Standard pattern-matching methods used for deep packet inspection and network security can be evaded by means of TCP and IP fragmentation. To detect such attacks, intrusion detection systems must reassemble packets before applying matching algorithms, which requires a large amount of memory and time to respond to the threat. Only a few efforts in the literature have proposed methods to detect evasion attacks at high speed without reassembly. The aim of this article is to introduce an efficient anti-evasion system that can be implemented in real devices. It is based on counting Bloom filters and exploits their ability to quickly update the string set and to deal with partial signatures. In this way, the detection of attacks and almost all of the traffic processing is performed in the fast data path, thus improving the scalability of intrusion detection systems.
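The following sketch is an added example, not code from the article: it shows how a counting Bloom filter over signature pieces can flag each fragment on its own, without reassembly, and how a signature can be deleted without rebuilding the filter. The piece length, the sliding-window piece scheme, the SHA-256 double hashing, the filter size, and the sample signatures are all assumptions made for illustration.

```python
import hashlib
PIECE = 4  # assumed piece length in bytes; the page does not specify one

class CountingBloomFilter:
    def __init__(self, m=1 << 16, k=4):
        self.m, self.k = m, k
        self.counters = [0] * m  # counters, not bits, so entries can be deleted

    def _slots(self, item):
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd step: k distinct slots
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for s in self._slots(item):
            self.counters[s] += 1

    def remove(self, item):
        if item not in self:
            raise KeyError(item)
        for s in self._slots(item):
            self.counters[s] -= 1

    def __contains__(self, item):
        return all(self.counters[s] > 0 for s in self._slots(item))

def pieces(data):
    """Every PIECE-byte window of a signature or payload."""
    return [data[i:i + PIECE] for i in range(len(data) - PIECE + 1)]

def update(cbf, sig, delete=False):
    """Add or delete every piece of one signature; no filter rebuild needed."""
    for p in pieces(sig):
        (cbf.remove if delete else cbf.add)(p)

def scan_fragment(cbf, payload):
    """Check one fragment alone; payloads under PIECE bytes never match."""
    return any(p in cbf for p in pieces(payload))

# Constructed sample signatures (not real IDS rules); they share most pieces.
SIG_A, SIG_B = b"constructed-sig-alpha", b"constructed-sig-bravo"

def demo():
    cbf = CountingBloomFilter()
    for sig in (SIG_A, SIG_B):
        update(cbf, sig)
    stream = b"GET /?q=" + SIG_A + b" HTTP/1.1"  # split mid-signature below
    return [scan_fragment(cbf, f) for f in (stream[:18], stream[18:])]
```

Because pieces shared by both signatures are counted twice, deleting `SIG_A` leaves `SIG_B` fully detectable. Fragments carrying fewer than `PIECE` signature bytes are outside what this sketch covers.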