Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
ACM Transactions on Computer Systems (TOCS)
A review of port scanning techniques
ACM SIGCOMM Computer Communication Review
Defeating TCP/IP stack fingerprinting
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
A generic proxy system for networked computer games
NetGames '02 Proceedings of the 1st workshop on Network and system support for games
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Design and Performance of the OpenBSD Stateful Packet Filter (pf)
Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference
XORP: an open platform for network research
ACM SIGCOMM Computer Communication Review
Active Mapping: Resisting NIDS Evasion without Altering Traffic
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Addressing reality: an architectural response to real-world demands on the evolving Internet
FDNA '03 Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture
Enhancing byte-level network intrusion detection signatures with context
Proceedings of the 10th ACM conference on Computer and communications security
On the performance of middleboxes
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Network traffic anomaly detection based on packet bytes
Proceedings of the 2003 ACM symposium on Applied computing
Conversation Exchange Dynamics for Real-Time Network Monitoring and Anomaly Detection
IWIA '04 Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04)
Protocol scrubbing: network security through transparent flow modification
IEEE/ACM Transactions on Networking (TON)
Shield: vulnerability-driven network filters for preventing known vulnerability exploits
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Strategies for sound internet measurement
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
On the difficulty of scalably detecting network attacks
Proceedings of the 11th ACM conference on Computer and communications security
IP covert timing channels: design and detection
Proceedings of the 11th ACM conference on Computer and communications security
An Active Splitter Architecture for Intrusion Detection and Prevention
IEEE Transactions on Dependable and Secure Computing
Mitigating denial of service attacks: a tutorial
Journal of Computer Security
Detecting evasion attacks at high speeds without reassembly
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
binpac: a yacc for writing application protocol parsers
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Protomatching network traffic for high throughput network intrusion detection
Proceedings of the 13th ACM conference on Computer and communications security
Scalable network-based buffer overflow attack detection
Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
Protecting mobile devices from TCP flooding attacks
Proceedings of first ACM/IEEE international workshop on Mobility in the evolving internet architecture
Learning DFA representations of HTTP for protecting web applications
Computer Networks: The International Journal of Computer and Telecommunications Networking
Design and implementation of netdude, a framework for packet trace manipulation
ATEC '04 Proceedings of the annual conference on USENIX Annual Technical Conference
OSDI'04 Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6
Tracking the role of adversaries in measuring unwanted traffic
SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
Robust TCP stream reassembly in the presence of adversaries
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
An architecture for generating semantics-aware signatures
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Challenging the anomaly detection paradigm: a provocative discussion
NSPW '06 Proceedings of the 2006 workshop on New security paradigms
Proceedings of the 14th ACM conference on Computer and communications security
Highly efficient techniques for network forensics
Proceedings of the 14th ACM conference on Computer and communications security
Toward undetected operating system fingerprinting
WOOT '07 Proceedings of the first USENIX workshop on Offensive Technologies
ACM Transactions on Information and System Security (TISSEC)
Design and analysis of a multipacket signature detection system
International Journal of Security and Networks
Hierarchical multi-pattern matching algorithm for network content inspection
Information Sciences: an International Journal
Deflating the big bang: fast and scalable deep packet inspection with extended finite automata
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Protecting privacy with protocol stack virtualization
Proceedings of the 7th ACM workshop on Privacy in the electronic society
Fast Signature Matching Using Extended Finite Automaton (XFA)
ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
ACM Transactions on Information and System Security (TISSEC)
TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems
IEICE - Transactions on Information and Systems
Counting bloom filters for pattern matching and anti-evasion at the wire speed
IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
SecSip: a stateful firewall for SIP-based networks
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
Multi-byte Regular Expression Matching with Speculation
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
New payload attribution methods for network forensic investigations
ACM Transactions on Information and System Security (TISSEC)
An overview of network evasion methods
Information Security Tech. Report
Proceedings of the Third European Workshop on System Security
Evaluation of the diagnostic capabilities of commercial intrusion detection systems
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Performance adaptation in real-time intrusion detection systems
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Analyzing network-aware active wardens in IPv6
IH'06 Proceedings of the 8th international conference on Information hiding
TokDoc: a self-healing web application firewall
Proceedings of the 2010 ACM Symposium on Applied Computing
Listen too closely and you may be confused
Proceedings of the 13th international conference on Security protocols
