TCP reassembler for layer7-aware network intrusion detection/prevention systems

IEICE Transactions on Information and Systems

Volumn E90-D, Issue 12, 2007, Pages 2019-2032

  Hanaoka, Miyuki ^a   Shemamura, Makoto ^a   Kono, Kenji ^a  

^a KEIO UNIVERSITY   (Japan)

Author keywords

Layer7 aware NIDS NIPS; Network intrusion detection prevention systems; Network security; Tcp reassembler

Indexed keywords

COMPUTER OPERATING SYSTEMS; INTERNET PROTOCOLS; MERCURY (METAL); NETWORK SECURITY; SEMANTICS; TRANSMISSION CONTROL PROTOCOL; TRANSPARENCY;

CLIENT APPLICATIONS; EFFECTIVE APPROACHES; LAYER7-AWARE NIDS/NIPS; LINUX KERNEL; MESSAGE FORMAT; NETWORK INTRUSION DETECTION; TARGET APPLICATION; TCP REASSEMBLER;

INTRUSION DETECTION;

EID: 68249140232     PISSN: 09168532     EISSN: 17451361     Source Type: Journal    
DOI: 10.1093/ietisy/e90-d.12.2019     Document Type: Article

References (34)

1. "Microsoft security bulletin MS01-033," Nov. 2003. http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx
2. "Apache HTTP request smuggling vulnerability," Sept. 2006. http://www.securityfocus.com/bid/14106/
3. H.J. Wang, C. Guo, D.R. Simon, and A. Zugenmaier, "Shield: Vulnerability-driven network filters for preventing known vulnerability exploits," Proc. ACM SIGCOMM 2004, pp. 193-204, Portland, USA, Aug. 2004.
4. R. Sommer and V. Paxson, "Enhancing byte-level network intrusion detection signatures with context," Proc. 10th ACM Conf. on Computer and Communications Security (CCS '03), pp. 262-271, Washington, USA, Oct. 2003.
5. M. Roesch, "Snort - lightweight intrusion detection for networks," Proc. 13th Systems Administration Conf. (LISA '99), pp. 229-238, Seattle, USA, Nov. 1999.
6. G. Vigna, W. Robertson, V. Kher, and R.A. Kemmerer, "A stateful intrusion detection system for world-wide web servers," Proc. 19th Annual Computer Security Applications Conf. (ACSAC '03), pp. 34-43, Las Vegas, USA, Dec. 2003.
7. C. Kruegel and G. Vigna, "Anomaly detection of Web-based attacks," Proc. 10th ACM Conf. on Computer and Communications Security (CCS '03), pp. 251-261, Washington, USA, Oct. 2003.
8. Check Point Software Technologies Ltd., Application Intelligence. http://www.checkpoint.com/products/downloads/applicationintelligence-whitepaper. pdf
9. McAfee, Inc., IntruShield Network IPS Appliances. http://www.mcafee.com/ japan/products/pdf/IntruVert-NextGenerationIDSWhitePaper.en.pdf
10. V. Paxson, "Bro: A system for detecting network intruders in realtime," Comput. Netw., vol. 31, no. 23-24, pp. 2435-2463, Dec. 1999.
11. S. Dharmapurikar and V. Paxson, "Rubust TCP stream reassembly in the presence of adversaries," Proc. 14th USENIX Security Symp., pp. 65-80, Baltimore, USA, Aug. 2005.
12. "Common vulnerabilities and exposures," http://www.cve.mitre. org/
13. "CERT advisory CA-2002-27 Apache/mod-ssl worm," Oct. 2002. http://www.cert.org/advisories/CA-2002-27.html
14. "RFC793 - transmission control protocol," 1981. http://rfc.net/rfc793.html
15. T.H. Ptacek and T.N. Newsham, "Insertion, evasion, and denial of service: Eluding network intrusion detection," Tech. Rep., Secure Networks, Inc., Jan. 1998.
16. G.R. Malan, D. Watson, F. Jahanian, and P. Howell, "Transport and application protocol scrubbing," Proc. IEEE INFOCOM 2000, pp. 1381-1390, Tel-Aviv, Israel, March 2000.
17. M. Handley, V. Paxson, and C. Kreibich, "Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics," Proc. 10th USENIX Security Symposium, Washington, USA, Aug. 2001.
18. U. Shankar and V. Paxson, "Active mapping: Resisting nids evasion without altering traffic," Proc. 2003 IEEE Symp. on Security and Privacy (S&P '03), pp. 44-61, Oakland, USA, May 2003.
19. K. Kono, T. Shinagawa, and M.R. Kabir, "Improving internet server security by filtering on tcp streams," IPSJ Trans. Advanced Computing Systems, vol. 46, no. SIG4 (ACS 9), pp. 33-44, March 2005.
20. Mindcraft, Inc., "WebStone." http://www.mindcraft.com/webstone/
21. C. Shannon, D. Moore, and kxlaffy, "Characteristics of fragmented ip traffic on internet links," Proc. 1st ACM SIGCOMM Workshop on Internet Measurement, pp. 83-97, San Francisco, USA, Nov. 2001.
22. S. Shenker and J. Wroclawaki, "Network element service specification template," RFC2216, 1997. http://rfc.net/rfc2216.html
23. W. Robertson, G. Vigna, C. Kruegel, and R.A. Kemmerer, "Using generalization and characterization techniques in the anomaly-based detection of web attacks," Proc. 13th Network and Distributed System Security Symp. (NDSS '06), San Diego, USA, Feb. 2006.
24. E. Tombini, H. Debar, L. Me, and M. Ducasse, "A serial combination of anomaly and misuse idses applied to http traffic," Proc. 20th Annual Computer Security Applications Conf. (ACSAC '04), pp. 428-437, Tucson, USA, Dec. 2004.
25. D.V. Schuehler and J.W. Lockwood, "TCP-Splitter: A TCP/IP flow monitor in reconfigurable hardware," Proc. 10th on High Performance Interconnects Hot Interconnects (HotI '02), pp. 127-131, Stanford, USA, Aug. 2002.
26. D.V. Schuehler and J.W. Lockwood, "TCP Splitter: A TCP/IP flow monitor in reconfigurable hardware," IEEE Micro, vol. 23, no. 1, pp. 54-59, Jan. 2003.
27. C. Clark, W. Lee, D. Schimmel, D. Contis, M. Koné, and A. Thomas, "A hardware platform for network intrusion detection and prevention," Proc. 3rd Workshop on Network Processors & Applications (NP3), Madrid, Spain, Feb. 2004.
28. K. Xinidis, I. Charitakis, S. Antonatos, K.G. Anagnostakis, and E.P. Markatos, "An active splitter architecture for intrusion detection and prevention," IEEE Trans. Dependable and Secure Computing, vol. 3, no. 1, pp. 31-44, Jan. 2006.
29. S. Li, J. Torresen, and O. Søråsen, "Exploiting reconfigurable hardware for network security," Proc. 11th IEEE Symp. on Field-Programmable Custom Computing Machines (FCCM '03), pp. 292-293, Napa, USA, April 2003.
30. The NSS Group. http://www.nss.co.uk/
31. Symantec Corporation. http://www.symantec.com/
32. Cisco Systems, Inc. http://www.cisco.com/
33. Juniper Networks, Inc. http://www.juniper.net/
34. Westline Security Ltd. http://www.west-line.net/