Traffic Analysis : From Stateful Firewall to Network Intrusion Detection System

Computer networks are already an indispensable part of modern life. To keep a network running smoothly we need to know its condition, and that calls for analyzing the traffic (packets) on the network. In this paper we investigate the traffic analysis techniques needed in a stateful firewall and in a network intrusion detection system (NIDS). A stateful firewall analyzes packets only up to their layer 4 (transport) headers, while a NIDS analyzes the whole packet, including the application payload. The key techniques behind stateful firewalls and NIDS are flow state management and string matching. This paper investigates the design of flow state management and several major string matching algorithms, and also suggests some improvements to TCP state management and TCP flow normalization.
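The two techniques named above, flow state management and multi-pattern string matching, fit together in a short pipeline. The following is an added example written for this page, not code from the paper: it keeps per-flow TCP state keyed on the 5-tuple (the stateful firewall part), admits payload to inspection only once a flow has completed the three-way handshake, and scans that payload with an Aho-Corasick automaton (the NIDS part). The Packet structure, the reduced state machine, the signature set and the packets fed through it are all constructed for illustration; TCP flow normalization (segment reassembly, overlap resolution) is not attempted here.

```python
"""Minimal stateful-firewall + NIDS pipeline on constructed packets.

Added example, not code from the paper.  Packet layout, the reduced TCP
state machine and the signature set are assumptions for illustration.
Flow state is keyed on a direction-independent 5-tuple; the payload of
ESTABLISHED flows is scanned with an Aho-Corasick multi-pattern matcher.
"""
from collections import deque
from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


class AhoCorasick:
    """Classic Aho-Corasick automaton over bytes (goto / fail / output tables)."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for pat in patterns:                            # 1. build the trie
            node = 0
            for ch in pat:
                if ch not in self.goto[node]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
            self.out[node].append(pat)
        queue = deque(self.goto[0].values())           # depth-1 nodes fail to root
        while queue:                                    # 2. BFS fills failure links
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # a suffix that is itself a pattern must also be reported
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return (offset, pattern) for every occurrence, overlaps included; one pass."""
        hits, node = [], 0
        for i, ch in enumerate(data):
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            for pat in self.out[node]:
                hits.append((i - len(pat) + 1, pat))
        return hits


def flow_key(p):
    """Direction-independent key so both halves of a connection share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


class StatefulInspector:
    """Reduced TCP state machine (stateful firewall) plus payload matching (NIDS)."""

    def __init__(self, signatures):
        self.flows = {}                    # flow_key -> [state, initiator endpoint]
        self.matcher = AhoCorasick(signatures)

    def process(self, p):
        """Return (verdict, flow state after the packet, list of alerts)."""
        key, src, alerts = flow_key(p), (p.src, p.sport), []
        entry = self.flows.get(key)
        if entry is None:                  # only a bare SYN may create state
            if p.flags & SYN and not p.flags & ACK:
                self.flows[key] = ["SYN_SENT", src]
                return "ALLOW", "SYN_SENT", alerts
            return "DROP", "NONE", alerts  # stray packet with no flow
        state, initiator = entry
        if p.flags & RST:                  # abort tears the flow down
            del self.flows[key]
            return "ALLOW", "CLOSED", alerts
        if state == "SYN_SENT" and src != initiator and p.flags & SYN and p.flags & ACK:
            entry[0] = "SYN_RECV"
        elif state == "SYN_RECV" and src == initiator and p.flags & ACK and not p.flags & SYN:
            entry[0] = "ESTABLISHED"
        elif state == "ESTABLISHED":       # only here is payload worth inspecting
            for off, pat in self.matcher.search(p.payload):
                alerts.append((p.src, p.dst, off, pat))
            if p.flags & FIN:
                entry[0] = "CLOSING"
        elif state == "CLOSING":           # second FIN closes; ACKs pass
            if p.flags & FIN:
                del self.flows[key]
                return "ALLOW", "CLOSED", alerts
        else:
            return "DROP", state, alerts   # out-of-state packet (retransmits included)
        return "ALLOW", entry[0], alerts


def demo():
    """Constructed traffic: a handshake, a request carrying a signature, a stray packet."""
    insp = StatefulInspector([b"/etc/passwd", b"cmd.exe", b"passwd"])
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    pkts = [
        Packet(*c, *s, SYN),
        Packet(*s, *c, SYN | ACK),
        Packet(*c, *s, ACK),
        Packet(*c, *s, ACK, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
        Packet("198.51.100.7", 1234, *s, ACK, b"cmd.exe"),  # no handshake: dropped, never scanned
    ]
    return [insp.process(p) for p in pkts]


if __name__ == "__main__":
    for verdict, state, alerts in demo():
        print(verdict, state, alerts)
```

Two points the run makes visible: the stray packet in the last slot carries a signature but is dropped before the matcher ever sees it, because the firewall half has no state for it; and the automaton reports both `/etc/passwd` and its suffix `passwd` in one pass over the request, which is why Aho-Corasick rather than repeated single-pattern searches is the natural fit for a signature set.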
