~ A Traffic Classification Algorithm for Intrusion Detection

Tarek Abbes Adel Bouhoula Michael Rusinowitch

ISECS SUP'COM - LORIA/INRIA-Lorraine
Rte Menzel Chaker, 30 18 Sfax 2083 Cit El Ghazala, 54602 Villers-lbs-Nancy,
Tunisia Tunisia France
[email protected] [email protected] rusi @loria.fr

Abstract detection method by electing and configuring the suitable

NIDS. The solution ensures load balancing. Besides, we
We propose in this paper a new intrusion detection can forward suspect traffic to a honeypot or undertake re-
method for supporting high speed traflc. As in jrewalls active responses by directly stopping harmful packets at the
and routers, we rely on packet classification to specialize splitting point.
the task of several Network Intrusions Detection Systems Previous works on intrusion detection proposed divid-
(NIDSs). We build several traflc classes regarding the net- ing network traffic to better support high speed connections.
work configuration and the trafJic properties. Then we con- For instance, Kruegel et al. [8] suggest a multi deployment
sider the NIDS characteristics to select for each class the of the same NIDS. Each sensor activates only some attack
suitable intrusion detection method. Our idea oJQers several scenarios whose events space will be considered to divide
advantages such as load balancing,fault tolerance and at- the traffic at a slicer engine. Charistakis et al. [7] define
tack prevention. a number of hash functions to forward each packet to only
We express our traflc classification method by means one NIDS. In our approach we classify IP pack& regard-
of traflc division rules.Then we adequately construct the ing traffic properties and network configuration. For this
paths of these rules to reduce the overlapping cases. We purpose, we introduce traffic division rules that define traf-
transform the rule paths in a prefi trie that we complete by fic classes using fields extracted from network and transport
failure links to finally get a Directed Acyclic Graph (DAG). protocols. Besides, a rule associates to each class a prior-
We believe that our classification method is useful for other ity and an action, for example dropping or forwarding the
problems such asjrewalling, routing and billing. packet. In runtime, we have to find the highest priority rule
that fits each packet.
Many classification methods have been proposed for
1 Introduction routing or filtering purposes. They process separately each
rule dimension which introduces some complexities to deal
Intrusion Detection Systems (IDS) supervise the activi- with overlapping rules. To reduce these cases, we propose
ties inside computer systems. They look for any attempt that in this paper a new approach that divides the different di-
violates enterprise security policies. Since the first intrusion mensions in a sequence of blocks (groups) of bits. Then,
detection model proposed by Denning in 1987, many meth- independently of the dimension, we favor the inspection of
ods have emerged during the last two decades. They are complete blocks (with a full mask of bits) over masked ones
mainly based on two principles, anomaly and misuse detec- (with a partial mask of bits). Thus we decrease the overlap-
tion [3]. The different methods can be applied at a host or a ping cases and we obtain a blocks prefix trie. Furthermore,
network level. We are interested in this paper by the second to ensure the completeness of the classification trie, we add
type of the deployment and we intend to benefit from the failure links to finally get a directed acyclic graph (DAG).
diversity of approaches to better detect intrusions. The remaining of the paper is structured as follows: in
However, intrusion detection is hindered by a high speed Section 2 we explain the advantages of traffic classification
traffic. In fact IDS have to accelerate their analysis in order for intrusion detection. Then, we discuss in Section 3 some
to not drop packets without any inspection. Ensuring load previous works on traffic classification for NIDS. Section 4
balancing is an interesting solution but we have to well di- details our algorithm for dividing the network traffic. Af-
vide traffic in order to specify the task of each NIDS. Our terwards, we describe in Section 5 the experimental results.
idea is to select for each traffic class the adequate intrusion Finally, we conclude the paper in Section 6.

