Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics

Publisher: ICIR (The ICSI Center for Internet Research)
Format: HTML
Date added: 22 May 2001
Topics: Anti-Hacking, Network Security

A fundamental problem for network intrusion detection systems is the ability of a skilled attacker to evade detection by exploiting ambiguities in the traffic stream as seen by the monitor. We discuss the viability of addressing this problem by introducing a new network forwarding element called a traffic normalizer. The normalizer sits directly in the path of traffic into a site and patches up the packet stream to eliminate potential ambiguities before the traffic is seen by the monitor, removing evasion opportunities. We examine a number of tradeoffs in designing a normalizer, emphasizing the important question of the degree to which normalizations undermine end-to-end protocol semantics. We discuss the key practical issues of "cold start" and attacks on the normalizer, and develop a methodology for systematically examining the ambiguities present in a protocol based on walking the protocol's header. We then present norm, a publicly available user-level implementation of a normalizer that can normalize a TCP traffic stream at 100,000 pkts/sec in memory-to-memory copies, suggesting that a kernel implementation using PC hardware could keep pace with a bidirectional 100 Mbps link with sufficient headroom to weather a high-speed flooding attack of small packets.
