Security '01 Abstract
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
Mark Handley and Vern Paxson,
AT&T Center for Internet Research at ICSI (ACIRI); and
Christian Kreibich, Institut für Informatik
A fundamental problem for network intrusion detection systems is the
ability of a skilled attacker to evade detection by exploiting
ambiguities in the traffic stream as seen by the monitor. We discuss the
viability of addressing this problem by introducing a new network forwarding
element called a traffic normalizer. The normalizer sits directly
in the path of traffic into a site and patches up the packet stream to
eliminate potential ambiguities before the traffic is seen by the monitor,
removing evasion opportunities. We examine a number of tradeoffs in
designing a normalizer, emphasizing the important question of the degree
to which normalizations undermine end-to-end protocol semantics.
We discuss the key practical issues of ``cold start'' and attacks
on the normalizer, and develop a methodology for systematically examining
the ambiguities present in a protocol based on walking the protocol's
header. We then present norm, a publicly available user-level
implementation of a normalizer that can normalize a TCP traffic
stream at 100,000 pkts/sec in memory-to-memory copies, suggesting
that a kernel implementation using PC hardware could keep pace with
a bidirectional 100 Mbps link with sufficient headroom to weather a
high-speed flooding attack of small packets.
- View the full text of this paper in
The Proceedings are published as a collective work, © 2001 by the USENIX Association. All Rights Reserved. Rights
to individual papers remain with the author or the author's employer.
Permission is granted for the noncommercial reproduction of the complete
work for educational or research purposes. USENIX acknowledges all
trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
- To become a USENIX Member, please see our Membership Information.