HANDLING NETWORK INTRUSION: NORMALIZATIONS TRAFFIC TRADE-OFF, ATTACKS, AND SECURITY
Publication Date: 01/08/2010
The ability of a skilled attacker to evade detection by exploiting ambiguities in the traffic stream, as seen by the monitor, is a fundamental problem for network intrusion detection systems. The viability of addressing this problem by introducing a network forwarding element called a traffic normalizer is discussed. The normalizer sits directly in the path of traffic into a site and patches up the packet stream to eliminate potential ambiguities before the traffic is seen by the monitor, removing evasion opportunities. A number of trade-offs in designing a normalizer are examined. The key practical issues of “cold start” and attacks on the normalizer are addressed, and a methodology is developed for systematically examining the ambiguities present in a protocol, based on walking the protocol’s header. An implementation of a normalizer is presented that can normalize a TCP traffic stream in memory-to-memory copies, suggesting that a kernel implementation using PC hardware could keep pace with a bidirectional link with sufficient headroom to weather a high-speed flooding attack of packets.
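To make the ambiguity problem concrete, here is an added example (not code from the paper or its authors) covering one classic case: two TCP segments that overlap in sequence space but carry different bytes. A monitor that reassembles with a "favour old data" policy and an end host that favours new data will see two different streams, and neither is wrong per the TCP specification. The normalizer below assumes a simplified "first copy of each byte wins" policy and rewrites any later overlapping bytes to match what was already forwarded, so every downstream reassembly policy converges on the same stream. The segment contents and sequence numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments: List[Segment], favour_new: bool) -> bytes:
    """Reassemble a byte stream under one of two overlap-resolution policies.

    favour_new=False keeps the first byte seen at each position (one common
    monitor behaviour); favour_new=True lets later segments overwrite earlier
    data (another common end-host behaviour).  Gaps are simply skipped.
    """
    stream: Dict[int, int] = {}
    for seg in segments:
        for i, b in enumerate(seg.payload):
            pos = seg.seq + i
            if favour_new or pos not in stream:
                stream[pos] = b
    return bytes(stream[p] for p in sorted(stream))


@dataclass
class OverlapNormalizer:
    """Toy normalizer for one direction of one TCP connection.

    Policy (an assumption for this example): the first copy of any byte that
    passes through is authoritative.  A later segment that overlaps already
    forwarded sequence space is rewritten so its overlapping bytes agree with
    what was forwarded before.  Note that `seen` grows with every byte of the
    connection; a production normalizer must bound this state, which is the
    kind of resource pressure "attacks on the normalizer" target.
    """
    seen: Dict[int, int] = field(default_factory=dict)
    rewritten: int = 0   # number of segments whose bytes had to be changed

    def normalize(self, seg: Segment) -> Segment:
        out = bytearray(seg.payload)
        changed = False
        for i, b in enumerate(seg.payload):
            pos = seg.seq + i
            prev = self.seen.setdefault(pos, b)   # first copy wins
            if prev != b:
                out[i] = prev                     # rewrite to the forwarded copy
                changed = True
        if changed:
            self.rewritten += 1
        return Segment(seg.seq, bytes(out))


# Constructed sample: the second segment overlaps bytes 1006..1010 of the first
# with different content, which is exactly the ambiguity a monitor cannot
# resolve on its own.
SAMPLE_SEGMENTS = [
    Segment(seq=1000, payload=b"hello world"),
    Segment(seq=1006, payload=b"there"),
]


def demo(segments: List[Segment] = SAMPLE_SEGMENTS) -> dict:
    """Show the two reassembly views before and after normalization."""
    before_old = reassemble(segments, favour_new=False)
    before_new = reassemble(segments, favour_new=True)
    norm = OverlapNormalizer()
    cleaned = [norm.normalize(s) for s in segments]
    return {
        "monitor_view_before": before_old,   # favour-old policy
        "host_view_before": before_new,      # favour-new policy
        "monitor_view_after": reassemble(cleaned, favour_new=False),
        "host_view_after": reassemble(cleaned, favour_new=True),
        "segments_rewritten": norm.rewritten,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Before normalization the favour-old and favour-new views differ (`b"hello world"` versus `b"hello there"`); after the normalizer has rewritten the overlapping segment, both policies yield `b"hello world"`, so the monitor's view and the end host's view can no longer diverge on this stream.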