SafeCard: a gigabit IPS on the network card

Authors:
Willem de Bruijn;Asia Slowinska;Kees van Reeuwijk;Tomas Hruby;Li Xu;Herbert Bos
Affiliations:
Vrije Universiteit, Amsterdam;Vrije Universiteit, Amsterdam;Vrije Universiteit, Amsterdam;Vrije Universiteit, Amsterdam;Universiteit van Amsterdam;Vrije Universiteit, Amsterdam
Venue:
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Year:
2006

Citing 25
Cited 10

Foundations of computer science

Foundations of computer science
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Implementing a distributed firewall

Proceedings of the 7th ACM conference on Computer and communications security
CCured: type-safe retrofitting of legacy code

POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
NFAs with Tagged Transitions, their Conversion to Deterministic Automata and Application to Regular Expressions

SPIRE '00 Proceedings of the Seventh International Symposium on String Processing Information Retrieval (SPIRE'00)
Randomized instruction set emulation to disrupt binary code injection attacks

Proceedings of the 10th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Vigilante: end-to-end containment of internet worms

Proceedings of the twentieth ACM symposium on Operating systems principles
Fast and automated generation of attack signatures: a basis for building self-protecting servers

Proceedings of the 12th ACM conference on Computer and communications security
Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation

Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
FFPF: fairly fast packet filters

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
FormatGuard: automatic protection from printf format string vulnerabilities

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Detecting format string vulnerabilities with type qualifiers

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
PointguardTM: protecting pointers from buffer overflow vulnerabilities

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Address obfuscation: an efficient approach to combat a board range of memory error exploits

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Improving host security with system call policies

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Towards software-based signature detection for intrusion prevention on the network card

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Polymorphic worm detection using structural information of executables

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
FPL-3: towards language support for distributed packet processing

NETWORKING'05 Proceedings of the 4th IFIP-TC6 international conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communication Systems

SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots

Computer Networks: The International Journal of Computer and Telecommunications Networking
Ruler: high-speed packet matching and rewriting on NPUs

Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
Eudaemon: involuntary and on-demand emulation against zero-day exploits

Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Gnort: High Performance Network Intrusion Detection Using Graphics Processors

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
High-Speed Matching of Vulnerability Signatures

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Performance Improvement by Means of Collaboration between Network Intrusion Detection Systems

CNSR '09 Proceedings of the 2009 Seventh Annual Communication Networks and Services Research Conference
Improving the accuracy of network intrusion detection systems under load using selective packet discarding

Proceedings of the Third European Workshop on System Security
GrAVity: a massively parallel antivirus engine

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Application-Tailored I/O with Streamline

ACM Transactions on Computer Systems (TOCS)
We need to talk about NICs

HotOS'13 Proceedings of the 14th USENIX conference on Hot Topics in Operating Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Current intrusion detection systems have a narrow scope. They target flow aggregates, reconstructed TCP streams, individual packets or application-level data fields, but no existing solution is capable of handling all of the above. Moreover, most systems that perform payload inspection on entire TCP streams are unable to handle gigabit link rates. We argue that network-based intrusion detection systems should consider all levels of abstraction in communication (packets, streams, layer-7 data units, and aggregates) if they are to handle gigabit link rates in the face of complex application-level attacks such as those that use evasion techniques or polymorphism. For this purpose, we developed a framework for network-based intrusion prevention at the network edge that is able to cope with all levels of abstraction and can be easily extended with new techniques. We validate our approach by making available a practical system, SafeCard, capable of reconstructing and scanning TCP streams at gigabit rates while preventing polymorphic buffer-overflow attacks, using (up to) layer-7 checks. Such performance makes it applicable in-line as an intrusion prevention system. SafeCard merges multiple solutions, some new and some known. We made specific contributions in the implementation of deep-packet inspection at high speeds and in detecting and filtering polymorphic buffer overflows.