1. CHARACTERIZING SIGNATURE
SETS FOR TESTING DPI
SYSTEMS
The 3rd IEEE International Workshop on
Management of Emerging Networks and
Services (IEEE MENS 2011)
Rafael Antonello, Stenio Fernandes, Djamel Sadok, Judith
Kelner
Federal University of Pernambuco - UFPE
Recife, Brazil

2. Outline
 Introduction
 Motivation
 Contribution
 Signature Set Analyzer Framework
 Experimental Results
 Concluding Remarks

3. Introduction

4. Introduction
 Deep Packet Inspection (DPI) Systems
 key component for accurate network
management
 Look inside the packet payload trying to find
application signatures
 Recognizable patterns (similar to an anti-virus
system)
 High computational requirements are
mainly due
 high number of regular expressions (RE) in
the signature sets in modern DPI

5. RegEx to FA
 analyze the DFA created for recognizing the regular
expression (regex) ^x01[x08x09][x03x04]
 Size and complexity of signatures sets can lead to
space state explosion of the FA
 It degrades performance

6. Introduction
 Challenges:
 Growing link speed
 40-100 Gbps and beyond
 Ever increasing number of Internet applications
 Research effort on optimizing DPI systems
 new packet capture methods
 Building efficient automata for representing REs
 Efficient classifiers

7. Motivation
 Performance analysis for DPI engines has been
done without a common ground
 That’s where the problem arises
 Selected signature bases present
 Different sizes. Example:
 1.8Gbps over a 268 signatures set [17]
 1.6Gbps over a 2 signatures set [7]
 Variable complexity
 For RE, dot stars (.*) and count constraints (c{n}
constructions) can generate very complex DFAs

8. Contribution…
 A framework for
 Characterizing the signature sets commonly
used to evaluate DPI systems
 An in-depth analysis of signature sets
 from well-known applications, protocols, and
intrusion detection systems
 A classification mechanism for signature
sets
 according to their size, number of sub-
patterns, and complexity

9. SSA Framework - SSAF
Sig-Set Analyzer

10. SSAF Overview

11.  Firstly
 Select representative signature sets
 Extract REs
 And then apply normalization
web-cgi.rules.pcres1 Wfrom=[^x3b&n]{100}
web-cgi.rules.pcres2 pwd=(!|%21)CRYPT(!|%21)[A-Z0-9]{512}
web-cgi.rules.pcres3 evtdumpx3f.*?x2525[^x20]*?x20HTTP
web-cgi.rules.pcres4 ShellExample.cgi?[^nr&]*x2a
web-cgi.rules.pcres5 update=[^rnx26]+
web-cgi.rules.pcres6 awstats.pl?[^rn]*configdir=x7C

13.  SSA generates:
 Number of signatures
 Signature size (avg): Average size of signatures
 Signature max size: Maximum signature size;
 Signature min size: Minimum signature size;
 DotStars .* - (count): Number of dot stars (.*) constructions;
 DotStars (avg): Average of dot stars per signature;
 Char Ranges (count): Number of character ranges ([a-d])
 Char Ranges (avg): Average number of character ranges per
signature;

14.  SSA:
 Count constraints c{n} or c{m.n} (count)
 Average number of count constraints per signature;
 Count constraints on ranges [a-d]{n}or{m,n} (count): Number of count
constraints on character ranges.
 Count constraints on ranges (avg): Average number of count constraints
on character ranges;
 OR operators | (count): Number of OR operators in a signature set;
 OR operators (avg): Average number of OR operators per signature;
 Number of sps (count): Number of sub-patterns present in a signature set;
 Number of sps (avg): Average number of sub-patterns per signature;
 Sp min length: Sub-patterns’ minimum length;
 Sp max length: Sub-patterns’ maximum length;
 Sp avg. length: Sub-patterns’ average length.

