Network intrusion detection and prevention systems are vulnerable to evasion by attackers who craft ambiguous traffic to breach the defense of such systems. A normalizer is an inline network element that thwarts evasion attempts by removing ambiguities in network traffic. A particularly challenging step in normalization is the sound detection of inconsistent TCP retransmissions, wherein an attacker sends TCP segments with different payloads for the same sequence number space to present a network monitor with ambiguous analysis. Normalizers that buffer all unacknowledged data to verify the consistency of subsequent retransmissions consume inordinate amounts of memory on high-speed links. On the other hand, normalizers that buffer only the hashes of unacknowledged segments cannot verify the consistency of 20-30% of retransmissions that, according to our traces, do not align with the original transmissions. This paper presents the design of RoboNorm, a normalizer that buffers only the hashes of unacknowledged segments, and yet can detect all inconsistent retransmissions in any TCP byte stream. RoboNorm consumes 1-2 orders of magnitude less memory than normalizers that buffer all unacknowledged data, and is amenable to a high-speed implementation. RoboNorm is also robust to attacks that attempt to compromise its operation or exhaust its resources.
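The following added example (not code from the paper, and not RoboNorm's own algorithm, which this abstract does not detail) sketches the hash-only baseline described above and shows why a retransmission that does not align with the original segment boundaries cannot be verified. The class and function names, the use of SHA-256, and the trace are assumptions made for illustration, and sequence-number wraparound is ignored.

```python
import hashlib


class HashOnlyNormalizer:
    """Hypothetical baseline: one digest per unacknowledged segment, no payload bytes."""

    def __init__(self):
        self.segments = {}  # (seq, length) -> SHA-256 digest of that segment's payload
        self.acked = 0      # highest cumulative ACK seen so far

    def on_segment(self, seq, payload):
        end = seq + len(payload)
        if end <= self.acked:
            return "stale"  # already acknowledged, receiver will discard it
        key = (seq, len(payload))
        digest = hashlib.sha256(payload).digest()
        if key in self.segments:
            # Aligned retransmission: same start and length, so digests are comparable.
            return "consistent" if self.segments[key] == digest else "inconsistent"
        for (s, n) in self.segments:
            if seq < s + n and s < end:
                # Overlaps buffered data on different boundaries: the stored digest
                # covers a different byte range, so no comparison is possible.
                return "unverifiable"
        self.segments[key] = digest
        return "new"

    def on_ack(self, ack):
        # Acknowledged bytes need no further checking; release their digests.
        self.acked = max(self.acked, ack)
        self.segments = {k: v for k, v in self.segments.items() if k[0] + k[1] > self.acked}


def classify_trace(trace):
    """Run a list of ("seg", seq, payload) / ("ack", ackno) events; return segment verdicts."""
    norm = HashOnlyNormalizer()
    verdicts = []
    for event in trace:
        if event[0] == "ack":
            norm.on_ack(event[1])
        else:
            verdicts.append(norm.on_segment(event[1], event[2]))
    return verdicts


# Constructed trace (not captured traffic) for the byte stream "GET /index.html HTTP".
SAMPLE_TRACE = [
    ("seg", 1000, b"GET /index"),   # original, bytes 1000-1009
    ("seg", 1010, b".html HTTP"),   # original, bytes 1010-1019
    ("seg", 1000, b"GET /index"),   # aligned retransmission, same payload
    ("seg", 1010, b".php  HTTP"),   # aligned retransmission, different payload
    ("seg", 1005, b"index.html"),   # honest data, but straddles two original segments
    ("ack", 1020),
    ("seg", 1020, b"/1.1\r\n"),     # new data after the ACK
]
```

The fifth segment carries bytes identical to the original stream, yet the baseline can only report it as unverifiable; a normalizer in that position must either pass unverified data or drop legitimate traffic.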