Slide1
Normalizer
Get rid of the ambiguities in the traffic stream
Slide2
NIDS: network intrusion detection system
Attackers can exploit the ambiguities in the traffic stream to evade the monitoring of the NIDS.
There are three major defects of the NIDS that allow them to do that:
(1) Lack of complete analysis for the full range of behavior allowed by a particular protocol.
For example, an attacker can evade a NIDS that fails to reassemble IP fragments by intentionally transmitting the attack traffic in fragments, because the NIDS does not know that the end-system will reassemble the fragments and probably get infected.
Slide3
(2) Lack of detailed knowledge of the end-system protocol implementation.
The same packets may trigger different actions in different systems. In some systems they may cause trouble, but the NIDS doesn't know much about the end-system.
(How about implementing the most strict detection rule?)
(3) Lack of detailed knowledge of the topology between the NIDS and the end-system.
The NIDS is not sure whether some packets will be received or not.
Slide4
This kind of uncertainty is not good.
In conclusion, the NIDS doesn't know the end-system it serves very well. That's where the ambiguities come from.
(Maybe we can customize the NIDS)
Slide5
Normalizer: It gets rid of the ambiguities, making sure that no matter which end-system the NIDS serves, the traffic will be interpreted and handled in the same way.
Unlike a firewall, the normalizer doesn't block malicious traffic. It just translates it into a normal form and makes sure it won't evade the NIDS's detection.
Slide6
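The fragment evasion from slide 3 and the normalizer's job from slide 5, as an added example that is not part of the original presentation or of the Norm implementation it describes. The model is a simplification: fragment offsets are in bytes rather than IP's 8-byte units, the two end-system overlap policies ("first arrival wins" versus "last arrival wins") and the normalizer's own first-arrival-wins trimming rule are assumptions chosen for illustration, and the sample fragments are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """Constructed, simplified IP fragment: only what reassembly needs.
    Offsets are in bytes here; real IP offsets are in 8-byte units."""
    offset: int
    payload: bytes
    more: bool  # More-Fragments flag: False only on the final fragment


def _total_length(frags: List[Fragment]) -> int:
    finals = [f for f in frags if not f.more]
    if len(finals) != 1:
        raise ValueError("need exactly one final fragment")
    return finals[0].offset + len(finals[0].payload)


def reassemble(frags: List[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble the way an end-system might.

    policy='first': bytes of the fragment that arrived first are kept.
    policy='last':  later fragments overwrite earlier ones.
    Real stacks differ in exactly this kind of choice; a NIDS that does not
    know which stack it protects cannot tell which result the host will see.
    Returns None when the datagram is incomplete or malformed.
    """
    total = _total_length(frags)
    buf = bytearray(total)
    filled = [False] * total
    for f in frags:
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos >= total:
                return None  # data past the final fragment: malformed
            if filled[pos] and policy == "first":
                continue
            buf[pos] = b
            filled[pos] = True
    return bytes(buf) if all(filled) else None


def is_ambiguous(frags: List[Fragment]) -> bool:
    """True when the two plausible end-system policies disagree."""
    return reassemble(frags, "first") != reassemble(frags, "last")


def normalize(frags: List[Fragment]) -> Tuple[List[Fragment], bool]:
    """Normalizer step: emit a fragment set with no overlapping bytes.

    Fragments are walked in arrival order and any byte already covered by an
    earlier fragment is trimmed from later ones (assumed first-arrival-wins
    rule). Bytes beyond the final fragment are dropped. Afterwards every
    end-system, whatever its overlap policy, reassembles the same datagram.
    The returned flag is True if an overlap carried conflicting content,
    which is the event a defender wants logged.
    """
    total = _total_length(frags)
    covered: Dict[int, int] = {}
    out: List[Fragment] = []
    conflict = False
    for f in frags:
        runs: List[Tuple[int, bytearray]] = []  # maximal uncovered byte runs
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos >= total:
                continue
            if pos in covered:
                if covered[pos] != b:
                    conflict = True
                continue
            covered[pos] = b
            if runs and runs[-1][0] + len(runs[-1][1]) == pos:
                runs[-1][1].append(b)
            else:
                runs.append((pos, bytearray([b])))
        for start, data in runs:
            out.append(Fragment(start, bytes(data), start + len(data) != total))
    return out, conflict


# Constructed sample: an overlapping fragment makes a "first wins" host and a
# "last wins" host see different request lines.
SAMPLE = [
    Fragment(0, b"GET /ind", True),
    Fragment(4, b"ATTACKER", True),   # overlaps bytes 4..11
    Fragment(8, b"ex.html\n", False),
]

if __name__ == "__main__":
    print("first-wins host :", reassemble(SAMPLE, "first"))
    print("last-wins host  :", reassemble(SAMPLE, "last"))
    normalized, conflict = normalize(SAMPLE)
    print("conflict seen   :", conflict)
    print("after normalizer:", reassemble(normalized, "first"),
          reassemble(normalized, "last"))
```

Before normalization the two host policies disagree on the sample, so a NIDS watching the raw fragments cannot know which byte string the host will act on; after normalization both policies yield the same datagram, which is the property the slide describes. Trimming rather than dropping keeps the traffic flowing, consistent with the point that a normalizer is not a firewall.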
What we should be concerned about when designing the normalizer:
The normalizer should not decompose the traffic to a level that is too basic; otherwise it will hamper the performance of the NIDS and the end-system.
Limited capacity to hold state will make the system vulnerable to attacks that try to overwhelm the normalizer's ability to cope with state.
Slide7
Some problems the normalizer will face in the real world:
Cold start: the normalizer lacks knowledge of already established connections. A patient attacker will wait until the normalizer shuts down, then do the dirty job and remain unnoticed after the normalizer restarts.
The normalizer could be attacked by a stateholding attack. A memory monitoring mechanism should be introduced to monitor the state that needs to be held and to dynamically adjust the state-holding capacity.
Slide8
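The stateholding problem on slide 7, as an added example that is not part of the original presentation and does not reproduce Norm's own memory management. It assumes a fragment-reassembly table with a fixed byte budget and least-recently-active eviction (both design choices made for this illustration), assumes fragments are non-overlapping (already normalized) so a datagram is complete when its held bytes equal its length, and the flood scenario is constructed.

```python
from collections import OrderedDict
from typing import Optional, Tuple

Key = Tuple[str, str, int]  # (src, dst, IP identification) names a datagram in flight


class FragmentStateTable:
    """Bounded reassembly state with a byte budget (assumed design, not Norm's).

    Every incomplete datagram costs memory until its last fragment arrives.
    Sending one fragment of many different datagrams and never completing
    them is a stateholding attack. The table accounts for every held byte
    and, once the budget is exceeded, evicts the datagrams that have been
    idle longest, so memory stays bounded however many half-datagrams arrive.
    """

    def __init__(self, byte_budget: int) -> None:
        self.byte_budget = byte_budget
        self.bytes_held = 0
        self.evicted = 0
        # key -> {"frags": [(offset, payload)], "held": int, "total": int|None};
        # the OrderedDict keeps the least-recently-touched entry at the front
        self._table = OrderedDict()

    def add(self, key: Key, offset: int, payload: bytes, last: bool) -> Optional[bytes]:
        """Record a fragment; return the datagram if this one completed it."""
        entry = self._table.get(key)
        if entry is None:
            entry = {"frags": [], "held": 0, "total": None}
            self._table[key] = entry
        self._table.move_to_end(key)  # mark as recently active
        entry["frags"].append((offset, payload))
        entry["held"] += len(payload)
        self.bytes_held += len(payload)
        if last:
            entry["total"] = offset + len(payload)
        if entry["total"] is not None and entry["held"] == entry["total"]:
            self._release(key)  # complete: its memory is returned immediately
            return b"".join(p for _, p in sorted(entry["frags"]))
        self._enforce_budget()
        return None

    def _release(self, key: Key) -> None:
        entry = self._table.pop(key)
        self.bytes_held -= entry["held"]

    def _enforce_budget(self) -> None:
        # Evict least-recently-active datagrams until back under budget.
        while self.bytes_held > self.byte_budget and self._table:
            oldest_key = next(iter(self._table))
            self._release(oldest_key)
            self.evicted += 1

    def pending(self) -> int:
        return len(self._table)


def simulate_stateholding(table: FragmentStateTable, n_attack: int) -> Tuple[int, Optional[bytes]]:
    """Constructed scenario: n_attack datagrams that are never completed,
    followed by one legitimate two-fragment datagram. Returns the peak
    bytes held during the flood and the legitimate datagram's result."""
    for i in range(n_attack):
        table.add(("10.0.0.99", "10.0.0.1", i), 0, b"A" * 8, last=False)
    peak = table.bytes_held
    key = ("10.0.0.5", "10.0.0.1", 4242)
    table.add(key, 0, b"GET /ind", last=False)
    done = table.add(key, 8, b"ex.html\n", last=True)
    return peak, done


if __name__ == "__main__":
    t = FragmentStateTable(byte_budget=64)
    peak, done = simulate_stateholding(t, n_attack=20)
    print("peak bytes held:", peak, "evicted:", t.evicted, "pending:", t.pending())
    print("legitimate datagram still reassembled:", done)
```

The accounting is the part worth copying: every byte entering the table is counted, every path out of the table returns its bytes, and the eviction loop is the only place the budget is enforced, so the "memory monitoring mechanism" the slide calls for has a single place to report from. The price is that a slow legitimate datagram can be evicted during a flood, which is why the slide frames capacity as something to adjust dynamically rather than a fixed number.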
CPU overload attack
The systematic approach the normalizer adopts is walking through the packet headers of each protocol that is taken into consideration.
Slide9
Norm has been implemented.
Some methods are used to evaluate its performance. Reading from a libpcap trace file factors out the cost of getting packets to the normalizer, and three kinds of trace file are used to ensure the completeness and fairness of the evaluation.
The results suggested that the normalizer implemented as a Click module could forward normal traffic at line speed on a bidirectional 100Mb/s link.
Link flooding will not cause denial-of-service on the norm system.
Slide10
But the norm system is vulnerable to out-of-order small fragments, which will cause the normalizer to perform triage on the attack traffic.