Attacks in cyberspace are becoming more diverse and complex. Many attackers split the payload of a TCP session across a set of IP packets. Traditional attack detection methods based on feature (signature) matching analyze only one IP packet at a time and cannot analyze a sequence of packets as a whole. Consequently, they cannot effectively detect an attack payload that has been split across multiple packets. It is therefore necessary to reassemble packets at the application layer and restore the payload that is distributed over multiple packets, so that the complete attack payload can be analyzed flexibly. In this work, we propose a method for reassembling the bidirectional data flow of a TCP session based on a finite state machine (FSM). We also evaluate the performance of our method on the Spark platform. Simulation results show that our method achieves high accuracy and scales well.
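The reassembly the abstract describes, as an added illustration that is not the paper's code and does not reproduce its FSM: a minimal Python tracker keyed on the normalized pair of endpoints walks each TCP session through CLOSED, SYN_SENT, SYN_RECEIVED, ESTABLISHED and CLOSING, and rebuilds each direction's byte stream in sequence order, holding out-of-order segments until the gap before them is filled and discarding bytes that a retransmission repeats. The `Packet` type, endpoints, marker string and segment split are all constructed for the example. `demo()` matches the marker once per packet and once over the reassembled stream, which shows why single-packet matching misses a payload that straddles segments.

```python
from dataclasses import dataclass, field

SYN, ACK, FIN = 0x02, 0x10, 0x01


@dataclass
class Packet:  # minimal view of one IP/TCP packet (hypothetical type for this example)
    src: tuple
    dst: tuple
    flags: int
    seq: int
    payload: bytes = b""


@dataclass
class Direction:
    """One half of a session: the byte stream from one endpoint to the other."""
    next_seq: int = 0                                   # next in-order sequence number expected
    pending: dict = field(default_factory=dict)         # out-of-order segments keyed by seq
    data: bytearray = field(default_factory=bytearray)  # reassembled payload

    def feed(self, seq, payload):
        if payload:
            self.pending[seq] = payload
        # Drain every held segment that is now contiguous with (or overlaps) the stream.
        # Bytes already accepted are dropped, so a retransmission cannot rewrite them.
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                return
            start = min(ready)
            seg = self.pending.pop(start)
            overlap = self.next_seq - start
            if overlap < len(seg):
                self.data += seg[overlap:]
                self.next_seq += len(seg) - overlap


class Session:
    """Tracks one TCP connection through a small FSM and keeps both byte streams."""

    def __init__(self, client, server):
        self.client, self.server = client, server
        self.state = "CLOSED"
        self.c2s, self.s2c = Direction(), Direction()
        self.fin_seen = set()

    def handle(self, pkt):
        from_client = pkt.src == self.client
        stream = self.c2s if from_client else self.s2c
        syn, ack, fin = pkt.flags & SYN, pkt.flags & ACK, pkt.flags & FIN
        if self.state == "CLOSED" and from_client and syn and not ack:
            stream.next_seq = pkt.seq + 1      # a SYN consumes one sequence number
            self.state = "SYN_SENT"
        elif self.state == "SYN_SENT" and not from_client and syn and ack:
            stream.next_seq = pkt.seq + 1
            self.state = "SYN_RECEIVED"
        elif self.state == "SYN_RECEIVED" and from_client and ack and not syn:
            self.state = "ESTABLISHED"
            stream.feed(pkt.seq, pkt.payload)
        elif self.state in ("ESTABLISHED", "CLOSING"):
            stream.feed(pkt.seq, pkt.payload)
            if fin:
                self.fin_seen.add(pkt.src)
                self.state = "CLOSED" if len(self.fin_seen) == 2 else "CLOSING"
        # Anything else (data before the handshake, stray packets) is ignored.


def session_key(pkt):
    return tuple(sorted([pkt.src, pkt.dst]))  # same key for both directions


def reassemble(packets):
    sessions = {}
    for pkt in packets:
        key = session_key(pkt)
        if key not in sessions:
            if not (pkt.flags & SYN and not pkt.flags & ACK):
                continue                       # mid-stream packet with no handshake seen: skip
            sessions[key] = Session(client=pkt.src, server=pkt.dst)
        sessions[key].handle(pkt)
    return sessions


# Constructed sample: a request whose marker string is split across three segments,
# delivered out of order and with one retransmission. Endpoints and marker are made up.
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 80)
MARKER = b"MARKER-XYZ"
SEG_A, SEG_B, SEG_C = b"GET /index.html?q=MARK", b"ER-XYZ HTTP/1.1\r\n", b"Host: example.test\r\n\r\n"
SEQ_A = 1001
SEQ_B, SEQ_C = SEQ_A + len(SEG_A), SEQ_A + len(SEG_A) + len(SEG_B)
REPLY = b"HTTP/1.1 200 OK\r\n\r\n"
SAMPLE_PACKETS = [
    Packet(CLIENT, SERVER, SYN, 1000),
    Packet(SERVER, CLIENT, SYN | ACK, 5000),
    Packet(CLIENT, SERVER, ACK, 1001),
    Packet(CLIENT, SERVER, ACK, SEQ_A, SEG_A),
    Packet(CLIENT, SERVER, ACK, SEQ_C, SEG_C),           # arrives before SEG_B
    Packet(CLIENT, SERVER, ACK, SEQ_A, SEG_A),           # retransmission of SEG_A
    Packet(CLIENT, SERVER, ACK, SEQ_B, SEG_B),
    Packet(SERVER, CLIENT, ACK, 5001, REPLY),
    Packet(CLIENT, SERVER, ACK | FIN, SEQ_C + len(SEG_C)),
    Packet(SERVER, CLIENT, ACK | FIN, 5001 + len(REPLY)),
]


def demo(packets=SAMPLE_PACKETS, sig=MARKER):
    """Return (client stream, server stream, final state, per-packet hits, stream hits)."""
    sessions = reassemble(packets)
    s = sessions[session_key(packets[0])]
    per_packet = sum(1 for p in packets if sig in p.payload)
    per_stream = sum(1 for d in (s.c2s, s.s2c) if sig in bytes(d.data))
    return bytes(s.c2s.data), bytes(s.s2c.data), s.state, per_packet, per_stream
```

On the sample traffic `demo()` reports zero per-packet hits and one hit over the reassembled client stream, with the session ending in CLOSED after both FINs. The overlap rule here (first copy wins) is one policy among several; real TCP stacks resolve overlapping segments differently, so a production reassembler should either mirror the policy of the hosts it protects or flag ambiguous overlaps rather than silently picking one.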