National Repository of Grey Literature. 5 records found.
Accelerating Suricata with pattern-matching metadata
Tobolík, David ; Kekely, Lukáš (reviewer) ; Šišmiš, Lukáš (supervisor)
Suricata is a network monitoring application that inspects packets using a set of rules to detect malicious activity. One of its main detection mechanisms is pattern matching; however, it is a resource-intensive process that takes up most of the application's processing time. This thesis focuses on designing a new component to help reduce the amount of pattern matching in Suricata. The new component was implemented in an application called DPDK Prefilter, which is used to simulate specialized hardware components in software. It adds detection metadata to packets, which Suricata uses to potentially skip pattern matching if the packet was already checked and no patterns were found. The implementation utilizes DPDK for inter-process communication and data sharing, and Hyperscan was used as the pattern-matching engine. Different types of detection metadata were designed and implemented, and some of them have shown improvements in the performance of Suricata by reducing the amount of pattern matching.
Finding Weaknesses of Hyperscan
Hrabovský, Jiří ; Vojnar, Tomáš (reviewer) ; Síč, Juraj (supervisor)
This Bachelor's thesis aims to explain how the open-source regular expression matcher Hyperscan works and to provide an overview of the algorithms it uses internally. The second objective is to conduct experiments to determine how much the performance of the matcher can be affected by the scanned text. Based on the source code and articles by the authors of Hyperscan, an overview of how Hyperscan scans text for patterns is provided in chapter 3, and the implementations of NFA (Nondeterministic Finite Automata) used by Hyperscan are explained in chapter 4. How the matcher could be slowed down by input text is discussed, and an approach focusing on a specific NFA implementation used by Hyperscan is proposed. A generator using the proposed approach is able to produce, for some expressions, text that takes significantly longer to scan with Hyperscan and the given expression than normal text. The benchmark conducted showed that for some expressions the generated text caused Hyperscan to scan significantly longer. The most affected regular expression took more than 8000 times longer when scanning the generated text than the random text.
Extending the YARA language
Kender, Tomáš ; Zobal, Lukáš (reviewer) ; Regéciová, Dominika (supervisor)
This thesis deals with improvements to the YARA tool, which is used to define patterns of malware behaviour and subsequently search files for the defined properties in order to detect malware in the scanned files. It introduces new syntactic constructs of the language for writing properties, outlines a new way of searching for strings in the behavioural information generated by Cuckoo Sandbox, and evaluates the impact of the changes. In the solution we work with the lexical and syntactic rules of the language, add a new data type for dynamic arrays to YARA, and also address optimizing bytecode performance and implementing a new bytecode instruction. The output of the thesis is a product that allows malware analysts to write shorter and more readable rules for malware detection and to shorten the time needed to scan behavioural information.
Optimization of the Suricata IDS/IPS
Šišmiš, Lukáš ; Fukač, Tomáš (reviewer) ; Korček, Pavol (supervisor)
The recent rapid increase in network traffic bandwidth has brought new challenges in securing the network. It is vital to keep monitoring the traffic to reliably identify threats in the network. Systems such as IDS (intrusion detection systems) alert us about events in the analyzed traffic. Suricata, as one of the available IDS, was chosen for this thesis. The ultimate goal of the thesis is to tune the settings of the AF_PACKET capture interface to reach the best performance possible and then to suggest and implement an optimization for Suricata. The AF_PACKET results serve as a baseline for comparison with future improvements. The optimization is based on implementing a new capture interface for Suricata based on the Data Plane Development Kit (DPDK). DPDK helps to accelerate packet capture, which implies that it might improve the performance of Suricata. Results comparing AF_PACKET and DPDK performance are evaluated at the end of this master's thesis.