Modern Network Intrusion Detection Systems (NIDSs) maintain state that helps them accurately detect attacks. Because most NIDSs are signature-based, it is critical to update their rule-sets frequently; unfortunately, doing so can result in downtime that causes state to be lost, leading to vulnerabilities of attack misclassification. In this paper, we show that such vulnerabilities do exist and provide a way to avoid them. Using the open-source NIDS Snort, we present Elephant, an approach and implementation for updating rule-sets that provides a way to cause Snort to enter a safe quiescent point, load the new rules into memory, and remove the old rules from memory, all while preserving the state that is required to make sure that the NIDS does not miss attacks. We provide a critique and performance evaluation of our technique.
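
A toy model of the failure described in the abstract, as an added example that is not code from the paper, Snort or Elephant: a two-packet signature is missed when a rule update restarts the detector, and caught when the rules are swapped between packets with per-flow state kept. The Rule and Detector classes, rule ids, flag names, addresses and payloads are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    sid: int                        # constructed rule id
    pattern: bytes                  # substring to look for in the payload
    requires: Optional[str] = None  # flag that must already be set on the flow
    sets: Optional[str] = None      # flag to set on the flow when the rule matches
    alert: bool = False             # whether a match raises an alert

@dataclass
class Detector:
    rules: list
    flow_state: dict = field(default_factory=dict)  # flow id -> set of flags

    def process(self, flow, payload):
        """Inspect one packet and return the sids of rules that alerted."""
        flags = self.flow_state.setdefault(flow, set())
        alerts = []
        for r in self.rules:
            if r.pattern in payload and (r.requires is None or r.requires in flags):
                if r.sets:
                    flags.add(r.sets)
                if r.alert:
                    alerts.append(r.sid)
        return alerts

    def swap_rules(self, new_rules):
        """Replace the rule-set between packets (the quiescent point); keep flow state."""
        self.rules = list(new_rules)

# Constructed rule-sets: 1001 arms a flag, 1002 alerts only if that flag is set.
OLD_RULES = [Rule(1001, b"LOGIN admin", sets="admin_login"),
             Rule(1002, b"DELETE /users", requires="admin_login", alert=True)]
NEW_RULES = OLD_RULES + [Rule(1003, b"DROP TABLE", alert=True)]

# Constructed flow and packets; the update lands between the two packets.
FLOW = ("192.0.2.10", 40000, "192.0.2.20", 80)
PKT1, PKT2 = b"LOGIN admin", b"DELETE /users/7"

def update_by_restart():
    d = Detector(OLD_RULES)
    d.process(FLOW, PKT1)
    d = Detector(NEW_RULES)       # restart with new rules: flow state is gone
    return d.process(FLOW, PKT2)  # second half of the signature goes unnoticed

def update_in_place():
    d = Detector(OLD_RULES)
    d.process(FLOW, PKT1)
    d.swap_rules(NEW_RULES)       # new rules loaded, per-flow flags preserved
    return d.process(FLOW, PKT2)

if __name__ == "__main__":
    print("restart:", update_by_restart(), "in-place:", update_in_place())
```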