NetShield: Matching with a Large Vulnerability Signature Ruleset for High Performance Network Defense

Accuracy and speed are the two most im-portant metrics for Network Intrusion Detection or Pre-vention Systems (NIDS/NIPSes). Due to emerging poly-morphic attacks and the fact that in many cases regu-lar expressions (regexes) cannot capture the vulnerabil-ity conditions accurately, the accuracy of existing regex-based NIDS/NIPS systems has become a serious prob-lem. In contrast, the recently-proposed vulnerability sig-natures [8, 29] (a.k.a. data patches) can exactly describethe vulnerability conditions and achieve better accuracy.However, when applying vulnerability signatures to highspeed NIDS/NIPS with a large ruleset, how to efficientlymatch them is an untouched but challenging issue. This paper presents the design of NetShield, a vulner-ability signature based NIDS/NIPS which achieves multi-gigabit throughput while offering much better accuracy.This is accomplished because of the following contribu-tions: (i) we propose a candidate selection (CS) algo-rithm which efficiently matches thousands of vulnerabil-ity signatures simultaneously requiring a small amount ofmemory; (ii) we propose a automatic lightweight pars-ing transition state machine achieving fast protocol pars-ing; (iii) we implement the NetShield prototype. Exper-imental results show that the core engine of NetShieldachieves at least 1.9+Gbps signature matching throughputon a 3.8GHz single-core PC, and can scale-up to at least11+Gbps under a 8-core CPU for 794 HTTP vulnerabilitysignatures.