21st International Conference on

Advanced Information Networking and Applications Workshops (AINAW'O7)
8
CGLPUTER
0-7695-2847-3107$20.00 Q 2007 IEEE SOCIETY
 2 Traffic classification benefits server. Besides, R3 and Rq show two extra forms of over-
lap, between intervals (port-dest field) and prefix bit string
The crucial problem of ever increasing high speed traffic (adr-dest field). We solve these overlaps by respectively us-
encountered by a NIDS can be tackled by classifying the ing a classification matrix and a prefix tree classifier.
traffic to distribute the analysis among several NIDSs. Oth-
ers benefits are progressively explored in this section. 3 State of the art
High speed traffic analysis: dividing the traffic consti- Classification algorithms are well investigated in many
tutes an efficient solution to supervise high rate traffic. areas. For instance, routers look for the longest IP address
The division is based on classifying packets. Then ev- prefix to redirect traffic. Ruiz-Sanchez, Biersack and Dab-
ery class will be forwarded to only one NIDS. bous [lo] give an overview about IP address lookup and
Intrusion prevention: when classifying packets, a split- compare their performance in terms of lookup speed, scal-
ter engine can stop suspected flows. Besides, it can ability and update overhead. They distinguish between the
inspect the load towards some services. In case of an search on values and the search on prefix length. Firewalls
excess in use, the splitter hushes up busy addresses. employ a different strategy. They select the first matched
rule. Gupta and McKeown release a survey on these classi-
Traffic deflection to honeypots: the analysis of intru- fication algorithms [6]. They divide existing methods into
sive activities reveals the attack origins. Consequently, four categories: basic [I 23, geometric [2, 41 , heuristic
the splitter sends suspect traffic to honeypots. [S,111and hardware [ I , 91 algorithms.
Thus packet classification is thoroughly analyzed and
Fault tolerance: the classification process discharges employed in many applications (routing, firewall filtering,
an overloaded NTDS or ignores a collapsed one, by services differentiation). In the same way, intrusion detec-
sending its traffic classes to an equivalent NIDS. tion can benefit from it for selecting for each traffic class
Detection efficiency: a traffic division allows to choose the suitable intrusion detection method. Besides intrusion
for each class the suitable intrusion detection method. detection efficiency, it ensures load balancing that was the
topic of some previous works. Indeed, Kruegel et al. [8]
Log files optimization: packet classification allows a propose a partitioning approach that supports stateful in-
separate analysis of each traffic class. Therefore we trusion detection on high speed links. They reassign the
obtain shorter and independent log files. whole attacks scenarios to different channels and employ
their events space to route frames from a number of slicers.
Consequently, packet classification offers many advan- Charistakis et al. [7] propose a two steps network traffic
tages. We present in Eq. (1) the format of a traffic division division. At the first stage, they perform a pre-filtering to
rule. The left hand side called "header" contains a set of pa- detect general attacks or eliminate empty packets. The sec-
rameters conditions to be matched by the packets. Each pa- ond step relies on some heuristics to hash particular fields
rameter parami takes its value in a domain Di, and refers from IP, TCP or UDP headers and accordingly forwards
to one field extracted from a network protocol. The right each packet to a unique NIDS.
hand side of a rule specifies the rule priority and the action
to be taken when the header part is matched.
4 Our traffic classification algorithm

R : (param1 E Dl ...p aram, E D,) + prio,act (1) We devote this section to explain our traffic classifica-
tion approach. We consider the general case where a traffic
Example 1: division rule has n dimensions, i.e. n parameters to check.
R1 : (port-dest E http-ports,adr-dest E Among them, m parameters domains are defined as inter-
httpservers) + P I , N I D S l vals while the n - m = k remaining ones take the format
R2 : (adr-src E suspednetworks) -+ P2,honeypot of prefixes of bits string. The classification proceeds in two
R3 : (port-dest E [0..1024j7adrdest E steps. First, we construct a m-dimensional matrix in order
193.54.3.0124) + P3,N I D S 3 to cluster rules according to the m parameters represented
R4 : (port-dest E {22,23,80),adrdest E as intervals (see Figure 1). Then, we build for each group of
193.54.3.0126) + P4,N I D S 4 rules gathered in every matrix cell, a directed acyclic graph
(DAG). At runtime, we use the packet content to select a cell
We give in Example 1 four traffic division rules. We from the matrix then we traverse the corresponding DAG.
notice that an overlap occurs between R1 and R2 if an ad- The final nodes of the graph store information about the
dress from the suspect network emits a request to a web suitable action to apply on the packet.

