Design and analysis of a multipacket signature detection system

Worm epidemics in the last few years have shown that manual defences against worm epidemics are not practical. Recently, various automatic worm identification methods have been proposed to be deployed at high-speed network nodes to respond in time to fast infection rates of worms. Unfortunately, these methods can easily be evaded by fragmentation of the worm packets. The straightforward defragmentation method is not applicable for these high-speed nodes due to its high storage (memory) requirement. In this paper, this multipacket signature detection problem is addressed using a defragmentation-free, space-efficient solution. A new data structure Prefix Bloom Filters (PBFs) along with a new heuristic, called the Chain Heuristic (CH) is proposed to significantly reduce the storage requirement of the problem, so that multipacket signature detection becomes feasible for high-speed network nodes.

[1]  David Moore,et al.  Internet quarantine: requirements for containing self-propagating code , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[2]  Thomas Henry Ptacek,et al.  Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .

[3]  John W. Lockwood,et al.  Deep packet inspection using parallel Bloom filters , 2003, 11th Symposium on High Performance Interconnects, 2003. Proceedings..

[4]  John W. Lockwood,et al.  SIFT: snort intrusion filter for TCP , 2005, 13th Symposium on High Performance Interconnects (HOTI'05).

[5]  Vern Paxson,et al.  Active mapping: resisting NIDS evasion without altering traffic , 2003, 2003 Symposium on Security and Privacy, 2003..

[6]  Pei Cao,et al.  Hash-AV: fast virus signature scanning by cache-resident filters , 2005, GLOBECOM.

[7]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[8]  Guofei Gu,et al.  Worm detection, early warning and response based on local victim information , 2004, 20th Annual Computer Security Applications Conference.

[9]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[10]  Mark Handley,et al.  Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics , 2001, USENIX Security Symposium.

[11]  B. Karp,et al.  Autograph: Toward Automated, Distributed Worm Signature Detection , 2004, USENIX Security Symposium.

[12]  Guofei Gu,et al.  HoneyStat: Local Worm Detection Using Honeypots , 2004, RAID.

[13]  T. V. Lakshman,et al.  Gigabit rate packet pattern-matching using TCAM , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..

[14]  Wing Cheong Lau,et al.  CYSEP - a cyber-security processor for 10 Gbps networks and beyond , 2004, IEEE MILCOM 2004. Military Communications Conference, 2004..

[15]  John W. Lockwood,et al.  Architecture for a hardware-based, TCP/IP content-processing system , 2004, IEEE Micro.

[16]  George Varghese,et al.  Automated Worm Fingerprinting , 2004, OSDI.

[17]  William H. Mangione-Smith,et al.  Deep packet filter with dedicated logic and read only memories , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[18]  George Varghese,et al.  Deterministic memory-efficient string matching algorithms for intrusion detection , 2004, IEEE INFOCOM 2004.

[19]  John Heidemann,et al.  Detecting Early Worm Propagation through Packet Matching , 2004 .

[20]  John W. Lockwood,et al.  Design of a system for real-time worm detection , 2004, Proceedings. 12th Annual IEEE Symposium on High Performance Interconnects.

[21]  Viktor K. Prasanna,et al.  Fast Regular Expression Matching Using FPGAs , 2001, The 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'01).

[22]  Evangelos P. Markatos,et al.  : A DOMAIN-SPECIFIC STRING MATCHING ALGORITHM FOR INTRUSION DETECTION , 2003 .

[23]  Donald F. Towsley,et al.  Worm propagation modeling and analysis under dynamic quarantine defense , 2003, WORM '03.

[24]  Vern Paxson,et al.  Proceedings of the 13th USENIX Security Symposium , 2022 .

[25]  Andrei Broder,et al.  Network Applications of Bloom Filters: A Survey , 2004, Internet Math..

[26]  Ming-Yang Kao,et al.  Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[27]  Haoyu Song,et al.  Multi-pattern signature matching for hardware network intrusion detection systems , 2005, GLOBECOM '05. IEEE Global Telecommunications Conference, 2005..

[28]  John W. Lockwood,et al.  Fast and scalable pattern matching for content filtering , 2005, 2005 Symposium on Architectures for Networking and Communications Systems (ANCS).