
Conclusion and Future Work Summary Developed a new technique for fast packet classification Flexible support diverse applications in a uniform framework Promotes sharing of tests Developed novel techniques for generating packet classification automata that Have polynomial size Virtually constant matching time Demonstrated the gains from our technique for intrusion detection systems and firewalls Future Work Complete the integration and then evaluate the combined content matching operation and packet field matching
Thank You Acknowledgement: Sreenath Vasudevan Questions?
Computing Match and Candidate Sets P s denotes the conjunction of tests on the path from the start state to s Maintain only the residuals of the original filters in C s and M s with respect to P s
Computing Match and Candidate Sets P s denotes the conjunction of tests on the path from the start state to s Maintain only the residuals of the original filters in C s and M s with respect to P s Match Set M 1 = {M F/P s (M = true)} M 2 = {M M 1 M F/P s Pri(M ) > Pri(M)} M s is obtained by considering filters with equal priorities in M 2, and deleting all but one of them.
Computing Match and Candidate Sets P s denotes the conjunction of tests on the path from the start state to s Maintain only the residuals of the original filters in C s and M s with respect to P s Candidate Set C(F, M) = {C F M M with Pri(M ) Pri(C)} C s = C(F/P s, M s )