The space complexity of approximating the frequency moments. STOC '96 Proceedings of the twenty-eighth annual ACM symposium on Theory of computing.
The structuring of systems using upcalls. Proceedings of the tenth ACM symposium on Operating systems principles.
Bro: a system for detecting network intruders in real-time. Computer Networks: The International Journal of Computer and Telecommunications Networking.
Efficient string matching: an aid to bibliographic search. Communications of the ACM.
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications.
On the difficulty of scalably detecting network attacks. Proceedings of the 11th ACM conference on Computer and communications security.
Snort - Lightweight Intrusion Detection for Networks. LISA '99 Proceedings of the 13th USENIX conference on System administration.
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics. SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10.
Robust TCP stream reassembly in the presence of adversaries. SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14.
Towards high-performance flow-level packet processing on multi-core network processors. Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems.
Targeting spam control on middleboxes: Spam detection based on layer-3 e-mail content classification. Computer Networks: The International Journal of Computer and Telecommunications Networking.
Counting bloom filters for pattern matching and anti-evasion at the wire speed. IEEE Network: The Magazine of Global Internetworking - Special issue on recent developments in network intrusion detection.
Carousel: scalable logging for intrusion prevention systems. NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation.
Enhancing counting bloom filters through Huffman-coded multilayer structures. IEEE/ACM Transactions on Networking (TON).
AC-Suffix-Tree: Buffer Free String Matching on Out-of-Sequence Packets. Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems.
Packet-level open-digest fingerprinting for spam detection on middleboxes. International Journal of Network Management.
Dismantling intrusion prevention systems. Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication.
Dismantling intrusion prevention systems. ACM SIGCOMM Computer Communication Review - Special October issue SIGCOMM '12.
Scap: stream-oriented network traffic capture and analysis for high-speed networks. Proceedings of the 2013 conference on Internet measurement conference.
Ptacek and Newsham [14] showed how to evade signature detection at Intrusion Prevention Systems (IPS) using TCP and IP fragmentation. These attacks are implemented in tools like FragRoute, and are institutionalized in IPS product tests. The classic defense is for the IPS to reassemble TCP and IP packets, and to consistently normalize the output stream. Current IPS standards require keeping state for 1 million connections. Both the state and processing requirements of reassembly and normalization are barriers to scalability for an IPS at speeds higher than 10 Gbps. In this paper, we suggest breaking with this paradigm using an approach we call Split-Detect. We focus on the simplest form of signature, an exact string match, and start by splitting the signature into pieces. By doing so the attacker is either forced to include at least one piece completely in a packet, or to display potentially abnormal behavior (e.g., several small TCP fragments or out-of-order packets) that causes the attacker's flow to be diverted to a slow path. We prove that under certain assumptions this scheme can detect all byte-string evasions. We also show using real traces that the processing and storage requirements of this scheme can be 10% of that required by a conventional IPS, allowing reasonable-cost implementations at 20 Gbps. While the changes required by Split-Detect may be a barrier to adoption, this paper exposes the assumptions that must be changed to avoid normalization and reassembly in the fast path.
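The fast-path logic the abstract sketches, as an added Python example that is not the paper's code: the signature is cut into pieces, each TCP segment is scanned on its own for any whole piece, and a segment that arrives out of order or is too short to ever hold a whole piece diverts the flow to the slow path instead of being reassembled. The 2p-2 size threshold, the per-flow state kept, the sample signature and the segments are all assumptions constructed for illustration.

```python
import math

def split_signature(sig: bytes, k: int) -> list[bytes]:
    """Cut an exact-match signature into k pieces of (nearly) equal length."""
    p = math.ceil(len(sig) / k)
    return [sig[i:i + p] for i in range(0, len(sig), p)]

class FastPath:
    """Per-segment scan plus one next-expected-seq number per flow: no reassembly
    buffer and no normalization (an assumed design sketch, not the paper's code)."""
    def __init__(self, sig: bytes, k: int = 3):
        self.pieces = split_signature(sig, k)
        p = max(map(len, self.pieces))
        # A segment lying wholly inside the signature yet holding no complete
        # piece spans at most (p-1)+(p-1) bytes, so anything that short is the
        # "abnormal behavior" the abstract says should leave the fast path.
        self.small = 2 * p - 2
        self.next_seq: dict[tuple, int] = {}

    def process(self, flow: tuple, seq: int, payload: bytes) -> str:
        """Verdict for one TCP segment: 'alert', 'slow_path' or 'pass'."""
        if any(piece in payload for piece in self.pieces):
            return "alert"           # a whole piece fits inside this segment
        expected = self.next_seq.get(flow)
        self.next_seq[flow] = seq + len(payload)
        if expected is not None and seq != expected:
            return "slow_path"       # out-of-order, overlapping or retransmitted
        if len(payload) <= self.small:
            return "slow_path"       # too small to ever carry a whole piece
        return "pass"

def classify_flow(sig: bytes, flow: tuple, segments: list[tuple[int, bytes]]) -> str:
    """Strongest verdict over a flow's segments, each seen exactly once."""
    fp = FastPath(sig)
    seen = {fp.process(flow, seq, data) for seq, data in segments}
    return "alert" if "alert" in seen else "slow_path" if "slow_path" in seen else "pass"

# Constructed sample traffic, not taken from the paper: 15-byte signature, k=3 -> p=5.
SIG = b"/bin/sh -c evil"
FLOW = ("10.0.0.5", 40000, "10.0.0.9", 80)   # (src ip, src port, dst ip, dst port)
SCENARIOS = {
    "one_shot":   [(0, b"GET /cgi?x=/bin/sh -c evil HTTP/1.0\r\n")],
    # every boundary falls strictly inside a piece, so no segment holds a whole one
    "fragmented": [(0, b"GET /cgi?x=/bi"), (14, b"n/sh "), (19, b"-c ev"), (24, b"il HTTP/1.0\r\n")],
    "reordered":  [(0, b"GET /index.html HTTP/1.0\r\n"), (60, b"Host: example.test\r\n")],
    "benign":     [(0, b"GET /index.html HTTP/1.0\r\n"), (26, b"Host: example.test\r\n\r\n")],
}
def demo() -> dict[str, str]:
    return {name: classify_flow(SIG, FLOW, segs) for name, segs in SCENARIOS.items()}
```

The fragmented flow is the interesting case: no segment ever contains a whole piece, but the middle segments are then necessarily shorter than 2p-2 bytes, which is exactly the condition that sends the flow to the slow path.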