Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics

Authors

  • Mark Handley
  • Vern Paxson
  • Christian Kreibich
Abstract

A fundamental problem for network intrusion detection systems is the ability of a skilled attacker to evade detection by exploiting ambiguities in the traffic stream as seen by the monitor. We discuss the viability of addressing this problem by introducing a new network forwarding element called a traffic normalizer. The normalizer sits directly in the path of traffic into a site and patches up the packet stream to eliminate potential ambiguities before the traffic is seen by the monitor, removing evasion opportunities. We examine a number of tradeoffs in designing a normalizer, emphasizing the important question of the degree to which normalizations undermine end-to-end protocol semantics. We discuss the key practical issues of “cold start” and attacks on the normalizer, and develop a methodology for systematically examining the ambiguities present in a protocol based on walking the protocol’s header. We then present norm, a publicly available user-level implementation of a normalizer that can normalize a TCP traffic stream at 100,000 pkts/sec in memory-to-memory copies, suggesting that a kernel implementation using PC hardware could keep pace with a bidirectional 100 Mbps link with sufficient headroom to weather a high-speed flooding attack of


Related papers

CS 294 - 28 Network Security - Lecture 10 - Spring 2008 NIDS Evasion

In today’s class, we cover the topic of how to deal with the evasion problem faced by a Network Intrusion Detection System (NIDS) due to the ambiguity of the monitored network traffic, with emphasis on the normalizer [4]. Given that attackers may exploit this ambiguity to avoid detection and cause misleading alarms, our ultimate goal is to remove potential ambiguities and to have NIDS and the end system pro...


Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context

In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while host-based solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the b...


Removing Ambiguities of IP Telephony Traffic Using Protocol Scrubbers

Network intrusion detection systems (NIDSs) face the serious challenge of attacks such as insertion and evasion attacks that are caused by ambiguous network traffic. Such ambiguity comes as a result of the nature of network traffic which includes protocol implementation variations and errors alongside legitimate network traffic. Moreover, attackers can intentionally introduce further ambiguitie...


Active Mapping: Resisting NIDS Evasion without Altering Traffic

A critical problem faced by a Network Intrusion Detection System (NIDS) is that of ambiguity. The NIDS cannot always determine what traffic reaches a given host nor how that host will interpret the traffic, and attackers may exploit this ambiguity to avoid detection or cause misleading alarms. We present a novel, lightweight solution, Active Mapping, which eliminates TCP/IP-based ambiguity in a...


A Hierarchical Secure Ring-Oriented Multicast Protocol over Mobile Ad Hoc Network

In this paper, we propose a novel scheme of Hierarchical Eulerian Ring-Oriented Multicast Protocol over mobile ad hoc network. It has features that concentrate on efficiency and robustness simultaneously. It is also an application-driven proposal for hazard detection. Simulation results show different levels of improvement on control traffic and end-to-end delay by comparing with tree-based and me...


Journal title:

Volume   Issue 

Pages  -

Publication date: 2001