21st InternationalConference on
Advanced Information Networkingand Applications Workshops (AINAW107) C~MPUTER
0-7695-2847-3107 $20.00 O 2007 IEEE SOCIETY
 2. mask is the number of leftmostfied bits.
DAG

We distinguish between two types of block patterns:

1. Masked block: the number of fixed bits to 0 or 1 is less
than the block size.
2. Complete block: all bits are fixed to 0 or 1.
To simplify the presentation, we consider in our further
examples and figures that a block is a byte. The masked
blocks are equivalent to intervals and therefore are source of
rules overlaps. As far as we know, classification algorithms
Figure 1. Network traffic classification process separately each rule dimension. However, if two
rules intersect on one dimension (due to masked blocks),
4.1 Construction of the classification ma- they may no overlap on other dimensions, due to distinct
trix complete blocks (Figure 2, dim2). Hence, our novel idea is
to divide the dimensions into a set of blocks and to organize
them in order to favor the inspection of complete blocks
The first step is to construct a matrix that clusters candi-
over masked ones (Figure 2).
date rules according to their m parameters values. Given a
product of m intervals we associate to it the set of rules that dim1 dim2 & -
are satisfied when we take the m parameters values in these Rule 1: 1.016.' 1.2.3.4 = 1.[0..3].* 1.2.3.4
intervals respectively. Source and destination ports can be
taken among the m parameters since their domains are de- Rule 2: 1.217.' 3.* = 1.[2..3].* 3.*
fined using simple values, sets and intervals. However using
Without bytes sorting:
intervals often leads to overlaps between parameter ranges.
We solve this problem by dividing ranges into elementary
ranges.

4.2 Construction of the directed acyclic

graph
With bytes sorting:
The second step in our classification approach is to con-
struct a DAG for each cell in the matrix. This DAG repre-
sents a set of k-dimensional candidate rules whose param-
eters domains are defined using prefixes of bits string. We
frequently use this notation to express network addresses. Figure 2. Sorting complete and masked bytes
In the following, we present the needed datastructures be-
fore giving the construction and the lookup processes.
Our main idea is to reorder blocks. To keep track of their
initial positions, we introduce the datastructure i n f o .
4.2.1 Datastructures
Definition 4.2 (info) Each block occuring in the represen-
Traffic division rules employ bits string representation to tation of a rule parameter domain can be identified by a
express a set of values. For example, an IPv4 address is de- triple (pat,ord,pos) where:
fined as a 32 bits string. We define a block to be a sequence
of bits to be inspected per step. We assume that it has a con- I . pat is the pattern of the considered block.
stant length s but a variable number of fixed bits to 0 or 1.
Formally, we describe a block as follows: 2. ord is the dimension (a number between I and k) of the
rule parameter containing the block.
Definition 4.1 (block pattern) A block pattern is a couple 3. pos is the block position in the rule paramete,:
(value,mask)where
For suitably organizing the blocks we use a total order
I . value is the decimal value of the block after replacing =$ on the corresponding i n f o . In addition, we introduce the
free bits with 0. relation C to express inclusion between two i n f 0s.

21st International Conference on

Advanced Information Networking and Applications Workshops (AINAW'07) CO~PUTER
0-7695-2847-3107$20.00 O 2007 IEEE SOCIETY
 Definition 4 3 (relations 4, C) Let inf oi, i E Definition 4.7 (classificationDAG) A classiJicationgraph
{1,2) be two info datastructures. We denote by B(N,p) over the trafic division rules is a DAG with a set of
maski=infoi.pat.mask ordi=infoi.ord and posi= infoi.pos. nodes N and a labelling function p on the set of its edges,
Let Ii be the interval specijied by the block pattern that satisjes the three following conditions:
infoi.pat. Then we dejne the binary relations =$ and C as :
1. the DAG has a unique root node No (i.e without in-
infol +i n f a iff coming edges). No stores all traflc division rules in
mask2 < mask1 = 8 (= A ) or l1 candidate rule list. It refers to the verijcation posi-
not A and ordl < ord2 or tion extracted from the minimum info datastructure in
not A and ordl = ord2 and posl < p0s2 l1 candidate rules (according to 6).

