FlowSifter: A counting automata approach to layer 7 field extraction for deep flow inspection

Meiners, Chad R.; Norige, Eric; Liu, Alex X.; Torng, Eric

doi:10.1109/infcom.2012.6195547

Cited by 20 publications

(10 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, the flexible definitions result in overlaps between multiple app-specs, since they may be based on the same L7 protocols. Other related works identify and parse protocols separately [8,9]. In particular, they either sequentially parse each app-spec, which is obviously not scalable, or set an inaccurate prior identifier to identify the protocol first, which risks the accuracy of the whole system [7].…”

Section: Fast Kernel Spacementioning

confidence: 99%

Deep semantics inspection over big network data at wire speed

Jiang

et al. 2016

IEEE Network

View full text Add to dashboard Cite

Deep Semantics Inspection (DSI) proposed in this article reveals the semantics behind big network data on the fly. The key idea of DSI is to obtain a sketch for user behavior at wire speed, whose size is several orders of magnitude smaller than that of the raw data. Then, semantics analysis is applied to the obtained sketch. To demonstrate the use of DSI, this article also presents several practical user scenarios leveraging on the DSI system designed.

show abstract

Section: Fast Kernel Spacementioning

confidence: 99%

Deep semantics inspection over big network data at wire speed

Jiang

et al. 2016

IEEE Network

View full text Add to dashboard Cite

show abstract

“…The guard and action denote the constrains and operations on the counters. The production rules can be derived only if the guard is true, and the action will be executed simultaneously [20]. The body consists of the terminals, non-terminals, and the extraction tokens.…”

Section: Dccfg Formulationmentioning

confidence: 99%

“…CCFG extended from CFG can be translated into counting regular grammar (CRG), which can be parsed without a stack, bringing much faster speed [20]. We translate DCCFG into DCRG in a similar way.…”

Section: Dcrg Translationmentioning

confidence: 99%

“…Binpac [24] and Ultrapac [18] requires considerable efforts on specifying new protocols, thus they are preferred to serve as the intrusion detection system (IDS), where fewer protocols are involved. FlowSifter [20] eases the specification and provides higher throughput, but like Binpac and Ultrapac, it focuses on the single protocol parsing, and its scalability becomes the major concern with much more protocols. Simple extensions of these methods by introducing a prior protocol identifier or sequential processing are not valid, as demonstrated later in this paper.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Parsing application layer protocol with commodity hardware for SDN

Hong

et al. 2015

2015 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS)

View full text Add to dashboard Cite

The de facto implementation of Software Defined Networking (SDN), i.e., OpenFlow, only parses L2-L4 headers, which limits the use of SDN to employ control intelligence in application layer. In this paper, we advocate content parsing to empower SDN with finer grained control ability over traffic. Specifically, we propose a scalable content parser, called COPY, to identify and parse application layer protocols. COPY creates a distinguishable counting context free grammar (DCCFG) to specify the protocol's semantics in application layer, and translates multiple DCCFGs into one distinguishable counting automaton (DCA). DCA is generated without semantic loss from the single DCCFG, and thus provides accurate and scalable parsing ability. Our experiments show that COPY precisely identifies every packet in a labeled trace. When comparing with other six approaches on the real traces, COPY performs 4.2Gb/s and 24.7Gb/s with single-and eight-thread models, respectively, which improves 20%-860% than others, and consumes acceptable offline overhead in time and space.Expressive and distinguishable specification ( §4). We propose a distinguishable counting context free grammar (DCCFG) to specify an application by its L7 header or payload. This expressive and user-friendly grammar can distinguish multiple extracting behaviors across protocols. Our evaluations show that DCCFG can express complex protocols in the application layer within only tens of lines of code.High speed parsing structure for multiple protocols ( §5, §6). We employ a distinguishable counting automaton (DCA) to provide linear-complex parsing on the input 978-1-4673-6633-5/15/$31.00

show abstract

“…Modern IDSes/IPSes become semantics aware by parsing packet payloads to get the value for each application protocol field based on application protocol message formats. Several application protocol parsers, such as FlowSifter [25], UltraPAC [20], binpac [28], and GAPA [4], have been proposed in prior literature.…”

Section: A Motivation and Problem Statementmentioning

confidence: 99%

A semantics aware approach to automated reverse engineering unknown protocols

Wang

Yun

Shafiq

et al. 2012

2012 20th IEEE International Conference on Network Protocols (ICNP)

Self Cite

115

View full text Add to dashboard Cite

Abstract-Extracting the protocol message format specifications of unknown applications from network traces is important for a variety of applications such as application protocol parsing, vulnerability discovery, and system integration. In this paper, we propose ProDecoder, a network trace based protocol message format inference system that exploits the semantics of protocol messages without the executable code of application protocols. ProDecoder is based on the key insight that the n-grams of protocol traces exhibit highly skewed frequency distribution that can be leveraged for accurate protocol message format inference. In ProDecoder, we first discover the latent relationship among n-grams by first grouping protocol messages with the same semantics and then inferring message formats by keyword based clustering and cluster sequence alignment. We implemented and evaluated ProDecoder to infer message format specifications of SMB (a binary protocol) and SMTP (a textual protocol). Our experimental results show that ProDecoder accurately parses and infers SMB protocol with 100% precision and recall. For SMTP, ProDecoder achieves approximately 95% precision and recall.

show abstract

FlowSifter: A counting automata approach to layer 7 field extraction for deep flow inspection

Cited by 20 publications

References 16 publications

Deep semantics inspection over big network data at wire speed

Deep semantics inspection over big network data at wire speed

Parsing application layer protocol with commodity hardware for SDN

A semantics aware approach to automated reverse engineering unknown protocols

Contact Info

Product

Resources

About