15. Logistic Function
 Normalization
 Size
 Sub-patterns
 Complexity
 x: signature set size, # of sub-patterns, complexity
metric
 y: [0-1]

16. Complexity
 x is the sum of three variables:
 the average number of count constraints on
ranges,
 the average number of count constraints, and
 the average number of dot star constructions
per signature

17. Metric Levels
Base Size Small Medium Large
Avg. Number of Sub-
Patterns
Low
Medium High
Complexity Low Moderate High
Signature Sets’ Characterization:
Based on the output of the logistic function (for normalization purposes)

18. Experimental Results

19. Signature Bases
 L7-Filter
 Bro
 Snort-Web
 Snort-ActiveX
 Snort-Spyware

20. L7-Filter
Metric Values
Number of signatures 123
Signature size (avg) 61.756096
Signature max size 438
Signature min size 6
DotStars .* - (count) 35
DotStars (avg) 0.284553
Char Ranges [a-d] (count) 265
Char Ranges (avg) 2.154472
Count constraints c{n} or c{m.n} (count) 0
Count constraints on ranges (count) 0
OR operators | (count) 150
OR operators (avg) 1.219512
Number of sps (count) 470
Number of sps (avg) 3.821138
Sp min length 1
Sp max length 46
Sp avg. length 5.859574

21. Bro
Metric Values
Number of signatures 268
Signature size (avg) 30.772388
Signature max size 211
Signature min size 1
DotStars (count) 8
DotStars (avg) 0.029851
Char Ranges (count) 0
Count constraints (count) 10
Count constraints (avg) 0.037313
Count constraints on ranges (count) 4
Count constraints on ranges (avg) 0.014925
OR operators (count) 6
OR operators (avg) 0.022388
Number of sps (count) 382
Number of sps (avg) 1.425373
Sp min length 1
Sp max length 46
Sp avg. length 4.028796

22. Snort-Web
Metric Values
Number of signatures 336
Signature size (avg) 57.327381
Signature max size 486
Signature min size 3
DotStars (count) 56
DotStars (avg) 0.166667
Char Ranges (count) 103
Char Ranges (avg) 0.306548
Count constraints (count) 233
Count constraints (avg) 0.693452
Count constraints on ranges (count) 18
Count constraints on ranges (avg) 0.053571
OR operators (count) 402
OR operators (avg) 1.196429
Number of sps (count) 1668
Number of sps (avg) 4.964286
Sp min length 1
Sp max length 64
Sp length (avg) 4.573741

23. Snort-ActiveX
Metric Values
Number of signatures 2385
Signature size (avg) 321.137115
Signature max size 867
Signature min size 34
DotStars (count) 1599
DotStars (avg) 0.67044
Char Ranges (count) 2
Char Ranges (avg) 0.000839
Count constraints (count) 0
Count constraints on ranges (count) 0
OR operators (count) 10654
OR operators (avg) 4.467086
Number of sps (count) 54981
Number of sps (avg) 23.05283
Sp min length 1
Sp max length 83
Sp avg. length 6.119805

24. Snort-Spyware
Metric Values
Number of signatures 431
Signature size (avg) 48.308586
Signature max size 324
Signature min size 12
DotStars (count) 37
DotStars (avg) 0.085847
Char Ranges (count) 18
Char Ranges (avg) 0.041763
Count constraints (count) 25
Count constraints (avg) 0.058005
Count constraints on ranges (count) 1
Count constraints on ranges (avg) 0.00232
OR operators (count) 72
OR operators (avg) 0.167053
Number of sps (count) 1315
Number of sps (avg) 3.051044
Sp min length 1
Sp max length 175
Sp length (avg) 9.01673

25. Signature Sets’ Main
Characteristics
Sig-Set Base Size Sub-Pattern number Overall Complexity
L-7 Filter Small (0.31) Medium (0.37) Moderated (0.38)
Bro Medium (0.35) Low (0.30) Low (0.22)
Snort-Web Medium (0.37) Medium (0.41) High (0.84)
Snort-ActiveX Large (0.9) High (0.9) High (0.71)
Snort-Spyware Medium (0.4) Medium (0.35) Low (0.27)

26. Concluding Remarks

27. Concluding Remarks
 Different signature sets to compare different DPI
techniques might lead to inaccurate results
 We developed a mechanism for characterizing
signature sets
 according to their size
 number of sub-patterns
 overall complexity
 By knowing the characteristics of the signature
sets (size and complexity)
 It puts DFA-based DPI engines under different stress
conditions
 It allows comparable performance analysis

28. CHARACTERIZING
SIGNATURE SETS FOR
TESTING DPI SYSTEMS