Efficient and robust TCP stream normalization

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2008, Pages 96-110

  Vutukuru, Mythili ^a   Balakrishnan, Hari ^a   Paxson, Vern ^b  

^a MASSACHUSETTS INSTITUTE OF TECHNOLOGY   (United States)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BYTE STREAMS; HIGH SPEEDS; HIGH-SPEED LINKS; NETWORK ELEMENTS; NETWORK INTRUSION DETECTION; NETWORK MONITORING; NETWORK TRAFFICS; ORDERS-OF-MAGNITUDE; RETRANSMISSIONS; SECURITY AND PRIVACY; SEQUENCE NUMBERS; SOUND DETECTION;

INTERNET; SPEED; TRANSMISSION CONTROL PROTOCOL; WEIGHT CONTROL;

INTRUSION DETECTION;

EID: 50249136649     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2008.27     Document Type: Conference Paper

References (20)

1. M. Roesch, "Snort: Lightweight intrusion detection for networks," in Proc. USENIX LISA, November 1999.
2. V. Paxson, "Bro: a System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, no. 23-24, pp. 2435.2463, 1999.
3. T. H. Ptacek and T. N. Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection," Secure Networks, Inc., Tech. Rep., Jan. 1998, http://insecure.org/stf/secnet_ids/secnet_ids.html.
4. G. R. Malan, D. Watson, F. Jahanian, and P. Howell, "Transport and Application Protocol Scrubbing," in Proc. IEEE INFOCOM, Apr. 2000.
5. M. Handley, V. Paxson, and C. Kreibich, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics," in Proc. USENIX Security Symposium, Aug. 2001.
6. G. Varghese, J. A. Fingerhut, and F. Bonomi, "Detecting Evasion Attacks at High Speeds Without Reassembly," in Proc. ACM SIGCOMM, Sept. 2006.
7. Dug Song, "fragroute," http://monkey.org/~dugsong/fragroute/.
8. Sean Kerner, "Open Source Metasploit Improves Evasion," Aug. 2006, http://www.internetnews.com/dev-news/article.php/3624501.
9. Federico Biancuzzi, "Metasploit 3.0 day," May 2007, http://www.securityfocus.com/columnists/439.
10. J. Postel, RFC 793: Transmission Control Protocol, Sept. 1981.
11. H. Dreger, A. Feldmann, V. Paxson, and R. Sommer, "Operational Experiences with High-Volume Network Intrusion Detection," in Proceedings of CCS, 2004.
12. F. Bonomi, M. Mitzenmacher, R. Panigrah, S. Singh, and G. Varghese, "Beyond Bloom Filters: From Approximate Membership Checks to Approximate State Machines," in Proc. ACM SIGCOMM, Sept. 2006.
13. J. L. Carter and M. N. Wegman, "Universal classes of hash functions (extended abstract)," in Proc. of ACM Symposium on Theory of computing, 1977, pp. 106-112.
14. Y. Sugawara, M. Inaba, and K. Hiraki, "High-speed and Memory Efficient TCP Stream Scanning Using FPGA," in Proc. International Conference on Field Programmable Logic and Applications, Aug. 2005.
15. OpenBSD, "PF: Scrub (Packet Normalization)," 2006, http://www.openbsd.org/faq/pf/scrub.html.
16. Cisco Systems, Inc., "Configuring TCP/IP Normalization and IP Reassembly Parameters," 2006, www.cisco.com/univercd/cc/td/doc/product/lan/ cat6000/mod icn/ace/ace 301/securgd/tcpipnrm.pdf.
17. _, "Configuring TCP Normalization," 2006, http://www.cisco.com/ en/US/products/ps6120/products_configuration_guide_chapter09186a008054ecb8. html#wp1051891.
18. U. Shankar and V. Paxson, "Active Mapping: Resisting NIDS Evasion Without Altering Traffic," in Proc. IEEE Symposium on Security and Privacy, May 2003.
19. K. Levchenko, R. Paturi, and G. Varghese, "On the Difficulty of Scalably Detecting Network Attacks," in Proc. ACM CCS, Oct. 2004.
20. S. Dharmapurikar and V. Paxson, "Robust TCP Stream Reassembly in the Presence of Adversaries," in Proc. USENIX Security Symposium, Aug. 2005.