i n f o l C i n f a iff 2. the jnal nodes (i.e. without outcoming edges) are of

ordl = ord2 and posl = pos2 and Il E I2 type E They indicate the highest priority rule satisjied
from the candidate rules set Cand.
A traffic division rule can be viewed as an i n f o list. In 3. Ifthere is an edgefrom a node N to a node M then N
the following we sort this list using =$ to get a rule path. has a lower verijcation position than M.
Definition 4.4 (rule path) Let r be a traflc division rule. We introduce the path of a node in the graph.
The path of r is a sequence of its infos datastructures
increasingly sorted according to +. Definition 4.8 (node path) The path of a node N is the
infos list built from the initial node No to N. Each info
We shall organize the rules paths in a prefix trie in or- element is computed from the verijcation position of an
der to factor common i n f o datastructures of several rules. intermediate node and the label of its -outputedge.
A node in the trie refers to a unique verification position.
We mean by verification position the next location in the We notice that the nodes and rules paths are represented
packet where we check whether the data content matches by means of info lists. To compare them, we extend the total
one of the rules block patterns. Formally, we represent a order =$ initially defined on i n f o to handle i n f o list.
node datastructure as follows:
Definition 4.9 (relation +,) Let listl and list2 two info
Definition 4.5 (node) A node is a 4-tuple (Type, Dim, lists then:
Rec, Cand) where:
1. The operator 4, is dejned recursively by:
1. Type has a value C, M or E It indicates whether the
next blocks to be checked at the veriJication position 1.1 [ ] 4, (inf ol :: listl)
are complet (type C) or masked (type M). Otherwise 1.2 (infol :: listl) 4, (inf :: list2) iff inf ol <
the node is of type K inf 02 or (inf 01 = inf oz and listl 4, list2),
2. Dim is the dimension (i-e. the parameter to be exam- 2. listz is a prefi of listl z f f for each element i n f %
ined). in list2, there is an element infol in listl such that
inf ol = inf 0 2 .
3. R e c is a linear array indexed by the dimension (hence
from 1 to k) and storingfor each dimension the number 3. list2 is a subsequence of listl iff for each element
of already checked blocks positions. inf % in list2, there is an element inf ol in listl such
that inf ol C inf 0 2 .
4. Cand=(11,12)is a set of candidate rules decomposed
into two lists l1 and 12 to be explained latec Using the path node, we differentiate in each node be-
tween two types of candidate rules, primary and secondary
We denote by N the set of nodes. We define in the fol-
rules that we save respectively in l1 and 12.
lowing the edge label datastructure.
Definition 4.10 (primary and secondary rule) Let N be a
Definition 4.6 (edge label) Let s be the length of a block.
An edge label is either a couple (1-value, lmask) where node on the graph and r be a candidate rule then:
1-value E [0..28-1 - l j and lmask E [l..sj or a special 1. r is a pr&ary rule in N @the path of N is a preJix of
symbol 6 used to label a failure link. the path of r
We denote by L the set of edges labels. Then we define 2. r is a secondary rule in N i f r is not a primary rule and
the classijication graph as follows: the path of N is a subsequence of the path of c

21st InternationalConference on
Advanced Information Networkingand Applications Workshops (AINAW'07) CO~PUTER
0-7695-2847-3107 $20.00 O 2007 IEEE SOCIETY
 4.2.2 Classification DAG construction ,--..d4~-.--
dimension 1
\, {----A----
dmemsnsion 2

We construct the classification DAG in two steps. First, we Rule1 is J4asl .1 I 125 1 on 1 - I . I piority 3
start from the root node No to build recursively a prefix trie
representing only primary candidate rules paths. Then, be- 19 1 5 4 1 3 1 ' I 125 1O/6I I ' I toiDSZ;
L'riwnv 2

cause we have considered only primary rules, we have to Rule3 1 19 1 * 1 ' I . 1 1 25 1 015 1 .I . I 81DS3'
priority 1
complete the trie in the second stage.
The path of rule 1 I 19 / 25 1 4815 1 on
Prefix trie construction Thepathofrule2 119 1 5 4 1 3 125 1016 I
During the first step, we employ a recursive function he path of rule 3 la I 25 1 015
Build that takes a node and processes it to generate a trie. 121.l1.31

