Making DPI Engines Resilient to Algorithmic Complexity Attacks

Yehuda Afek, Anat Bremler-Barr, Yotam Harchol, David Hay, Yaron Koral

Research output: Contribution to journal › Article › peer-review

16 Scopus citations

Abstract

This paper starts by demonstrating the vulnerability of Deep Packet Inspection (DPI) mechanisms, which are at the core of security devices, to algorithmic complexity denial of service attacks, thus exposing a weakness in the first line of defense of enterprise networks and clouds. A system and a multi-core architecture to defend from these algorithmic complexity attacks is presented in the second part of the paper. The integration of this system with two different DPI engines is demonstrated and discussed. The vulnerability is exposed by showing how a simple low bandwidth cache-miss attack takes down the Aho-Corasick (AC) pattern matching algorithm that lies at the heart of most DPI engines. As a first step in the mitigation of the attack, we have developed a compressed variant of the AC algorithm that improves the worst case performance (under an attack). Still, under normal traffic its running time is worse than classical AC implementations. To overcome this problem, we introduce MCA2 (Multi-Core Architecture to Mitigate Complexity Attacks), which dynamically combines the classical AC algorithm with our compressed implementation, to provide a robust solution to mitigate this cache-miss attack. We demonstrate the effectiveness of our architecture by examining cache-miss algorithmic complexity attacks against DPI engines and show a goodput boost of up to 73%. Finally, we show that our architecture may be generalized to provide a principal solution to a wide variety of algorithmic complexity attacks.

Original language: American English
Article number: 7393623
Pages (from-to): 3262-3275
Number of pages: 14
Journal: IEEE/ACM Transactions on Networking
Volume: 24
Issue number: 6
DOIs
State: Published - Dec 2016

Bibliographical note

Publisher Copyright:
© 1993-2012 IEEE.

Keywords

  • Complexity attack
  • DoS
  • deep packet inspection
  • multi-core
