TY - GEN
T1 - Tearing down the face of algorithmic complexity attacks for DPI Engines
AU - Liu, Likun
AU - Shi, Jiantao
AU - Zhang, Hongli
AU - Yu, Xiangzhan
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/2
Y1 - 2018/7/2
N2 - Deep Packet Inspection (DPI) is the core of security devices such as NIDS and NIPS, and is therefore an important target for adversaries. The weakness of a DPI engine is its heavy reliance on pattern matching algorithms, which consume a large amount of system resources. To cause denial of service in DPI, an adversary uses string repetitions to mount algorithmic complexity attacks. In this paper, we propose an attack identification method for automata and design three defensive strategies. The attack identification method adopts a two-step threshold detection approach, while the defensive mechanisms include dropping, transferring and rescheduling the traffic. Rescheduling traffic on a multi-core platform is a parallelization problem; to solve it, this paper proposes a traffic exchange strategy between threads, so that attack traffic is allocated to dedicated threads. We demonstrate the effectiveness of our method by measuring the packet loss rate of the NIC and monitoring CPU and memory utilization. Under different attack intensities, our experiments show a throughput gain of up to 11%-60% compared with the original system and of 4%-14% compared with Level-1 threshold detection. In addition, the false negative rate under diversified attack scenarios is lower than that of the original system and of Level-1 threshold detection.
KW - Algorithmic complexity attack
KW - DDoS
KW - Deep packet inspection
KW - Task scheduling
UR - https://www.scopus.com/pages/publications/85063885456
U2 - 10.1109/BDCloud.2018.00113
DO - 10.1109/BDCloud.2018.00113
M3 - Conference contribution
AN - SCOPUS:85063885456
T3 - Proceedings - 16th IEEE International Symposium on Parallel and Distributed Processing with Applications, 17th IEEE International Conference on Ubiquitous Computing and Communications, 8th IEEE International Conference on Big Data and Cloud Computing, 11th IEEE International Conference on Social Computing and Networking and 8th IEEE International Conference on Sustainable Computing and Communications, ISPA/IUCC/BDCloud/SocialCom/SustainCom 2018
SP - 751
EP - 758
BT - Proceedings - 16th IEEE International Symposium on Parallel and Distributed Processing with Applications, 17th IEEE International Conference on Ubiquitous Computing and Communications, 8th IEEE International Conference on Big Data and Cloud Computing, 11th IEEE International Conference on Social Computing and Networking and 8th IEEE International Conference on Sustainable Computing and Communications, ISPA/IUCC/BDCloud/SocialCom/SustainCom 2018
A2 - Chen, Jinjun
A2 - Yang, Laurence T.
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 16th IEEE International Symposium on Parallel and Distributed Processing with Applications, 17th IEEE International Conference on Ubiquitous Computing and Communications, 8th IEEE International Conference on Big Data and Cloud Computing, 11th IEEE International Conference on Social Computing and Networking and 8th IEEE International Conference on Sustainable Computing and Communications, ISPA/IUCC/BDCloud/SocialCom/SustainCom 2018
Y2 - 11 December 2018 through 13 December 2018
ER -