The Build function is initially applied to the root node No

whose fields Rec and Dim refer to the minimum verifica-
tion position extracted from the rules paths. The function
pursues the prefix trie construction until being applied to a
final node (i.e with type F). We distinguish three cases:
Applied to a complete node N (i.e. with type C),the
Build function issues new links labelled by complete
blocks extracted from primary candidate rules at the
verification position of N. Each link is oriented to-
wards a new node N'. Thus, we define the function
p ( N , N ' ) introduced in Definition 5.7. We compute Figure 3. Traffic classification DAG
for every node N' the four fields Cand= ( 11,12),
Dim,Rec and t y p e . Once achieved, we can apply
again the Build function on N'. Definition 4.11 (fail function) Let N be a node in the the.
The function fail applied on N returns a node M in the trie
Applied to a masked node N (i.e with type M), the that has the minimum path regarding d,, satisfying the fol:
Build function introduces some adjustments when lowing properties :
issuing links. Indeed, the edges are now labelled by
'
masked blocks (i.e. intervals) of primary candidate I . The M path is a subsequence of the Npath
rules (see node A in Figure 3). However, a masked
2. M is not an antecedent of N
block of a primary rule (e.g. 016 = [0..3]) can be more
general than a block of a secondary rule (e.g. 017 = 3. The M output edges are not included in the N ones
[O..l]). Thus we cannot know, when only using pri-
mary candidates rules blocks, if secondary rules are
still verified at the new node N' ([0..3]+ [O..l]). To
4.2.3 Run time search algorithm
solve this problem, we decompose a masked block of During the graph traversal, we favour edges with complete
a primary rule with respect to interleaving blocks of blocks over e labelled ones. Besides, we prioritize longer
secondary rules. mask as they refer smaller intervals. This is the natural way
to proceed since only the verification of a smaller interval
Applied to a final node N (i.e with type F), the Build (longer mask) can imply the verification of a larger interval
function assigns to N the highest priority satisfied rule. (shorter mask).
Our DAG classification method presents a linear time
complexity. Indeed, let r be a traffic division rule, R the
Prefix trie completion whole set of rules, N the total number of rules, pi the ith
The prefix trie construction is only based on primary rules. parameter of a rule, k the number of dimensions and s the
However, if we fail to fire at one node all edges labelled by block size. Besides, we use lb to compute the number I
primary rules blocks, then we have to pursue the verifica- of blocks of a parameter. Then the worse search time is
L
tion on other nodes where secondary rules become primary
ones. We will define the fail function that ensures the trie max
TER
(X(Ir.pi
i=l
lb +rnin(N,2 s ) ) ) . In addition the space
completion. For each node N, this function returns a node
M connected from N by a failure link. Thus, we transform
the trie to a graph.
complexity is in the worse case equal to I r.pi lb.
T E R i=l

