DOI: 10.5555/1251327.1251336
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

Published: 13 August 2001

Abstract

A fundamental problem for network intrusion detection systems is the ability of a skilled attacker to evade detection by exploiting ambiguities in the traffic stream as seen by the monitor. We discuss the viability of addressing this problem by introducing a new network forwarding element called a traffic normalizer. The normalizer sits directly in the path of traffic into a site and patches up the packet stream to eliminate potential ambiguities before the traffic is seen by the monitor, removing evasion opportunities. We examine a number of tradeoffs in designing a normalizer, emphasizing the important question of the degree to which normalizations undermine end-to-end protocol semantics. We discuss the key practical issues of "cold start" and attacks on the normalizer, and develop a methodology for systematically examining the ambiguities present in a protocol based on walking the protocol's header. We then present norm, a publicly available user-level implementation of a normalizer that can normalize a TCP traffic stream at 100,000 pkts/sec in memory-to-memory copies, suggesting that a kernel implementation using PC hardware could keep pace with a bidirectional 100 Mbps link with sufficient headroom to weather a high-speed flooding attack of small packets.
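The ambiguity the abstract refers to is easiest to see in TCP: two segments that overlap in sequence space but carry different bytes are resolved differently by different stacks, so a monitor can reconstruct a different stream from the one the end host accepts. The following Python is an added illustration, not the paper's norm implementation. It reassembles a constructed two-segment exchange under a first-data-wins and a last-data-wins policy to show the disagreement, then runs the same segments through a minimal per-connection normalizer that remembers every payload byte it has already forwarded and rewrites inconsistent retransmissions so that every reassembly policy yields the same stream. The names Segment, reassemble, Normalizer and normalize_stream are chosen here, and the sample segments are constructed, not captured traffic.

```python
"""Added example: TCP overlap ambiguity and a minimal normalizer for it.
Not the paper's norm code; names and sample segments are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of payload[0]
    payload: bytes


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream the way a given TCP stack (or a NIDS) would.
    policy="first": bytes already received win on overlap.
    policy="last":  a later segment overwrites what was received.
    Returns the contiguous run starting at the lowest sequence number seen."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    buf: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            s = seg.seq + i
            if policy == "first" and s in buf:
                continue
            buf[s] = byte
    if not buf:
        return b""
    out = bytearray()
    s = min(buf)
    while s in buf:
        out.append(buf[s])
        s += 1
    return bytes(out)


@dataclass
class Normalizer:
    """Per-connection normalizer state: every payload byte already forwarded
    toward the receiver, keyed by sequence number, plus a rewrite counter."""
    forwarded: Dict[int, int] = field(default_factory=dict)
    rewrites: int = 0

    def normalize(self, seg: Segment) -> Segment:
        """Forward the segment, but make any overlap agree with what was
        already sent on; the first copy of a byte we see becomes canonical.
        Cold-start caveat: if this connection was already in progress when the
        normalizer came up, the receiver may hold bytes we never saw."""
        out = bytearray(seg.payload)
        for i, byte in enumerate(seg.payload):
            s = seg.seq + i
            prev = self.forwarded.get(s)
            if prev is None:
                self.forwarded[s] = byte
            elif prev != byte:
                out[i] = prev          # inconsistent retransmission: rewrite it
                self.rewrites += 1
        return Segment(seg.seq, bytes(out))

    def ack(self, ack_seq: int) -> None:
        """Receiver has acknowledged everything below ack_seq; forget it, so a
        flood of small segments cannot grow this state without bound."""
        for s in [s for s in self.forwarded if s < ack_seq]:
            del self.forwarded[s]


def normalize_stream(segments: List[Segment]) -> Tuple[List[Segment], int]:
    n = Normalizer()
    return [n.normalize(s) for s in segments], n.rewrites


# Constructed sample: a request, then an overlapping retransmission of the
# URL bytes (seq 1005..1014) carrying different contents.
ATTACK = [
    Segment(1000, b"GET /index.html HTTP/1.0\r\n"),
    Segment(1005, b"admin.html"),
]

if __name__ == "__main__":
    print("first-wins :", reassemble(ATTACK, "first"))
    print("last-wins  :", reassemble(ATTACK, "last"))
    fixed, count = normalize_stream(ATTACK)
    print("normalized :", reassemble(fixed, "first"), reassemble(fixed, "last"), count)
```

Three of the abstract's concerns show up directly in this toy. A normalizer that starts mid-connection has no record of what the receiver already holds, so the first copy it sees becomes canonical whether or not the receiver agrees; that is the cold-start problem. The forwarded map must be trimmed as acknowledgements arrive, otherwise an attacker can exhaust the normalizer's memory with a flood of small segments, which is why the abstract's throughput figure is stated with headroom for exactly that attack. And rewriting a retransmission changes bytes the sender put on the wire, which is the end-to-end semantics tradeoff the paper sets out to examine.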



Published In

SSYM'01: Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
August 2001
350 pages

Publisher

USENIX Association, United States
Cited By

• (2022) SoK. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, pp. 546-560, doi:10.1145/3488932.3517418, published 30 May 2022
• (2020) You do (not) belong here. Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies, pp. 183-197, doi:10.1145/3386367.3431311, published 23 Nov 2020
• (2019) Cross-router covert channels. Proceedings of the 13th USENIX Conference on Offensive Technologies, doi:10.5555/3359043.3359045, published 12 Aug 2019
• (2019) NetWarden. Proceedings of the 11th USENIX Conference on Hot Topics in Cloud Computing, doi:10.5555/3357034.3357037, published 8 Jul 2019
• (2019) Flowblaze. Proceedings of the 16th USENIX Conference on Networked Systems Design and Implementation, pp. 531-547, doi:10.5555/3323234.3323278, published 26 Feb 2019
• (2019) Protocol-independent Detection of "Messaging Ordering" Network Covert Channels. Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1-8, doi:10.1145/3339252.3341477, published 26 Aug 2019
• (2019) Recombining TCP sessions based on finite state machine to detect cyber attackers. Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, pp. 138-142, doi:10.1145/3309074.3309084, published 19 Jan 2019
• (2019) Building an emulation environment for cyber security analyses of complex networked systems. Proceedings of the 20th International Conference on Distributed Computing and Networking, pp. 203-212, doi:10.1145/3288599.3288618, published 4 Jan 2019
• (2018) Circuit Switched VM Networks for Zero-Copy IO. Proceedings of the 2018 Afternoon Workshop on Kernel Bypassing Networks, pp. 1-7, doi:10.1145/3229538.3229539, published 7 Aug 2018
• (2017) lib•erate, (n). Proceedings of the 2017 Internet Measurement Conference, pp. 128-141, doi:10.1145/3131365.3131376, published 1 Nov 2017