Counting bloom filters for pattern matching and anti- evasion at the wire speed

Authors:
Gianni Antichi;Domenico Ficara;Stefano Giordano;Gregorio Procissi;Fabio Vitucci
Affiliations:
University of Pisa;University of Pisa;University of Pisa;University of Pisa;University of Pisa
Venue:
IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
Year:
2009

Citing 7
Cited 3

Summary cache: a scalable wide-area Web cache sharing protocol

Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Fast hash table lookup using extended bloom filter: an aid to network processing

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Detecting evasion attacks at high speeds without reassembly

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
An improved construction for counting bloom filters

ESA'06 Proceedings of the 14th conference on Annual European Symposium - Volume 14
Efficient and Robust TCP Stream Normalization

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Deep Packet Inspection using Parallel Bloom Filters

IEEE Micro

Enhancing counting bloom filters through Huffman-coded multilayer structures

IEEE/ACM Transactions on Networking (TON)
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

Information Sciences: an International Journal
Survey Bloom filter applications in network security: A state-of-the-art survey

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.01

Visualization

Abstract

Standard pattern-matching methods used for deep packet inspection and network security can be evaded by means of TCP and IP fragmentation. To detect such attacks, intrusion detection systems must reassemble packets before applying matching algorithms, thus requiring a large amount of memory and time to respond to the threat. In the literature, only a few efforts proposed a method to detect evasion attacks at high speed without reassembly. The aim of this article is to introduce an efficient system for anti-evasion that can be implemented in real devices. It is based on counting Bloom filters and exploits their capabilities to quickly update the string set and deal with partial signatures. In this way, the detection of attacks and almost all of the traffic processing is performed in the fast data path, thus improving the scalability of intrusion detection systems.