21st International Conference on

Advanced Information Networking and Applications Workshops (AINAW107)
Q
C~~PUTER
0-7695-2847-3107$20.00 O 2007 IEEE SOCIETY
 5 Experimental results bits string representation we propose a novel algorithm that
divides each parameter domain into a set of complete and
We implement our traffic classifier using the C lan- masked bits blocks. The main idea is to postpone the anal-
guage. Since the classification matrix is generally sparse, ysis of masked blocks considered as intervals. As a con-
we choose to represent it as a multi-dimensional list. To sequence we construct a Direct Acyclic Graph (DAG) that
each cell, we associate a DAG to consider parameters of does not process separately each dimension but picks up
candidate traffic division rules using a bits string represen- from each dimension complete blocks.
tation. We deploy the solution on a standard laptop Pen- We are investigating on the dynamic update of the DAG.
tium IV,1500MHz, with a 512 KB cache. We use a linux The feature is very important when we supervise the NIDSs
version 2.6. Besides, we create a VLAN architecture using activities in order to detect overloaded ones. In such condi-
the vconfig utility . On each virtual interface we deploy one tions, we dynamically modify the DAG to balance traffic to
instance of Snort 2.2. equivalent NIDSs.
The main goal of our experiment is to establish the per-
formance of the traffic classifier. The rate network is defined References
as the network traffic speed. Similarly, the rate classifier is
defined as the amount of traffic handled by the classifier at a [I] E Baboescu and G. Varghese. Scalable packet classification.
given network traffic speed. We depict in Figure 4 the evo- IEEWACM Trans. Netw., 13(1):2-14,2005.
lution of the rate classifier with the rate network. Ideally, (21 M. M. Buddhikot, S. Suri, and M. Waldvogel. Space de-
we should obtain a plot with a gradient equal to 1. However composition techniques for fast layer-4 switching. In Pro-
the experiment shows that the plot tends to have a smaller ceedings of the IFIP TC6 WG6.1 & WG6.4 / IEEE Com-
gradient when the traffic exceeds 3,l Gbls. This means that Soc TC on Gigabit Networking Sixth International Work-
under our experimental context, the packet loss begins to shop on Protocols for High Speed Networks VI, pages 25-
42. Kluwer, B.V., 2000.
happen at a rate of 3,l Gbls. [3] H. Debar, M. Dacier, and A. Wespi. A revised taxonomy for
intrusion-detection systems. Annals of Telecommunications,
55(7-8):361-378,2000.
[4] A. Feldmann and S. Muthukrishnan. Tradeoffs for packet
classification. In INFOCOM (3),pages 1193-1202, march
2000.
[S] P. Gupta and N. McKeown. Packet classification using hi-
erarchical intelligent cuttings. In Proceedings Hot Intercon-
nects VII, Stanford, pages 147-160, August 1999.
[6] P. Gupta and N. McKeown. Algorithms for packet classifi-
cation. IEEE Network, vol. 15, no. 2, pp. 24-32,2001.
Figure 4. Classification performance [7] I.Charitakis, K.Anagnostakis, and E.Markatos. An ac-
tive traffic splitter architecture for intrusion detection. In
Proceedings of 11th IEEWACM International Symposium
on Modeling, Analysis and Simulation of Computer and
6 Conclusion Telecommunication Systems (MASCOTS 2003), Orlando,
pages 238-24 1, October 2003.
[8] C. Kruegel, F. Valeur, G. Vigna, and R. Kemmerer. Stateful
Packet classification has been well investigated in many Intrusion Detection for High-Speed Networks. In Proceed-
areas such as routing, firewalling and services differentia- ings of the IEEE Symposium on Research on Security and
tion. Intrusion detection systems can benefit from it in order Privacy, Oakland, CA, May 2002. IEEE Press.
to tackle the challenging problem of ever increasing high [9] T. V. Lakshman and D. Stiliadis. High-speed policy-based
speed traffic. Besides the load balancing advantage, the packet forwarding using efficient multi-dimensional range
method offers the opportunity to conduct intrusion preven- matching. In Proceedings of ACM SIGCOMM '98, pages
tion and traffic deflection to honeypot. It also ensures fault 203-214, 1998.
tolerance, detection efficiency and log files optimization. [lo] M. Ruiz-Sanchez, E. Biersack, and W. Dabbous. Survey and
In order to classify IP packets, we have introduced multi- taxonomy of ip address lookup algorithms. IEEE Network
Magazine, pages pp. &23, march/April2001.
dimensional traffic division rules. We associate to each [l 11 V. Srinivasan, S. Suri, and G. Varghese. Packet classification
rule a priority and the suitable intrusion detection method using tuple space search. In SIGCOMM, pages 135-146,
to supervise the network activity. However, overlaps be- 1999.
tween rules complicate the classification process. Hence, [12] P. F. Tsuchiya. A search algorithm for table entries with
we propose to conduct a geometric search for rules param- non-contiguous wildcarding. unpublished paper, 1991.
eters using interval representation. For parameters using a

21st International Conference on

Advanced Information Networking and Applications Workshops (AINAW'07) CO~PUTER
0-7695-2847-3107$20.00 O 2007 IEEE SOCIETY