Embedding a covert channel in active network connections
GLOBECOM'09 Proceedings of the 28th IEEE conference on Global telecommunications
Protocol normalization using attribute grammars
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
CLACK: a network covert channel based on partial acknowledgment encoding
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
An approach towards anomaly based detection and profiling covert TCP/IP channels
ICICS'09 Proceedings of the 7th international conference on Information, communications and signal processing
A Framework for Large-Scale Detection of Web Site Defacements
ACM Transactions on Internet Technology (TOIT)
SANS: a scalable architecture for network intrusion prevention with stateful frontend
Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
Improving NFA-based signature matching using ordered binary decision diagrams
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
VM-based security overkill: a lament for applied systems security research
Proceedings of the 2010 workshop on New security paradigms
Proceedings of the 26th Annual Computer Security Applications Conference
The case for ubiquitous transport-level encryption
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Enhancing counting bloom filters through Huffman-coded multilayer structures
IEEE/ACM Transactions on Networking (TON)
Evaluating the transmission rate of covert timing channels in a network
Computer Networks: The International Journal of Computer and Telecommunications Networking
CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Fast, memory-efficient regular expression matching with NFA-OBDDs
Computer Networks: The International Journal of Computer and Telecommunications Networking
Low-attention forwarding for mobile network covert channels
CMS'11 Proceedings of the 12th IFIP TC 6/TC 11 international conference on Communications and multimedia security
Research challenges towards the Future Internet
Computer Communications
AC-Suffix-Tree: Buffer Free String Matching on Out-of-Sequence Packets
Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems
Is it still possible to extend TCP?
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
An asynchronous covert channel using spam
Computers & Mathematics with Applications
Intrusion detection: introduction to intrusion detection and security information management
Foundations of Security Analysis and Design III
Enhancing the accuracy of network-based intrusion detection with host-based context
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Embedding covert channels into TCP/IP
IH'05 Proceedings of the 7th international conference on Information Hiding
FLIPS: hybrid adaptive intrusion prevention
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Towards software-based signature detection for intrusion prevention on the network card
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Towards an information-theoretic framework for analyzing intrusion detection systems
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
SafeCard: a gigabit IPS on the network card
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
PET'05 Proceedings of the 5th international conference on Privacy Enhancing Technologies
Tetherway: a framework for tethering camouflage
Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
Using active intrusion detection to recover network trust
LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
How hard can it be? designing and implementing a deployable multipath TCP
NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
Deep packet inspection tools and techniques in commodity platforms: Challenges and trends
Journal of Network and Computer Applications
Cloak: a ten-fold way for reliable covert communications
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
GPP-Grep: high-speed regular expression processing engine on general purpose processors
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Systematic engineering of control protocols for covert channels
CMS'12 Proceedings of the 13th IFIP TC 6/TC 11 international conference on Communications and Multimedia Security
International Journal of Information Security and Privacy
Scap: stream-oriented network traffic capture and analysis for high-speed networks
Proceedings of the 2013 conference on Internet measurement conference
Seamless TCP mobility using lightweight MPTCP proxy
Proceedings of the 11th ACM international symposium on Mobility management and wireless access
ScrambleSuit: a polymorphic network protocol to circumvent censorship
Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society
From an IP address to a street address: using wireless signals to locate a target
WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies
PHY covert channels: can you see the idles?
NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation
A fundamental problem for network intrusion detection systems is the ability of a skilled attacker to evade detection by exploiting ambiguities in the traffic stream as seen by the monitor. We discuss the viability of addressing this problem by introducing a new network forwarding element called a traffic normalizer. The normalizer sits directly in the path of traffic into a site and patches up the packet stream to eliminate potential ambiguities before the traffic is seen by the monitor, removing evasion opportunities. We examine a number of tradeoffs in designing a normalizer, emphasizing the important question of the degree to which normalizations undermine end-to-end protocol semantics. We discuss the key practical issues of "cold start" and attacks on the normalizer, and develop a methodology for systematically examining the ambiguities present in a protocol based on walking the protocol's header. We then present norm, a publicly available user-level implementation of a normalizer that can normalize a TCP traffic stream at 100,000 pkts/sec in memory-to-memory copies, suggesting that a kernel implementation using PC hardware could keep pace with a bidirectional 100 Mbps link with sufficient headroom to weather a high-speed flooding attack of small packets.