TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems(Dependable Computing)
Abstract
Exploiting layer7 context is an effective approach to improving the accuracy of detecting malicious messages in network intrusion detection/prevention systems (NIDS/NIPSs). Layer7 context enables us to inspect message formats and the order in which messages are exchanged. Unfortunately, layer7-aware NIDS/NIPSs pose crucial implementation issues because they require full TCP and IP reassembly without losing 1) complete prevention, 2) performance, 3) application transparency, or 4) transport transparency. Complete prevention means that the NIDS/NIPS should prevent malicious messages from reaching target applications. Application transparency means not requiring any modifications to or reconfiguration of server and client applications. Transport transparency means not disrupting the end-to-end semantics of TCP/IP. To the best of our knowledge, none of the existing approaches meet all of these requirements. We have developed an efficient mechanism for layer7-aware NIDS/NIPSs that does meet the above requirements. Our store-through mechanism does this by forwarding each out-of-order or IP-fragmented packet immediately after copying it, even if it has not yet been checked by an NIDS/NIPS sensor. Although the forwarded packet might turn out to be part of an attack message, the store-through mechanism can still defend against the attack by blocking one of the subsequent packets that contains another part of the attack message. Testing of a prototype in Linux kernel 2.4.30 demonstrated that the overhead of our mechanism is negligible compared with that of a simple IP forwarder, even in the presence of out-of-order and IP-fragmented packets. In addition, the experimental results suggest that the CPU and memory usage incurred by our store-through mechanism is not significant.
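The store-through decision logic described in the abstract, written out as an added example. This is illustrative code, not the paper's Linux 2.4.30 prototype: it models one direction of one TCP flow in user space, with a receiving TCP stack that can only deliver the contiguous bytes starting at the ISN. Everything beyond the abstract is an assumption here: the layer7 sensor is a plain substring match (`traversal_sensor`), buffered out-of-order data is assumed not to partially overlap later segments, a flow stays blocked once the sensor fires so retransmissions of the dropped segment are discarded too, and the sample segments are constructed.

```python
# Added illustration of store-through TCP reassembly (not the paper's kernel code).
# Assumptions (not stated in the abstract): no partial overlap of out-of-order data,
# a substring-match sensor, and a flow that stays blocked once the sensor fires so
# retransmissions of the dropped segment are discarded as well.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes   # payload carried by this segment


@dataclass
class FlowState:
    next_seq: int                                        # first byte not yet inspected
    stream: bytes = b""                                  # contiguous, inspected payload
    ooo: Dict[int, bytes] = field(default_factory=dict)  # out-of-order copies, keyed by seq
    blocked: bool = False


class StoreThroughNIPS:
    """Inline NIPS: in-order data is inspected before forwarding; out-of-order data is
    copied and forwarded at once (store-through); the in-order segment that completes a
    malicious message is dropped, so the receiver can never hand the message up."""

    def __init__(self, sensor: Callable[[bytes], bool], isn: int = 0) -> None:
        self.sensor = sensor                   # layer7 check over the reassembled stream
        self.flow = FlowState(next_seq=isn)
        self.log: List[Tuple[str, int]] = []   # (verdict, seq) in arrival order

    def _verdict(self, verdict: str, seg: Segment) -> str:
        self.log.append((verdict, seg.seq))
        return verdict

    def on_segment(self, seg: Segment) -> str:
        f = self.flow
        if f.blocked:
            return self._verdict("drop", seg)     # also retransmissions of the dropped segment
        if seg.seq + len(seg.data) <= f.next_seq:
            return self._verdict("forward", seg)  # pure retransmit of already-inspected bytes
        if seg.seq > f.next_seq:
            f.ooo[seg.seq] = seg.data             # keep a copy for later inspection ...
            return self._verdict("forward", seg)  # ... and forward without waiting
        # In-order segment: trim any already-inspected prefix, then append every buffered
        # copy that now follows contiguously, so the sensor sees the whole message.
        chunk = seg.data[f.next_seq - seg.seq:]
        cursor = f.next_seq + len(chunk)
        while cursor in f.ooo:
            piece = f.ooo.pop(cursor)
            chunk += piece
            cursor += len(piece)
        for stale in [k for k in f.ooo if k < cursor]:
            f.ooo.pop(stale)                      # covered by this segment (assumption: no partial overlap)
        if self.sensor(f.stream + chunk):
            f.blocked = True
            return self._verdict("drop", seg)     # the hole is never filled at the receiver
        f.stream += chunk
        f.next_seq = cursor
        return self._verdict("forward", seg)


def replay(sensor, segments: List[Segment], isn: int = 0) -> Tuple[bytes, List[Tuple[str, int]]]:
    """Push segments through the NIPS and model the receiving TCP stack, which delivers
    only the contiguous run of forwarded bytes from the ISN. Returns (delivered, log)."""
    nips = StoreThroughNIPS(sensor, isn)
    received: Dict[int, bytes] = {}
    for seg in segments:
        if nips.on_segment(seg) == "forward":
            received[seg.seq] = seg.data
    delivered, cur = b"", isn
    while cur in received:
        delivered += received[cur]
        cur += len(received[cur])
    return delivered, nips.log


def traversal_sensor(stream: bytes) -> bool:
    """Constructed stand-in for a layer7 sensor: flag a request path containing '../../'."""
    return b"../../" in stream


# Constructed sample traffic: one HTTP-like request in three segments, arriving A, C, B.
ATTACK = [
    Segment(0, b"GET /x/"),                     # A: in-order, inspected, forwarded
    Segment(11, b"./etc/passwd HTTP/1.0\r\n"),  # C: out-of-order, forwarded unchecked
    Segment(7, b"../."),                        # B: fills the hole; pattern spans B and C
]
BENIGN = [Segment(0, b"GET /ind"), Segment(11, b"html HTTP/1.0\r\n"), Segment(8, b"ex.")]
# Whole pattern inside the unchecked out-of-order segment; dropping the hole-filler still
# keeps the message away from the application.
ATTACK_IN_OOO = [Segment(0, b"GET "), Segment(7, b"../../etc/passwd HTTP/1.0\r\n"), Segment(4, b"/x/")]

if __name__ == "__main__":
    for name, segs in (("attack", ATTACK), ("benign", BENIGN), ("attack_in_ooo", ATTACK_IN_OOO)):
        delivered, log = replay(traversal_sensor, segs)
        print(name, log, delivered)
```

The point the replay makes is the one the abstract relies on: because TCP delivers bytes to the application only in order, forwarding an unchecked out-of-order segment is safe as long as the segment that fills the hole in front of it is still inspected before it is forwarded; dropping that one segment leaves the receiver holding an undeliverable fragment. What happens to the sender's retransmissions of the dropped segment is not covered by the abstract, which is why the block simply keeps the flow blocked.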
- Paper published by the Institute of Electronics, Information and Communication Engineers (IEICE)
- 2007-12-01
Authors
-
KONO Kenji
Faculty of Science and Technology, Keio University
-
HANAOKA Miyuki
School for Open and Environmental Systems, Graduate School of Science and Technology, Keio University
-
SHIMAMURA Makoto
School for Open and Environmental Systems, Graduate School of Science and Technology, Keio University
Related papers
- Research on Virtual Machine Technology as a "Means" (Introduction to the FY2009 Paper Award Winning Paper)
- Reducing Security Policy Size for Internet Servers in Secure Operating Systems
- Filtering False Positives Based on Server-Side Behaviors
- A Lightweight Linux Binary Execution System for Using Windows PCs in a Grid Environment
- User-level Enforcement of Appropriate Background Process Execution
- Using a Virtual Machine Monitor to Slow Down CPU Speed for Embedded Time-Sensitive Software Testing
- A State-Aware Protocol Fuzzer Based on Application-Layer Protocols
- Clustering Performance Anomalies Based on Similarity in Processing Time Changes
- MashCache: Taming Flash Crowds by Using Their Good Features
- Lightweight Recovery from Kernel Failures Using Phase-based Reboot
- Using Fault Injection to Analyze the Scope of Error Propagation in Linux
- Honeyguide: A VM Migration-Aware Network Topology for Saving Energy Consumption in Data Center Networks
- Automatically Checking for Session Management Vulnerabilities in Web Applications
- DiscNice: User-level Regulation of Disk Bandwidth