Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
Authors
Abstract
A fundamental problem for network intrusion detection systems is the ability of a skilled attacker to evade detection by exploiting ambiguities in the traffic stream as seen by the monitor. We discuss the viability of addressing this problem by introducing a new network forwarding element called a traffic normalizer. The normalizer sits directly in the path of traffic into a site and patches up the packet stream to eliminate potential ambiguities before the traffic is seen by the monitor, removing evasion opportunities. We examine a number of tradeoffs in designing a normalizer, emphasizing the important question of the degree to which normalizations undermine end-to-end protocol semantics. We discuss the key practical issues of “cold start” and attacks on the normalizer, and develop a methodology for systematically examining the ambiguities present in a protocol based on walking the protocol’s header. We then present norm, a publicly available user-level implementation of a normalizer that can normalize a TCP traffic stream at 100,000 pkts/sec in memory-to-memory copies, suggesting that a kernel implementation using PC hardware could keep pace with a bidirectional 100 Mbps link with sufficient headroom to weather a high-speed flooding attack of
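As an added example (not the paper's norm implementation), the following Python sketch shows the core normalization idea for one TCP ambiguity: when a retransmitted segment overlaps bytes already forwarded but carries different content, the normalizer rewrites it so the monitor and the end host see the same stream. The first-seen-wins policy, the unbounded per-connection state, the `inconsistent` counter and the constructed sequence numbers and payloads are all assumptions of this example.

```python
# Added example (not the paper's norm): minimal in-memory TCP payload
# normalizer that resolves inconsistent retransmissions with one fixed policy
# (first-seen bytes win, an assumption here), so monitor and end host see the
# same stream. State eviction (cold start, state-holding attacks) is omitted.
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int      # sequence number of the first payload byte (constructed)
    data: bytes


@dataclass
class StreamNormalizer:
    seen: dict = field(default_factory=dict)  # absolute seq -> forwarded byte
    inconsistent: int = 0                     # bytes rewritten so far

    def normalize(self, seg: Segment) -> Segment:
        """Return the segment as it should be forwarded downstream."""
        out = bytearray(seg.data)
        for i, b in enumerate(seg.data):
            s = seg.seq + i
            if s not in self.seen:
                self.seen[s] = b          # first sighting: remember and pass on
            elif self.seen[s] != b:
                # Retransmission disagrees with bytes already forwarded:
                # rewrite so no ambiguity reaches the host, and count it
                # as a signal worth reporting to the monitor.
                self.inconsistent += 1
                out[i] = self.seen[s]
        return Segment(seg.seq, bytes(out))

    def reassemble(self, start: int) -> bytes:
        """Contiguous forwarded bytes from `start` (what the host sees)."""
        out, s = bytearray(), start
        while s in self.seen:
            out.append(self.seen[s])
            s += 1
        return bytes(out)


if __name__ == "__main__":
    # Constructed traffic: retransmission whose overlap carries other bytes.
    n = StreamNormalizer()
    n.normalize(Segment(100, b"abcdef"))
    fwd = n.normalize(Segment(103, b"XYZgh"))
    print(fwd.data, n.inconsistent, n.reassemble(100))
```

The rewrite is exactly the kind of end-to-end semantic change the abstract discusses: the host never learns that the sender retransmitted different data, so a normalizer must weigh which ambiguities it resolves against what it hides.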
Related references
CS 294 - 28 Network Security - Lecture 10 - Spring 2008 NIDS Evasion
In today’s class, we cover the topic of how to deal with the evasion problem faced by a Network Intrusion Detection System (NIDS) due to the ambiguity of the monitored network traffic, with emphasis on the normalizer [4]. Given that attackers may exploit this ambiguity to avoid detection and cause misleading alarms, our ultimate goal is to remove potential ambiguities and to have NIDS and the end system pro...
Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context
In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while host-based solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the b...
Removing Ambiguities of IP Telephony Traffic Using Protocol Scrubbers
Network intrusion detection systems (NIDSs) face the serious challenge of attacks such as insertion and evasion attacks that are caused by ambiguous network traffic. Such ambiguity comes as a result of the nature of network traffic which includes protocol implementation variations and errors alongside legitimate network traffic. Moreover, attackers can intentionally introduce further ambiguitie...
Active Mapping: Resisting NIDS Evasion without Altering Traffic
A critical problem faced by a Network Intrusion Detection System (NIDS) is that of ambiguity. The NIDS cannot always determine what traffic reaches a given host nor how that host will interpret the traffic, and attackers may exploit this ambiguity to avoid detection or cause misleading alarms. We present a novel, lightweight solution, Active Mapping, which eliminates TCP/IP-based ambiguity in a...
A Hierarchical Secure Ring-Oriented Multicast Protocol over Mobile Ad Hoc Network
In this paper, we propose a novel scheme, the Hierarchical Eulerian Ring-Oriented Multicast Protocol, over a mobile ad hoc network. Its features concentrate on efficiency and robustness simultaneously. It is also an application-driven proposal for hazard detection. Simulation results show different levels of improvement in control traffic and end-to-end delay compared with tree-based and me...