Get rid of the ambiguities in the traffic stream

Normalizer

NIDS: network intrusion detection system. Attackers can exploit ambiguities in the traffic stream to evade the monitoring of the NIDS. Three major defects of the NIDS allow them to do that:

(1) Lack of complete analysis of the full range of behavior allowed by a particular protocol. For example, an attacker can evade a NIDS that fails to reassemble IP fragments by intentionally transmitting the attack traffic in fragments, because the NIDS does not know that the end-system will reassemble the fragments and probably get infected.

(2) Lack of detailed knowledge of the end-system's protocol implementation. The same packets may trigger different actions on different systems; on some systems they may cause trouble, but the NIDS does not know much about the end-system. (How about implementing the strictest detection rule?)

(3) Lack of detailed knowledge of the topology between the NIDS and the end-system. The NIDS cannot be sure whether some packets will be received or not, and this kind of uncertainty is not good.

In conclusion, the NIDS does not know the end-system it serves very well, and that is where the ambiguities come from. (Maybe we can customize the NIDS.)

Normalizer: it gets rid of the ambiguities, making sure that no matter which end-system the NIDS serves, the traffic will be interpreted and acted on in the same way. Unlike a firewall, the normalizer does not block malicious traffic; it just translates it into a normal form and makes sure it cannot evade the NIDS's detection.
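The following is an added example, not code from the slides or from the Norm normalizer itself, showing the overlapping-fragment ambiguity in miniature. Two modelled end-systems reassemble the same overlapping IP fragments differently (one keeps the bytes that arrived first, the other lets later fragments overwrite), so a NIDS that guesses the wrong policy sees a different payload than the host. The normalizer step trims every fragment to the bytes not yet covered, after which both policies agree. The first-arrival-wins rule and the fragment contents are assumptions made for the example.

```python
"""Constructed example: removing an overlapping-fragment ambiguity.

Fragments are modelled as (byte offset within the datagram, payload).
IP headers, the more-fragments flag and timeouts are left out so the
ambiguity itself stays visible.
"""
from typing import List, Optional, Set, Tuple

Fragment = Tuple[int, bytes]


def reassemble(frags: List[Fragment], favor_new: bool) -> bytes:
    """Model one end-system's reassembly policy.

    favor_new=True:  a later fragment overwrites earlier bytes at the
                     same offsets.
    favor_new=False: whatever arrived first is kept.
    Real stacks differ on exactly this choice, which is the ambiguity
    a NIDS cannot resolve without knowing the end-system.
    """
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)            # unfilled gaps stay as zero bytes
    written = [False] * total
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if favor_new or not written[pos]:
                buf[pos] = b
                written[pos] = True
    return bytes(buf)


def is_ambiguous(frags: List[Fragment]) -> bool:
    """True when the two policies would hand different bytes to the application."""
    return reassemble(frags, True) != reassemble(frags, False)


def normalize_fragments(frags: List[Fragment]) -> List[Fragment]:
    """Normalizer step (assumed policy: first arrival wins).

    Each fragment is trimmed to the byte positions not already covered by
    an earlier fragment; fully covered fragments are dropped. The output
    never overlaps, so every reassembly policy yields the same datagram,
    and the NIDS can analyse that one interpretation.
    """
    covered: Set[int] = set()
    out: List[Fragment] = []
    for off, data in frags:
        run_start: Optional[int] = None   # start of the current uncovered run
        run = bytearray()
        for i, b in enumerate(data):
            pos = off + i
            if pos in covered:
                if run_start is not None:  # close the run we were building
                    out.append((run_start, bytes(run)))
                    run_start, run = None, bytearray()
                continue
            if run_start is None:
                run_start = pos
            run.append(b)
            covered.add(pos)
        if run_start is not None:
            out.append((run_start, bytes(run)))
    return out


if __name__ == "__main__":
    # Constructed input: the second fragment overlaps bytes 5..9 of the first.
    frags = [(0, b"GET /index"), (5, b"other")]
    print("ambiguous before:", is_ambiguous(frags))
    fixed = normalize_fragments(frags)
    print("normalized:", fixed, "ambiguous after:", is_ambiguous(fixed))
```

Run with `python3 normalize_demo.py`; the overlapping input is reported ambiguous, and after normalization only the non-overlapping fragments remain. Trimming rather than dropping also handles the benign case where a retransmitted fragment merely extends an earlier one.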

What we should be concerned about when designing the normalizer: the normalizer should not decompose the traffic to a level that is too basic, otherwise it will hamper the performance of the NIDS and the end-system. A limited capacity to hold state will make the system vulnerable to attacks that try to overwhelm the normalizer's ability to keep state.

Some problems the normalizer will face in the real world: Cold start: the normalizer lacks knowledge of the connections that were already established before it started. A patient attacker will wait until the normalizer shuts down, then do the dirty work and remain unnoticed after the normalizer restarts. The normalizer can be attacked by a state-holding attack. A memory-monitoring mechanism should be introduced to monitor the state that needs to be held and dynamically adjust the state-holding capacity.
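As an added example (not the slides' or Norm's own code) of the memory-monitoring idea above, the fragment table below keeps a byte budget for partially reassembled datagrams and, whenever that budget is exceeded, evicts the pending datagrams that look least like legitimate traffic: old entries made of tiny fragments. The budget, the scoring rule and the addresses are assumptions made for the example.

```python
"""Constructed example: bounded fragment state with triage under pressure.

Every incomplete datagram costs memory until its last fragment arrives.
A flood of never-completed fragments would otherwise grow the table
without bound, so a monitor measures what is held and sheds the worst
entries instead of dropping everything or running out of memory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str, int]   # (source IP, destination IP, IP identification)


@dataclass
class PendingDatagram:
    first_seen: float
    frags: List[Tuple[int, bytes]] = field(default_factory=list)

    def bytes_held(self) -> int:
        return sum(len(data) for _, data in self.frags)

    def mean_frag_size(self) -> float:
        return self.bytes_held() / len(self.frags) if self.frags else 0.0


class FragmentTable:
    def __init__(self, budget_bytes: int, small_frag: int = 64):
        self.budget = budget_bytes        # assumed memory budget for pending state
        self.small_frag = small_frag      # fragments below this size look suspicious
        self.pending: Dict[Key, PendingDatagram] = {}
        self.evicted: List[Key] = []      # kept so an operator can review what was shed

    def held(self) -> int:
        """Memory monitor: bytes currently tied up in incomplete datagrams."""
        return sum(p.bytes_held() for p in self.pending.values())

    def add(self, key: Key, offset: int, data: bytes, now: float) -> None:
        entry = self.pending.setdefault(key, PendingDatagram(first_seen=now))
        entry.frags.append((offset, data))
        self.triage(now)

    def complete(self, key: Key) -> None:
        """Last fragment arrived and the datagram was forwarded: release its state."""
        self.pending.pop(key, None)

    def _score(self, entry: PendingDatagram, now: float) -> float:
        # Higher = more likely to be junk: long-pending AND built from small pieces.
        age = now - entry.first_seen
        smallness = self.small_frag / max(entry.mean_frag_size(), 1.0)
        return (age + 1.0) * smallness

    def triage(self, now: float) -> None:
        """While over budget, drop the single worst-scoring pending datagram.

        Evicting one entry at a time keeps a legitimate large datagram in
        mid-reassembly alive while the attacker's stale 8-byte fragments
        are shed first.
        """
        while self.held() > self.budget and self.pending:
            worst_key = max(self.pending, key=lambda k: self._score(self.pending[k], now))
            self.pending.pop(worst_key)
            self.evicted.append(worst_key)


def simulate_state_holding_attack() -> FragmentTable:
    """Constructed scenario: one real datagram plus a flood of incomplete ones."""
    table = FragmentTable(budget_bytes=1000)
    legit: Key = ("10.0.0.1", "10.0.0.2", 4242)         # constructed addresses
    table.add(legit, 0, b"L" * 512, now=0.0)            # large first fragment, genuine
    for j in range(100):                                # 100 datagrams, 8 bytes each, never finished
        table.add(("198.51.100.7", "10.0.0.2", j), 8 * (j + 1), b"x" * 8, now=float(j + 1))
    return table


if __name__ == "__main__":
    t = simulate_state_holding_attack()
    print("held:", t.held(), "pending:", len(t.pending), "evicted:", len(t.evicted))
```

In the simulated flood the table stays within budget, every eviction hits one of the flood's entries, and the genuine datagram's state survives until `complete()` releases it. Adjusting `budget_bytes` at run time is the "dynamically adjust the state-holding capacity" step; `evicted` is the list a memory monitor would log.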

CPU overload attack: the systematic approach the normalizer adopts is to walk through the packet headers of each protocol that is taken into consideration.

Norm has been implemented, and several methods are used to evaluate its performance. Reading from a libpcap trace file factors out the cost of getting packets to the normalizer, and three kinds of trace file are used to ensure the completeness and fairness of the evaluation. The results suggest that the normalizer, implemented as a Click module, can forward normal traffic at line speed on a bidirectional 100Mb/s link. Link flooding does not cause denial of service on the norm system, but the norm system is vulnerable to out-of-order small fragments, which cause the normalizer to perform triage on the attack traffic.