Detecting Evasion Attacks at High Speeds without Reassembly

George Varghese, Cisco Systems, UCSD
J. Andrew Fingerhut, Cisco Systems
Flavio Bonomi, Cisco Systems

ABSTRACT

Ptacek and Newsham [14] showed how to evade signature detection at Intrusion Prevention Systems (IPS) using TCP and IP Fragmentation. These attacks are implemented in tools like FragRoute, and are institutionalized in IPS product tests. The classic defense is for the IPS to reassemble TCP and IP packets, and to consistently normalize the output stream. Current IPS standards require keeping state

potentially increase the costs of memory and processing by an order of magnitude beyond that required by reassembly.

1.2 Intrusion Prevention Systems

In a perfect world, where all end nodes detect and prevent attacks, Intrusion Detection Systems (IDS) would be useless. Unfortunately, network administrators cannot rely on end node software (often controlled by a different organization) being up to date in terms of Anti-Virus updates and patches. Thus, just as in the case of firewalls, the use of an IDS is a popular retrofit strategy. Almost every major organization runs an IDS of some sort, and many organizations, motivated by the threat of internal attacks, deploy an IDS in several parts of the internal network. Thus, the IDS market is a billion dollar market, and continues to grow.

We will focus in this paper on signature based IDS. Such an IDS consists of a database of rules. Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action. In classical IDS systems such as the open source tool Snort [15] the associated action is usually an alert to the administrator. Signature based IDS are very popular and are supported by every major IDS vendor.

The bane of most IDS users is the potentially large number of false positives in alerts. By the time an IDS can raise an alert and a human administrator respond, a fast-moving attack (such as a worm or a DDOS attack) can have done considerable damage. Thus in recent years, the IDS market has morphed into the so-called IPS (Intrusion Prevention System) market. Somewhat cavalierly, an IPS can be described as an IDS where a subset of rules (which the IDS implementers are confident can cause almost no false positives) are enabled with the corresponding action to drop any packet that matches this rule. An IPS must be inline to drop packets, while an IDS can simply tap the data to generate alerts.

Both IDS and IPS systems are required to reassemble TCP flows and IP fragments. This ensures that a content string in a rule that is fragmented across packets can be detected. IPS systems are further required to normalize [8, 13] TCP flows. Roughly speaking, normalization seeks to normalize the data sent in a flow to avoid inconsistencies that can be exploited by an attacker. As the market for IDS and IPS systems has matured, there are now well-established tests that check for conformance. For example, the NSS report [11] tests vendors for resilience to evasion attacks by running fragroute [17], and whisker/nikto [10]. All the major vendors appear to have demonstrated [11] their ability to detect evasion attempts.

As the speed of enterprise networks moves from 1 Gbps to 10 Gbps, IPS devices have been attempting to scale up in speed as well. In terms of speed, some vendors are already deploying IPS systems at 8 Gbps. Further, as a reaction to the number of ad hoc network devices (e.g., load balancers, content accelerators, and routers) in networks, there is an increasing trend towards consolidating devices within a single enterprise switch. As many switches have 10 Gbps and even 20 Gbps ports, it is desirable to scale a single IDS chip or device to 20 Gbps.

What are the main bottlenecks for an IPS? One major bottleneck is scanning a stream of bytes for a content string or even a regular expression. Searching for content strings is fairly well understood [5]. In recent years, many IPS devices have allowed the specification of regular expressions for content strings but hardware algorithms for even these are well understood [5]. However, a second major bottleneck is the effort required to reassemble TCP flows and to normalize them if needed. Many IPS vendors advertise support for up to 1 million concurrent TCP flows; the number of flows may seem surprisingly large for an enterprise. However, recall that in a security context, a TCP flow cannot be timed out quickly in case a fragment of the attack is sent much later. It is this second bottleneck, and especially in the context of a packaged IPS/router, that we focus on in this paper.

1.3 Paper Outline and Contributions

The rest of this paper is organized as follows. Section 2 contains an implementation model for a packaged IPS in a router or switch, and describes the main assumptions as well as measures. Section 3 provides a brief overview of the possible evasions made possible by fragmentation. Section 4 begins the solution description by first dealing with two complicating issues: overlapping TCP segments and IP fragmentation. Then Section 5 describes the Split-Detect solution that is scalable and yet able to detect damage caused by out-of-order fragments and chaff. Section 6 contains a proof that Split-Detect is correct; a proof is needed as several of our initial attempts had flaws. Section 7 describes a trace-driven analysis of the performance improvement resulting from Split-Detect. Section 8 suggests clean slate approaches to the problem of simplifying IPS devices based on the lessons learned in this paper. Finally, Section 9 states conclusions.

Contributions: The main contribution of this paper is critically examining the need for reassembly and normalization. As part of this examination, we propose an alternative (Split-Detect) to full reassembly and data normalization for all flows passing through an IPS by efficiently identifying a small subset of traffic in the fast path that requires normalization/reassembly. Note that Split-Detect only avoids reassembly and normalization in the fast path

Unfortunately, Split-Detect requires three assumptions: a small modification to TCP receivers to check for inconsistent retransmissions, a change in the definition of signature detection to allow the start and end of a signature to be missed, and a restriction to exact signatures or regular expressions with a fixed exact length. The first assumption seems to be fundamental, the second can be removed by an implementation or protocol change, and the third assumption may be relaxed by future work. Given the difficulties with these assumptions, the main contribution of this paper is exposing the assumptions that need to be changed to avoid reassembly and normalization in the fast path. We hope that our initial study will stimulate further work.

A second contribution is the formalization of several concepts (such as critical packets and possible reassembly) that seem fundamental to the theoretical modeling of evasion attacks.

2. MODEL

Between what matters and what seems to matter, how should the world we know judge wisely? E. C. Bentley, Trent's Last Case

We capture with a model the salient aspects and parameters for IPS implementations. Figure 1 shows a model of a classical IDS/IPS implemented at speeds greater than 5 Gbps.

Figure 1: A model of a standard IPS integrated into a switch (flow state, packets)

Figure 2: New model of an IPS with a fast path and a slow path (slow path: large memory, full reassembly; diverted rate cB bits/s)

Packets are inspected by some set of chips, often ASICs. Many products use two or three such chips. The TCP and IP flow state is stored in a large state table with memory for connections (often required to be at least 1 million) with bits per connection. Even if all the packets in a connection are in-order the minimum state for a connection is at least the TCP 5-tuple and the sequence number, which is at least 128 bits. Typical implementations especially for IPS devices probably keep at least 10 times this much state, given that full data normalization [8] appears to require keeping an RTT's worth of TCP stream data. Thus the overall memory required for the flow table is at least 128 Mbits, and more likely to be closer to 1280 Mbits, which is sufficiently large to require external DRAM. In practice, several DRAM chips are required. The net result is that the IPS implementation, counting processing chips and external memory, requires several chips and supporting processors, which makes it expensive and hard to package cheaply into every line card.

A natural alternate IPS model is shown in Figure 2. The idea is that the IPS complex in Figure 1 is replaced by a simpler (and potentially single) IPS chip that handles the common case, but also detects exceptions by keeping track of a much smaller number of connections. When an exception is detected, the remainder of the TCP flow is diverted to a second processor that handles the exception case using the full connection state, reassembly, and normalization. However, the idea is that the slow path processor only handles the exception flows.

One particularly attractive packaging of this model is to place the fast path IPS chip in every line card of a switch, and to keep the slow path processor(s) in a separate card shared by all other line cards of the switch. For this packaging to make sense, the amount of memory required by the fast path processor should ideally be sufficiently small to fit into on-chip memory or a small CAM, making the per line-card cost very small.
At the same time, the amount of traffic diverted to the slow path must be sufficiently small to allow the slow path processor to be shared by several fast path processors. Thus referring to Figure 1 and Figure 2, two relevant performance measures of the leverage of the new model (Figure 2) versus the classical model (Figure 1) are:

Speedup: Speedup can be defined as B/D. In other words, this is the reciprocal of the fraction of bytes diverted to the slow path processor. A potential target is a speedup of 10 for B = 20 Gbps (and hence D = 2 Gbps). This allows either a cheap slow path processor or the sharing of the slow path processor across 10 line cards.

Memory Compression: Memory compression is the ratio of the connection memory required by the classical IPS to the memory required by the fast path processor in the new model (Figure 2). From the figure, this is the classical connection memory divided by the fast path memory. A potential target is a memory compression of 25 to yield a fast path memory of roughly 5 Mbits (128 Mbits / 25, which should fit into on-chip memory) assuming 1 million connections and 128 bits per connection.

3. THE GENTLE ART OF EVASION

Know thyself, Know thy Enemy. Sun Tzu, circa 500 BC

In this section we briefly review some of the power available to an attacker using fragmentation. The power arises from the combination of TCP and/or IP fragmentation with out-of-order, redundant, and overlapping segments. We illustrate these by the following example attacks. These examples are by no means a comprehensive list of attacks. In all the examples, the intruder is attempting to send a string "ATTACK" that is passed by the IPS but is received by the receiver. In this section, we restrict ourselves to TCP fragments.

3.1 The Case of the Misordered Fragments

In this warm-up example, the intruder breaks the string "ATTACK" into two fragments "ATT" and "ACK". The attacker then sends the content string "ACK" in the first segment to physically pass the IPS (time flows from left to right in all examples) with TCP sequence number 13. Later, the first part of the attack string "ATT" is sent in a second TCP packet with sequence number 10. Although these fragments pass the IPS out-of-order (and potentially with a long time between fragments), the receiver to which these packets are destined will reassemble the string correctly by first placing the string "ATT" (because it has start byte sequence number 10) and then attaching the string "ACK" (because it has start byte sequence number 13). The top row of Figure 3 shows this attack pictorially. Clearly, an IPS that does reassembly can catch this case because it duplicates receiver reassembly before checking for strings such as "ATTACK" in the reassembled byte stream.

Figure 3: Pictorial representation of 3 powerful evasion techniques
  The case of the misordered fragments: SEQ = 13, DATA = "ACK"; SEQ = 10, DATA = "ATT"
  The case of the interspersed chaff: SEQ = 10, TTL = 10, "ATT"; SEQ = 11, TTL = 1, "JNK"; ...; SEQ = 13, "ACK"
  The case of the overlapping segments: SEQ = 10, "ATTJNK"; SEQ = 13, "ACK"

3.2 The Case of the Interspersed Chaff

In this example, the attacker breaks the string into two fragments "ATT" and "ACK" as before but now adds some "noise" or chaff to the attack to confuse the IPS without damaging correct reassembly at the receiver. There are many ways to do this; one technique is to send the good packets with a large enough TTL (Time to Live) to reach the receiver, while sending the chaff with a small TTL that causes it to be dropped before reaching the receiver. In the example in the second row of Figure 3, the fragments "ATT" and "ACK" are sent with a large TTL of 10, while the interspersed chaff "JNK" is sent with a TTL of 1. Assuming that the IPS has no knowledge of network topology, the IPS cannot tell which fragments will make it to the receiver. Thus the IPS does not know whether the receiver will receive "ATTJNK" or "ATTACK".

It is easy to construct cases with pieces of overlapping chaff starting at several positions within the attack signature such that the number of possible reorderings is exponential in the number of positions. Since it is computationally hard for the IPS to compute exponential numbers of reorderings, a more elegant solution is data normalization [8]: the IPS picks a canonical reordering (in this example, say "ATTJNK"), realizes that it does not match a valid attack string, and so lets it pass without an alert. However, when the packet with the string "ACK" goes by the IPS, the IPS rewrites the string "ACK" to "JNK" to be consistent with data sent in the past. Once again, this example plausibly argues for the need to both reassemble and normalize.

3.3 The Case of the Overlapping Fragments

A more pernicious form of attack using overlapping sequence numbers is shown pictorially in the third row of Figure 3. The first TCP packet carries sequence number 10 and the string "ATTJNK". The second TCP packet carries the sequence number 13 and the string "ACK". One
convention at a receiver when faced with overlapping bytes is to deliver the most recently received bytes. With such a convention, the receiver will deliver the string "ATTACK" and the intruder will succeed. Clearly, normalization avoids this problem by either sending "ATTJNK" consistently or dropping data that reassembles to "ATTACK".

While overlapping fragments abstractly look similar to interspersed chaff and they have the same cure (normalization), they have a subtle difference. In the case of interspersed chaff, a packet is either completely chaff or completely good data. In the case of overlapping fragments, a packet can partially contain chaff and good data. In particular, after cutting a signature into pieces, any attack that only contains interspersed chaff will be forced to send small fragments, a behavior that can be detected. On the other hand, using overlapping fragments, the sender can send arbitrarily large packets while still (effectively) fragmenting the signature into pieces of size as small as 1 byte. For example, imagine a sequence of large packets whose sequence numbers increase by one from packet to packet (+1, +2, etc.), and where the new byte of the i-th packet is the i-th byte of the signature, and the rest of the data bytes are chaff. In summary, overlapping fragments are deadly because they allow signatures to be segmented virtually into as small pieces as desired without any accompanying physical manifestations in terms of small packet sizes.

4. CLEARING THE UNDERBRUSH

Before we move to our final solution, we simplify the problem by addressing two attack mechanisms: IP fragmentation and overlapping fragments.

4.1 IP Fragmentation

Clearly, many of the same attacks described in Section 3 can be duplicated with IP fragments with the IP fragment offset fields playing the part of TCP sequence numbers. Combinations of TCP and IP fragmentation in the same attack can complicate the mechanisms and proofs. For example, not every IP fragment of a TCP packet contains a TCP header. Because IP fragmentation is so rare in practice (a fraction of a percent in our traces and in previous reports [16]), we use a conservative solution: divert any IP fragments and any connection whose connection ID is in an IP fragment to the slow path.

4.2 Overlapping TCP Fragments

Detecting overlapping TCP fragments appears very hard without keeping state for every connection. While overlapping TCP fragments do result in out-of-order TCP segments, benign out-of-order segments occur because of route changes, load balancing, and retransmission (consider sending packets P1, P2, P3, and then resending P1). It appears hard to distinguish benign out-of-order packets from segments with overlapping sequence numbers without keeping a record of all past sequence numbers, which is no better than keeping TCP state for all connections.

It appears possible to prove that detecting overlapping sequence numbers requires a large amount of space using a reduction to the set disjointness problem, as pioneered in [2] and applied in [9] to show similar hardness results for a number of other security problems. (We are grateful to Yossi Mattias for this observation.) However, one must be cautious about such results. First, the hardness of the set disjointness problem is based on assumptions which may be relaxed in practice. Second, as pointed out in [9] the same phenomenon (overlapping TCP fragments) may have several manifestations (e.g., overlapping sequence numbers, overlapping content). Proving that one manifestation is hard to detect does not imply that scalable detection of some other manifestation is impossible. Despite these caveats, it does seem that detecting overlapping fragments is fundamentally hard.

Instead, we will rely on changes to end nodes to satisfy the following atomicity property. In the following we use "delivered" to mean "delivered to the application", not merely "the segment is delivered to the target host".

Weak Atomicity Property: None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered.

Note that this restriction cannot cause any difficulty to good sender stacks because the TCP protocol does not allow inconsistent data transmission. The implementation of the weak atomicity property is fairly easy. Maintain a buffer, the OverlapDetect buffer, of up to an MSS size worth of the bytes last delivered to the socket buffer. When a new packet becomes in-order and is a candidate for delivery, compare any overlapping bytes with the bytes in the overlap buffer. If there is inconsistency, do not deliver the segment and reset the connection. Note that this implementation takes more space (1 MSS) and more processing (byte-by-byte comparison in case of overlap) than a standard TCP implementation. However, it is very likely that most socket buffers will need storage for up to 10 MTUs or more. Thus the additional storage cost should be a small percentage of the existing storage cost. Also, the processing cost can be mainly a matter of writing to the circular overlap buffer and the actual byte-by-byte check is incurred only in the rare case of an overlapping segment.

Weak atomicity also appears to introduce a new Denial-of-Service attack wherein an attacker could inject inconsistent data and cause the connection to be reset. However, the alternative is to allow the attacker to inject arbitrary wrong data, which is worse. Note that SSH also resets a TCP connection on detecting a possible TCP injection attack. We argue that such an end node change is actually good because:

- It prevents bad behavior (delivered inconsistent data) from harming an end node.
- It does not require implementing a complete IPS (no signatures are required at end nodes in this proposal) or normalizer at the end node.
- It can easily be implemented.
- If deployed by Windows and Linux, then the two most common targets of attacks can be protected while allowing IPS systems to

In summary, we believe that an easily-implementable change in end nodes to implement an obvious consistency check (which should have been required in the past) can greatly improve the scalability of IPS systems. Further, it appears possible to prove [2] that without this change, IPS devices will have to keep memory for all connections in the fast path.

4.3 What Still Remains

It may appear that with the finessing of this section we have trivialized the problem and "defined the problem away". However, note that the attacker still has great power:

- The attacker can still break up an attack signature across several small TCP fragments. Compounding the difficulty is the fact that small TCP segments are common in innocent traffic.
- The attacker can still send out-of-order fragments. Compounding the difficulty is the fact that out-of-order traffic is common in real traffic because of retransmissions.
- The attacker can still send redundant packets/segments that never get to the receiver (e.g., chaff with low TTLs) in attack traffic, which is hard to detect at the IPS.
- The attacker can still use chaff to create an exponential number of possible reassemblies at the IPS and thus normalization at the IPS is still required.
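The following is an added illustration (written for this page, not the paper's code) of the receiver-side weak atomicity check from Section 4.2, placed beside the "most recently received bytes win" receiver convention from Section 3.3. It replays the constructed Figure 3 segment sequences through both receivers: the misordered fragments (Section 3.1) reassemble to "ATTACK" under either receiver, while the overlapping fragments (Section 3.3) reassemble to "ATTACK" only under the most-recent-wins convention; the OverlapDetect buffer sees that "ACK" at sequence number 13 contradicts the already delivered "JNK" and resets the connection. The MSS value and all segment values are assumptions made for the demo.

```python
"""Receiver-side weak atomicity (the OverlapDetect buffer of Section 4.2) beside the
'most recently received bytes win' receiver convention of Section 3.3.
Added illustration written for this page, not the paper's code. All segment values
below are constructed for the demo."""

MSS = 1460  # assumed maximum segment size; the OverlapDetect buffer holds at most this many bytes


def reassemble_most_recent_wins(isn, segments):
    """Receiver convention from Section 3.3: when bytes overlap, the most recently
    received bytes are delivered. Returns the contiguous stream starting at isn."""
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            stream[seq + i] = b  # later segments overwrite earlier bytes
    out = bytearray()
    pos = isn
    while pos in stream:
        out.append(stream[pos])
        pos += 1
    return bytes(out)


class WeakAtomicityReceiver:
    """TCP receiver enforcing the weak atomicity property: a segment whose bytes
    disagree with already delivered bytes (kept in the OverlapDetect buffer) is
    not delivered and the connection is reset."""

    def __init__(self, isn, mss=MSS):
        self.next_seq = isn             # next in-order sequence number expected
        self.mss = mss
        self.overlap_buf = bytearray()  # last <= mss bytes delivered to the socket buffer
        self.delivered = bytearray()    # everything handed to the application (demo only)
        self.pending = {}               # out-of-order segments waiting to become in-order
        self.reset = False

    def _consistent(self, seq, data):
        """Compare the bytes of this segment that fall inside the OverlapDetect window."""
        buf_start = self.next_seq - len(self.overlap_buf)
        lo = max(seq, buf_start)
        hi = min(seq + len(data), self.next_seq)
        return all(data[s - seq] == self.overlap_buf[s - buf_start] for s in range(lo, hi))

    def _accept(self, seq, data):
        """Deliver an in-order (or retransmitted) segment after the overlap check."""
        if not self._consistent(seq, data):
            self.reset = True             # inconsistent retransmission: drop it and reset
            return
        new = data[self.next_seq - seq:]  # bytes not delivered yet (empty for pure retransmits)
        self.delivered += new
        self.overlap_buf += new
        del self.overlap_buf[:-self.mss]  # keep only the most recent mss bytes
        self.next_seq += len(new)

    def receive(self, seq, data):
        if self.reset:
            return
        if seq > self.next_seq:           # hole before this segment: queue it
            self.pending[seq] = data
            return
        self._accept(seq, data)
        while not self.reset:             # queued segments may now be in order
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break
            s = min(ready)
            self._accept(s, self.pending.pop(s))


def deliver_with_weak_atomicity(isn, segments):
    """Returns the delivered stream, or None if the receiver reset the connection."""
    r = WeakAtomicityReceiver(isn)
    for seq, data in segments:
        r.receive(seq, data)
    return None if r.reset else bytes(r.delivered)


# Constructed segment sequences mirroring Figure 3: (sequence number, payload).
MISORDERED = [(13, b"ACK"), (10, b"ATT")]       # Section 3.1: out of order but consistent
OVERLAPPING = [(10, b"ATTJNK"), (13, b"ACK")]   # Section 3.3: second segment contradicts the first
RETRANSMIT = [(10, b"ATT"), (10, b"ATTACK")]    # benign retransmission carrying extra data

if __name__ == "__main__":
    for name, segs in [("misordered", MISORDERED), ("overlapping", OVERLAPPING)]:
        print(name, "most-recent-wins:", reassemble_most_recent_wins(10, segs),
              "weak atomicity:", deliver_with_weak_atomicity(10, segs))
```

Note that weak atomicity alone does not stop the misordered case: consistent out-of-order delivery is legitimate TCP behaviour, which is why the fast path still needs the small-packet and out-of-order predicates of Section 5. The benign RETRANSMIT sequence shows that a retransmission carrying the same bytes plus new data passes the check and is delivered normally.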
5.THESOLUTION:SPLIT-DETECTStrategywithouttacticsisliketheemptysoundbeforedefeat...„-SunTzuWedescribethebasicidea,andprovideaquickexampleofcuttingasignatureintopieces.Weproceedwithadetailedstatementofthestatevariables,andthefastandslowpathprocessingalgorithms.5.1BasicFrameworkWecallthealgorithmSplit-Detectbecauseourmajortac-ticistosplitasignatureintoequalpieces.Thedetectionofanypiecewillcausethelinecardtodiverttheconnectiontotheslowpath.Thefast-pathalgorithmconsistsof:Split:Breakasignatureintoequalpiecesandarmthefastpathtodetectanypiece.Divert:DivertaTCP”owtotheslowpathif„FastpathchipdetectsanypieceFastpathchipdetectssmallpacketorout-of-orderbehavior.increases,theIPShasmorepiecestodetectbutthespeedupincreasesbecauseasmalleramountoftracwillbediverted.Morepiecesdonotnecessarilymeantimesmorestorageinthefastpath.Forexample,DFAbasedstringmatcherssuchasAho-Corasick[1]requirespacelinearinthetotalnumberofbytesanddonotincreasesigni“cantlyintimeorstoragewiththenumberofpieces.However,ifthepiecesaretoosmall,therewillbefalsepositivesdetectedininnocenttrac.Wepick4bytesasthesmallestacceptablepiecesizebecausetheresultingextradiversioncausedbyfalsepositivesof4byterandomdataissucientlysmallforTCP”owsthatsendlessthan2bytes.Therandommodeloffalsepositivesisinsucient.Evenusingpiecesizesgreaterthan3,caremustbetakentoensurethatapieceisnotpartofacommonapplicationstring.Forexample,HELOŽisa4-bytestringusedintheSMTPhandshake;useofitasapiecewouldcauseeverySMTP CK S ATTA 
Figure4:ExampleofCuttingupaSignatureinto4piecesconnectiontobediverted.Notethatifasignatureislongenough,onecoulddiscardsomeinitialbytestochangethealignmentofpieces,sothatastringlikeHELOŽbyitselfdoesnotformacompletepiece.Similarly,forasignaturethatstartswithhttp...Ž,itisbesttodiscardthe“rstfewbytes.Generally,thelongerthepiecesize,thelesslikelyisitforthistobeaproblem.5.2ExampleofCuttingaSignatureintoPiecesFigure4showsanattacksignatureATTACKSIGNA-TUREŽbrokenupinto4piecesof4byteseach.Breakingupasignatureintopiecesandlookingforeachpieceindividuallyhasthefollowingintuitiveconsequences(wewillprovethemformallyinthenextsection):Ifapacketcontainsapiece,itwillbedetected.ThusallpiecesmustbesplittoevadeIfendnodeatomicity(Section4)isenforced,apacketcontainingasplitpiececannotcontainnon-signaturedatathatcon”ictswiththesignature,ortheentiresignaturewillnotbedelivered.Allbutthe“rstandlastsplitswillcreatesmallpack-etsŽwithpayloadsizePieceSize1,wherePieceSizeS/Kandisthesignaturelengthandthenum-berofpieces.Figure5showsthatanattackercancutthepieces(ofsize4bytesinthisexample)toevadedetectionintoseveralpiecesofsizeatmost6bytes(22).Theattackerspacketboundariesareshownusingdashedlines.Notethatthe“rstandlastpacketscanbelargebutthemiddlethreemustbeatmost6bytes.Noticethatthemiddle3piecesareconsecutiveinsequencenumberspace.Thisseemstoimplythatonecandetectsuchaneva-sionattemptbylookingforacertainnumberofconsecu-tivesmallpackets,wheresmallŽmeansthepacketpayloadsizeisstrictlysmallerthan2PieceSize1.Unfortunately,theattackerhasmorepowerusingout-of-orderpacketsandchaŽthatdoesnotreachthereceiver.5.3MotivatingtheAlgorithmClearly,lookingforsmallpacketsinsequencecannotsuf-“cebecausepacketscanbesentout-of-order.A“rstattemptatastatemachinetodetectevasionswouldbetolookfor CK S ATTA Piece 1Piece 2Piece 3Piece 4 Packet Boundaries excluding 
headers100103105Figure5:ExampleofSplittingeachpiece(packetboundariesareshownusingdashedlines)intopack-etssuchthatnocompletepieceisdetectedinapacketpassingthoughtheIPSeithersmallpacketsinorder,orout-of-ordersmallpacketsEventhisdoesnotsuce.Supposetheattackercutsupthesignatureintofragmentssuchthatnofragmentcontainsapiece.Theattackerdividesthefragmentsintooddandevenfragments.Theattackerthensendstheevenfragments(Frag0,Frag2,Frag4etc.)in-orderbyinterspersingtheevenfragmentswithappropriatelynumberedcha.Moreprecisely,theattackersendsFrag0,1,Frag2,2,Frag4,3,etc.),where3...arelargechapacketswithsmallTTLthatwillnotreachthereceiverbutwithstartingsequencenumbersthatmatchFrag1,Frag3,Frag5,etc.Oncetheattackerhassenttheevenfragments,hecangoaheadandsendtheoddfragmentsinthesameway.Thustherewillbeatmost2+1out-of-sequencetransition(oneaftereachchapacketandoneattheboundarybe-tweenevenandoddfragments)andtherewillneverbethecaseoftwoconsecutivesmallpackets.Notethaneveninthisexampletherearesmallpacketswhereisthenumberoffragmentstheattackerisforcedtocutthesignatureinto.Whilewecoulddetectthis,wewouldlikeastrongerpredi-catebecausetherearemanyinnocuousconnectionsthatwillsendanumberofsmallpacketsoverthelifetimeofthecon-nection.Theexampleaboveshowsthatsuchconnectionscannotbedistinguishedfromadeliberateattackasintheexample,becausethegapbetweenthesendingofthetrainofevenfragmentsandthetrainofoddfragmentscanbemadearbitrarilylongby“llingitinwithcha.Tocreateastrongerdiversionpredicate,examinetheex-amplemorecarefully,andnoticethatthesmallpacketsintheeventrainandintheoddtrainmustbespacedapartbythelengthofthesignature.Otherwise,theywillnotbeassembledtogetheratthereceivertobepartofacompletesignature.Tode“neanomalousbehaviorweintroducethefollowingterminology.Consecutivesmallpacketsaretwopacketsre-ceivedbytheIPSthataresmallandinbetweenthereceiptofwhichtheIPSdoesnotreceiveanyothersmallpackets.ThusiftheIPSreceived5inorderwherepackets4,and5aresmalland2and3arelarge,1and4areconsecutivesmallpackets,andsoare4and5.H
owever,1and5arenotconsecutivesmallpacketsbecauseofthepresenceof4inbetween. Thustodetectananomalousconnection,intuitivelywelookforanomalouseventsinaconnection,whereananomalouseventisde“nedaseither:Condition1,CloselySpacedSmallPackets:Con-dition1istriggerediftheIPSreceivestwoconsecu-tivesmallpacketswhosesequencenumbersdierbyatmostthesignaturelengthCondition2,Out-of-Order:Condition2istrig-gerediftheIPSreceivestwoconsecutivesmallpacketsbetweenwhichthereisatleastoneout-of-ordertran-sition(theout-of-orderpacketcouldbeanypacketinthemiddleofthetwouptoandincludingthesecondsmallpacket).Thusbetweentwoconsecutivesmallpackets,eitherthesequenceiscompletelyin-orderinwhichcaseonlyCondi-tion1canoccurorCondition2occurs.Theintentisthatinnocuousconnectionthatsendssmallpacketsthataresucientlyspacedapartwillnotbedivertedtotheslowpath.Similarly,aninnocuousconnectionthatsendsveryfewout-of-ordersmallpacketswillnotbediverted.5.4FastPathStateMachineThefastpathalgorithmcanbecompactlydescribedbyastatemachinethatcaneasilybeimplementedinhardware.TheIPSsystem“rstpicksthenumberofpieces.NotethatthepiecelengthPieceSizeSignatureLengthpacketisde“nedtobesmallifitspayloadsizeisintherangege,2·PieceSize2].NotethatACKswith0databytesarenotconsideredtobesmallpackets.WeusethetermTCP”owandconnectioninterchangeablyinwhatfollows.StateInstantiation:Thefastpathkeepsstatefora”owonlyafteritsendsits“rstsmallpacketStateVariables:WhentheIPSdecidestokeeptrackofa”ow,itkeepsthefollowingvariables(allindexedbytheTCPconnection5-tuple,usingsayaCAM),(NextExpectedSequenceNumber,32bits)(OutOfOrdersincelastsmallpacket,Boolean)length(Lengthinbytessincelastsmallpacket,7bitscansupportsignatures127bytesorshorter)count(countofanomalies,4bitscansupportvaluesofupto16,1strikesandthe”owisout)(LastUpdateTime,3bitscanstoreacoarsetimevaluesucientforagingoutoldunusedtableentries)Insummary,theIPSfastpathmaintainsa”owtableforeveryactiveTCP”owthathaseversentasmallpacket,whereeach”owentrycontainsasmallamountofstatelengthcount)foratotalof48bitsofst
ateper”owthatiskepttrackof(plus96bitsforIPv4sourceanddestinationaddress,andTCPsourceanddestinationport).ThisreducesmemorycomparedtostandardIPSim-plementationsthatneedtokeeptrackofallactive”ows(notonlytheonesthateversentasmallpacket)andappeartokeeptrackofaroundtriptimesworthofpacketdatafor Sincewearelookingformultiplesignatures,thisshouldreallybethemaximumlengthacrossallsignaturesbeingdetected.normalization.NotethatourslowpathisnoworseintermsofstateorprocessingthanatraditionalIPS.Thestatema-chineprocessingisasfollows:Toupdatecountcountisinitializedto1whenthe”owis“rstplacedinthe”owtable.countissubsequentlyincrementedonreceivingasmallpacketfora”owif:thepacketssequencenumberisnotequaltoistrue(i.e.,someout-of-ordersincelastsmallpacket),orlengthSignatureLengthNotethatcountisneverupdatedforlargepackets,andisneverincrementedpast1(i.e.itsticksŽatthatvalue).Toupdate,andlengthissettotrueifthecurrentpacketsequencenum-berisnotequaltoandthepacketislarge;resettofalseifthecurrentpacketissmall(thisre”ectstheintuitionthatisa”agthatdetectsout-of-orderreceptionbetweensmallpackets;henceitisresetwhenasmallpacketisreceived.)issetequalto,whereisthecurrentpacketsequencenumberandistheTCPpayloadlengthofthecurrentpacket,(issettore”ectthesequencenumberofthenextexpectedin-orderTCPsegmentinthis”ow.)lengthisincrementedbythepayloadlengthifthecur-rentpacketislargeandresettozeroifthecurrentpacketissmall(lengthmeasuresthelengthinbytesreceivedforthis”owsincethelastsmallpacketwasreceived.)Asaspecialcase,TCPpacketswithnodatacausenochangetoanyofcount,orlength.Allpackets,includingthosewithnodata,causetobeupdatedtothecurrenttime.Afterstateupdate,theentire”ow(includingthecurrentpacketcausingtheupdate)isdivertedtotheslowpathifeitherofthefollowingtwoconditionsaretrue:1.Thepacketisfoundtocontainapieceofsomesigna-ture(bysomestringmatchingalgorithm).Inthiscasethefastpathcansimplysetcount1inordertodivertthe”ow.2.Theanomalycountcountisequalto1(onelessthanthenumberofpieces)Ifthe”owisnotdiverted,thepacketisforward
ednor-mallybut,inaddition,acopyofthepacketissenttotheslowpathifandonlyifthepacketissmall(i.e.,payloadsizeisintherange[1PieceSize2]).Inotherwords,ifapacketcontainsplausibleevidence(i.e.,packetissmallorcontainsapiece),thenacopyofthepacketissenttotheslowpathforexamination.However,iftheanomalycountistoohighorapieceisdetected,theentire”owisdivertedtotheslowpath. 5.5SlowPathAlgorithmEverypacketsentfromthefastpathtotheslowpathissentwithadditionalinformationindicatingwhetheritisacopyofaforwardedpacket,orifthepackethasbeendi-vertedandthushasnotbeenforwardednormallybythefastpath.Whentheslowpathreceivesapacketmarkedasacopy,itstoresitinatableindexedbythepackets5-tuple.Thesepacketsmaybeneededinthefuturefordetectinganoccurrenceofanattacksignature,butdonotrequireanyotherimmediateaction.Iftheslowpathreceivesapacketfora”owthatismarkedasdiverted,thenitbecomesresponsiblefordecid-ingwhethertoforwardthepacketontothereceiver.Theslowpathtriestopastetogetherthefragmentsreceivedfor”ow;ifitgetsclosetoformingasignature(the“rstandlastpiecesmaybemissing)thenthepacketsofthe”owaredropped.Themoreprecisespeci“cationisasfollows.Forevery”ow(diverted”owsaswellas”owsforwhichitreceivescopies),theslowpathmaintainsasingleversionofthereassembledTCPstreamuptothispoint.Clearly,ifsegmentsoverlapandhaveinconsistentdata,onecancreateanexponentialnumberofpossiblereassemblies[8].Sincewewishnottoburdentheslowpath,weseta”agatthe“rstsignofinconsistentdataforthe”owanddropthelatersegmentthatisinconsistent.Notethatthisislikedatanormalization[8]exceptthatindatanormalization,thelatersegmentismodi“edtobeconsistentwithpreviousseg-ments.Ifdataisinconsistent,thenifthe”owisdiverted,wesimplydropallfurtherpacketsofthe”ow.ThisisaDraco-nianstance,butonewhichisconsistentwithend-nodeweakatomicityenforcement.Finally,ifa”owisdiverted,theslowpathlooksfortheconcatenationofpieces2through1(ofanysigna-tureinthedatabase)inthereassembledstream.IfsuchanearmatchŽisfound,furtherpacketsoftheTCP”owaredroppedandtheTCPconnectionisreset.Notethatwh
While looking for such a near match appears to worsen the false positive rate (because we are not looking for 2 out of  pieces), one can argue that if the signature is fragmented across packets, the probability of that happening on innocuous data is very low. However, a careful argument requires a model of how random data splits across packets. Overall, we do not feel that the false positive rate will increase at all in practice; even if it does, it can be combated by making the signature longer.

It is possible, but not strictly necessary, for the slow path to do standard data normalization after diversion. In either case, the state and processing requirements (per flow) of the slow path are similar to those of a standard IPS doing data normalization, but working only with a small number of diverted flows. We assume that header normalization (i.e., setting header values to canonical values to avoid information leakage or to prevent attacks) is done both in the fast path and in the slow path. Such header normalization is neither state nor computation intensive [8]. Finally, there are many other details, such as when state can be safely released, for which the extensive techniques in [8] can be used.

6. PROOF

In this section, we will establish correctness of the Split-Detect algorithm. More precisely, the combination of the fast path state machine and the slow path processing will never let a flow containing a signature be sent to a receiver, despite the use of evasion techniques by the sender. We assume that the receiver terminates any TCP flow that attempts to violate weak atomicity before delivery of inconsistent data. Assume the IPS splits the signature into  pieces, 1 through . We need preliminary definitions.

Definition 1: Consider an IPS that has received a sequence  of packets for a TCP flow. A reassembled flow for sequence  is a possible reassembly of sequence  (including cases where  is reordered or arbitrary subsets are dropped) at any end node enforcing atomicity.

Note that the sequence  is received at the IPS, but we consider the reassembly done at an end node enforcing atomicity. Thus even if the sequence contains chaff that may not reach the end node, we still apply the end node operation to the sequence. The definition of possible reassembled TCP streams provides a formal definition of an evasion. An evasion is a TCP connection in which some possible reassembly of the connection contains a forbidden string.

The next definition formalizes the notion that the slow path looks for a near miss of string .

Definition 2: For any string , we define the string Almost( ) to be the string containing Pieces 2 through  in sequence.

We now formalize the notion of the critical packet, the forwarding of which can cause the string  to be delivered to the end node, and the game to be lost. Since it is hard to guarantee that such a packet will be detected (it could be a large packet containing the last piece), we relax the definition to say that the critical packet is one that can cause Almost( ) to be delivered. Clearly, preventing Almost( ) will prevent  from being delivered. It is essential that the fast and slow path conspire together to drop the critical packet. Thus:

Definition 3: The critical packet for a TCP connection containing string  with respect to an IPS is the packet from the TCP connection received at the IPS such that Almost( ) is contained in some reassembled TCP stream for this connection up to and including this packet, but such that the string Almost( ) is not contained in any reassembled TCP stream not including this packet. The collaborators of a critical packet are any prior packets in the TCP connection that are used in some reassembled TCP stream containing Almost( ) up to and including the critical packet.

Observe that merely containing a byte of Almost( ) does not qualify a packet to be a collaborator; it must have sequence numbers for this byte that qualify the byte to be part of a reassembly of Almost( ). We use "some" reassembled stream because there can be more than one possible way to reassemble a TCP stream in case there is more than one packet for the same sequence number, or overlapping segments with inconsistent data.

Example: We use (s, P) to denote a TCP packet with sequence number s and payload P. With respect to Almost( ) = ABCDE, suppose a TCP connection sends the first packet containing (0, AB), the second containing (3, XY), the third containing (5, E), the fourth containing (3, CD), and the fifth containing (0, ABC). Then the critical packet is the fourth packet because, while there are two possible reassembled streams up to and including this packet (ABXYE and ABCDE), there is one reassembled stream containing the
string. Note that while this is also true after the fifth packet, this is first true after the fourth packet received by the IPS. The collaborators of the critical packet are the first, third, and fourth packets.

The following lemma states, intuitively, that the critical packet and its collaborators must either contain a piece or be sufficiently small to warrant being copied to the slow path. See Figure 5.

Lemma 6.1: For any TCP connection and string , the critical packet for string  and all collaborators of the critical packet will either contain a piece of  in its entirety or have payload length less than PieceSize.

Proof. Consider a packet  that is either the critical packet or a collaborator of the critical packet. Such a packet must contain some byte of string  that contributes to some reassembly of string Almost( ) at an end node satisfying atomicity. Thus it contains a portion of some Piece I (1 < I < K) that is used in this reassembly.

Case 1: If packet  contains any piece in its entirety that is used in the reassembly of Almost( ), we are done.

Case 2: Packet  does not contain a piece in its entirety that is used in the reassembly. Thus, it must either contain a portion of Piece I only, or contain a beginning portion of Piece I and a portion of Piece I − 1, or a trailing portion of Piece I and a portion of Piece I + 1. It cannot contain a complete piece of either Piece I − 1 or Piece I + 1 by assumption. Thus the part of packet  containing a portion of string Almost( ) must (in all three cases) be of bounded length.

Now we want to show that  can only contain this portion of the signature (i.e., it can have no more bytes that make this packet "large" and hence undetectable by the slow path). If it has at least 2·PieceSize − 1 bytes and these bytes are consistent with string Almost( ), we would have a complete piece, which contradicts the assumption of Case 2. Otherwise, if it has more bytes and these bytes are inconsistent with Almost( ), then there must be another packet that contains the correct bytes for Almost( ) at the corresponding sequence numbers that are part of the reassembly of Almost( ) at some end node, and these two packets would violate the weak atomicity delivery assumption at the end node. Thus  can only contain portions of Almost( ) of length at most PieceSize − 1 and no further bytes, and thus must itself be of length at most PieceSize − 1.
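Definition 3 and the five-packet example above, worked in code. This is an added example, not code from the paper: it treats every consistent subset of the packets received so far as a possible reassembly (Definition 1 allows reordering and drops), reports the first packet after which the string ABCDE used as Almost( ) above can be reassembled, and lists the collaborators. It assumes the first byte of the stream carries sequence number 1, so that both reassemblies the paper names (ABXYE and ABCDE) are contiguous; packet indices are 1-based as in the text.

```python
"""Critical packet and collaborators (Definition 3) on the paper's example."""
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

Packet = Tuple[int, str]  # (sequence number of the first payload byte, payload)

# Constructed input: the five packets of the paper's example, numbering the
# first byte of the stream 1 (an assumption made here) so that the two
# reassemblies the paper lists, ABXYE and ABCDE, are both contiguous.
PACKETS: List[Packet] = [(1, "AB"), (3, "XY"), (5, "E"), (3, "CD"), (1, "ABC")]
ALMOST = "ABCDE"   # the string the slow path looks for (Almost of the signature)
FIRST_SEQ = 1      # sequence number at which in-order delivery starts


def reassemble(packets: List[Packet], first_seq: int = FIRST_SEQ) -> Optional[str]:
    """Bytes an end node enforcing weak atomicity delivers from exactly these
    packets, or None if two of them disagree about the byte at one sequence
    number (the receiver then terminates the connection instead)."""
    stream: Dict[int, str] = {}
    for seq, payload in packets:
        for offset, byte in enumerate(payload):
            if stream.get(seq + offset, byte) != byte:
                return None  # overlapping segments with inconsistent data
            stream[seq + offset] = byte
    delivered = []
    pos = first_seq
    while pos in stream:  # delivery is in order; a hole stops it
        delivered.append(stream[pos])
        pos += 1
    return "".join(delivered)


def covered_positions(stream: str, target: str, first_seq: int = FIRST_SEQ) -> Set[int]:
    """Sequence numbers that belong to some occurrence of target in stream."""
    covered: Set[int] = set()
    start = stream.find(target)
    while start != -1:
        covered.update(range(first_seq + start, first_seq + start + len(target)))
        start = stream.find(target, start + 1)
    return covered


def critical_packet(packets: List[Packet], target: str) -> Tuple[Optional[int], Set[int]]:
    """Return (1-based index of the critical packet, 1-based indices of its
    collaborators, critical packet included), or (None, set()) if target is
    never reassemblable. Every subset of the packets received so far is a
    possible reassembly; inconsistent subsets are rejected by weak atomicity."""
    for upto in range(1, len(packets) + 1):
        received = list(enumerate(packets[:upto], start=1))
        collaborators: Set[int] = set()
        for size in range(1, upto + 1):
            for subset in combinations(received, size):
                stream = reassemble([pkt for _, pkt in subset])
                if stream is None or target not in stream:
                    continue
                covered = covered_positions(stream, target)
                for idx, (seq, payload) in subset:
                    # Holding a byte of target is not enough: the byte must sit
                    # at a sequence number that is part of the occurrence.
                    if any(seq + k in covered for k in range(len(payload))):
                        collaborators.add(idx)
        if collaborators:  # first packet after which target is reassemblable
            return upto, collaborators
    return None, set()


if __name__ == "__main__":
    print(critical_packet(PACKETS, ALMOST))  # (4, {1, 3, 4})
```

Running it reports packet 4 as critical with collaborators {1, 3, 4}, matching the text; the second packet (3, XY) is excluded because any reassembly using it conflicts with (3, CD) and is rejected.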
The main theorem formalizes the role of the fast path.

Theorem 1 (Fast Path Diversion): A TCP connection containing string  in some reassembled stream will be diverted to the slow path before or while processing the critical packet in the fast path. Further, if prior to diversion the fast path processed a collaborator of the critical packet, then a copy of the collaborator was sent to the slow path.

Proof. We prove the second part of the theorem first. Consider any collaborator packet processed by the fast path before diversion. By Lemma 6.1, such a packet will either contain a piece in its entirety or be of payload size at most PieceSize − 1. In either case, the forwarding rules will ensure that a copy will be sent to the slow path.

For the first part of the theorem, consider 2 cases:

Case 1: A complete piece is sent in its entirety before or including the critical packet. In that case, by the forwarding rules, after (and including) this packet, the connection will be diverted to the slow path.

Case 2: A complete piece is not sent before or including the critical packet. Then we know that for each piece, a portion of the piece must be sent in a separate packet up to and including the critical packet. By Lemma 6.1 and by the fact that we have excluded Case 1, the packet containing the portion of Piece  must be of size at most PieceSize − 1. Order these fragments by the time at which they first arrive at the IPS. Thus fragment 1 is the first packet containing a portion of the signature that is processed by the fast path, fragment 2 is the next packet, and so on.

We claim that between the arrival of Fragment  and Fragment  + 1, count for the connection must increment by 1. Suppose not. We know that Fragment  and Fragment  + 1 are small because their payload size is at most PieceSize − 1. If count does not increment, then the  bit must be false when Fragment  + 1 is received, and so the sequence numbers must increase in order from Fragment  to Fragment  + 1. But since Fragment  and Fragment  + 1 both contain portions of the signature, the difference in sequence numbers from Fragment  to Fragment  + 1 must be less than the signature length. But in this case (see state machine), count must have incremented, a contradiction.

But if between any 2 consecutive fragments count increases by 1, and there are  − 1 fragments, then count must have reached  − 1 before the critical packet. But in that case, by the diversion rules, the connection must have been diverted after the critical packet is processed by the fast path.

The final theorem formalizes the role of the slow path.

Theorem 2 (Slow Path Blocking): A TCP connection containing string  in some reassembled stream will have its critical packet dropped in the slow path (Safety). Conversely, a TCP connection that does not contain Almost( ) in some reassembly of the connection and has no inconsistent data will not have any packets dropped at the IPS (Liveness).

Proof. The safety part of Theorem 2 follows from Theorem 1. If Theorem 1 is true, then it is clear that after and including the critical packet, the flow is being processed by the slow path. Also, any collaborators of the critical packet forwarded by the fast path are already at the slow path processor. Since the flow is now being handled by the slow path, all remaining (if any) portions of Pieces 2 through  − 1 of  (by the definition of collaborators and Almost( )) will also be received by the slow path. If there is more than one possible reassembly of the packets that the slow path has received, then we know that the slow path will be configured to drop further packets of this flow, and we are done. If, on the other hand, there is only one reassembly of the packets received so far, and the slow path has received Pieces 2 through  − 1, it must reassemble these pieces to put them in sequence. Since the slow path algorithm is configured to drop all subsequent packets if it finds Pieces 2 through  − 1 in sequence, at least the critical packet will not have been forwarded before the slow path begins dropping. Hence, by the definition of the critical packet, string Almost( ) (and hence string ) cannot be reassembled at the end node.

The liveness part follows trivially from the fact that the slow path only drops packets from a connection when it either finds more than one possible TCP reassembly (which can only happen if the connection has inconsistent data), or if the slow path finds Pieces 2 through  − 1 of some signature in sequence in its reassembly of the connection.
7. RESULTS

Beyond correctness, the motivation for Split-Detect is performance. In this section, we describe preliminary results that indicate that Split-Detect can achieve a speedup of 10, and a memory compression of between 10 and 100, making it possible to implement it on-chip at 20 Gbps. We also show robustness of the result across time (same packet capture point, different times) and space (different packet capture points, different networks).

In the trace-driven simulations, flow states are created when the first packet whose payload contains at most 2·PieceSize − 2 bytes is encountered for the flow, as described earlier. Flow states are aged out if no packet is received for the connection for at least 2 minutes. Figure 6 provides statistics about the traces we analyzed. All of them except "A Large enterprise" are publicly available.

The results that follow are described in terms of tables with the following headings for columns. Packets with between 1 and Small_Thresh bytes (inclusive) in their TCP payloads are considered small, where Small_Thresh is equal to 2·PieceSize − 2. The count at which redirection occurs ( ) is equal to  − 1, where  = Num. Pieces. Max flows is the maximum number of flows in the fast path's flow table at any time during the simulation over the packet trace. "% flows" is equal to Max flows divided by the total number of flows in the trace. To calculate the total number of flows in the trace, we ran a separate program that simply created a flow entry the first time a packet was seen for a new flow (regardless of its size), and aged out entries when no packets had been seen for the connection for 2 minutes. This is intended to represent the number of flow states that would be required by a traditional IPS system for the same traffic.

In the results we report separately the fraction of packets/bytes copied to the slow path, and the total fraction of packets/bytes that were diverted (either copied or redirected). This latter set of numbers represents the total load on the slow path. Our simulations are effectively performed with no pieces installed. A more complete simulation depending upon packet content and signatures is difficult to perform using public sources due to privacy concerns.

Our first experiment examines the effect of varying the number of pieces on the two metrics of interest: the diversion ratio (fraction of traffic shunted to the slow path) and the amount of state kept in the fast path (fraction of connections the fast path keeps state for). We used a single OC-48 trace and varied both the signature length and the number of pieces: we stay within the range of signature lengths used in practice, and never decrease the piece size below 4 bytes.

In Figure 7 we vary the signature length and the number of pieces. All other parameters (e.g., the small packet threshold, which is 2·PieceSize − 2) can be derived from these two parameters. The overall message is that using a reasonable small packet threshold of 8 to 16 bytes for the common case of 40 byte signatures with 4 to 8 pieces results in keeping state for only 5% of the flows and diverts 8% to 12% of the traffic in either bytes or packets, providing a factor of 10 improvement in throughput. This implies that the slow path can run at 2 Gbps, which is easily achievable today. Similarly, keeping 5% of 1 million flows (not the numbers in the traces but the numbers aimed for by an IPS today) results in keeping track of 50,000 flows, which at 150 bits per flow (100 bits for flow ID and 48 bits for state) for the state machine described in Section 5.4 results in 7.5 Mbits of memory. 7.5 Mbits is easily achievable using on-chip memory, allowing a single chip implementation of the fast path state machine. For graceful degradation, if the fast path exhausts its on-chip memory, all subsequent flows that contain a small packet have to be diverted to the slow path.

Figure 8 compares one of the previous results against one that we consider to be a poor choice of parameters. In general, breaking a large signature into only a few large pieces is bad for two reasons. First, it leads to a larger Small_Thresh value, and thus more packets are considered small by the fast path. Second, it leads to a smaller value that count must reach before the rest of the flow is redirected to the slow path.

For all of the remaining results, we report only the results for PieceSize = 6 (thus Small_Thresh = 10) and  = 5, which is possible for signatures containing at least 30 bytes. Although the table is not shown, we compared results using the same parameters, but for traces collected from the same link (an OC-48 link) at three different times, each taken several months apart. The intent was to determine whether there was any obvious trend in the traffic characteristics indicating that the performance of Split-Detect changes over time. The results for the August 14, 2002 and January 15, 2003 traces are similar. The fraction of packets sent to the slow path for the April 24, 2003 trace is noticeably lower. We attribute this to the fact that it was taken at a different time of day, when the total traffic load was lower. The results show that in all cases the fraction of diverted traffic stays under 10%, as needed for our speedup arguments, but can be lower (as low as 3%) during some periods.

So far the results have been for a single wide-area trace. Figure 9 uses the same parameter values and reports the results for all the traces shown in Figure 6. Figure 9 shows that the results seem fairly invariant to the type of trace used. The University and large enterprise traces we used, in particular, are more representative of enterprises, where an IPS is more likely to be deployed.

Finally, we note that with DFA implementations of string matching (such as Aho-Corasick [1]), the cost of string matching increases linearly with the bytes in a string. Thus increasing the number of pieces (without changing the overall bytes matched) should not greatly increase complexity.

8. CLEAN SLATE APPROACHES

While much of this paper deals with existing TCP end nodes, we have argued for a small change in TCP end nodes (weak atomicity). Given that there is a general dissatisfaction with the status quo, as evinced by proposals such as FIND to rearchitect the Internet [7], it is worth posing the question: what other changes in transport protocols could make the job of detecting signatures easier in the network?

Even with the assumption of weak atomicity in end nodes and exact signatures, the solution described in this paper had the disadvantage of only detecting Almost( ) instead of the exact signature. Recall that Almost( ) is  with the first and last pieces missing. While one can argue that if  is long enough this does not change the false positive rate appreciably, this is difficult to sell to security analysts.
However, the following radical change in the transport protocol can remedy this. Imagine that the transport protocol repeats the last  bytes of each packet in the first  bytes of the next packet. Then it follows that any string of length no more than  will be contained in its entirety in some packet. If string  happens to split across packet , it will be found in its entirety in packet  + 1. If  is as large as the piece size (say 10 bytes), then a very simple fast path state machine can divert a flow to the slow path if any piece is detected.

The Clean Slate approach also suggests the following implementation alternative to architectural revolution. Send the last  bytes and the first  bytes of every packet to the slow path. If the average packet size is, say, 200 bytes and  is 10, this will add a further 10% overhead to the diverted traffic. Finally, if the slow path detects Almost( ), then these additional bytes can be examined to confirm that  was sent before dropping packets in the connection.

9. CONCLUSION

This paper is a gentle first volley suggesting an alternative to full state reassembly and normalization at high speeds, using the ideas of cutting signatures into pieces that are looked for, as well as looking for unusual small packet activity indicative of attempts to cut between pieces. While much remains to be done, the experimental data seems to support a speedup of 10, and a state compression of 10 and 20. More compression appears possible via compact data structures (e.g., Bloom Filters) in return for diverting slightly more than the required number of flows.

The end node atomicity required by Split-Detect may seem too high a price to pay. However, we believe it is possible to prove a lower bound to show that detecting overlapping fragments in the network requires almost as much memory as data normalization. If this is true, then end node atomicity may be required for high performance reassembly and normalization. From our preliminary investigation, weak atomicity appears easy to implement after adding one MTU worth of extra buffering and a small amount of extra processing in rare cases. Note that the assumption that Almost( ) is detected and not  can be remedied by diverting some of the first and last bytes of every packet.

Finally, our paper has dealt only with exact matching, but most IPS vendors support regular expressions. First, note that while regular expressions are commonly used to abstractly describe vulnerabilities, exact strings suffice to describe exploits, which may suffice for blocking at switches in the immediate aftermath of an attack such as a worm. Further, we have already identified a class of regular expressions that can be handled by Split-Detect techniques. These are regular expressions that use the OR operator (i.e., |) and the . operator (any single character). Thus we can do regular expressions of the form (( etc.). These can be broken into pieces; all we need is for the fast path to be able to match these expressions using standard DFA techniques. In particular, we can handle upper and lower case, which is very common in the IPS rules. Also, if the regular expression has a form such as , the fast path can send a copy of string  (whichever is detected first) without diverting the flow. When the other string is seen, the flow can be diverted to the slow path. Our preliminary study of a commercial IPS database as well as the ClamAV database shows that 60 to 80% of the rules fit these categories. We are working on further extensions to this, and on techniques to rewrite regular expressions to make them fit the classes we can handle.

Changes to end nodes and to the use of regular expressions are clearly difficult to popularize. But when considered against the backdrop of an even more difficult problem, that of detecting attack signatures at very high speeds, perhaps such changes seem more reasonable.

Figure 6: Summary data for the packet traces analyzed
Columns: Trace, Duration (min), Avg. pkts/sec, Avg. bits/sec, % of TCP packets
CAIDA 2002-08-14 09:00   75K   344M   93%
CAIDA 2003-01-15 09:59   59K   326M   88%
CAIDA 2003-04-24 00:55   23K   92M   91%
A large enterprise   25M   90%
Univ. Florida   39K   223M   91%
Lawrence-Berkeley National Lab   7M

Figure 7: Effect of varying parameters on the same packet trace
Columns: Sig Length, Piece Size, Num. Pieces, Small_Thresh, Max flows, % flows, % pkts/bytes copied, % pkts/bytes diverted
10   34494   0.51%/0.04%   10.85%/9.98%
5   30482   0.51%/0.04%   9.06%/8.31%
8   8   0.46%/0.04%   6.02%/5.29%
0.38%/0.03%   3.43%/4.04%
10   34494   0.38%/0.03%   12.66%/12.01%
5   24215   0.42%/0.03%   8.03%/7.20%
6   8   0.42%/0.03%   6.88%/6.24%
0.15%/0.01%   2.00%/2.41%
4   8   0.34%/0.03%   8.39%/7.95%
5   6   0.31%/0.02%   5.48%/6.38%

Figure 8: Effect of poorly chosen parameters on the fraction of diverted traffic
Columns: Sig. Length, Piece Size, Num. Pieces, Small_Thresh, Max flows, % flows, % pkts/bytes diverted
5   24215   8.03%/7.20%
16   48026   15.18%/13.76%

Figure 9: Variation in the diverted traffic across traces taken from different networks
Columns: Trace, Max flows, % of flows, % pkts/bytes copied, % of pkts/bytes copied/redirected
CAIDA OC-48 2002-08-14   0.42%/0.03%   8.03%/7.20%
A Large enterprise   0.38%/0.03%   8.81%/11.79%
Univ. Florida   0.54%/0.04%   5.68%/5.56%
Lawrence-Berkeley National Lab   20.92%   0.21%/0.02%   1.52%/3.07%

10. ACKNOWLEDGEMENTS

We are grateful to Jonathan Chang, Tom Edsall, Mike Hall, Pere Monclus, Sushil Singh, and Sumeet Singh of Cisco Systems for fruitful discussions. George Varghese would also like to acknowledge NSF Grant ANI 0137102 and a grant from NIST that helped stimulate the direction of the current research, which was done entirely at Cisco.

11. REFERENCES

[1] Alfred V. Aho and Margaret J. Corasick. "Efficient string matching: An aid to bibliographic search." Communications of the ACM 18(6):333-340, June 1975.
[2] N. Alon, Y. Matias, and M. Szegedy. "The space complexity of approximating the frequency moments." Proceedings 28th ACM Symp. on Theory of Computing, pages 20-29, May 1996.
[3] G. Appenzeller, I. Keslassy, and N. McKeown. "Sizing Router Buffers." Proceedings of ACM SIGCOMM, 2004.
[4] D. Clark. "The Structuring of Systems Using Upcalls." Proceedings of the 10th ACM Symposium on Operating Systems Principles, pp. 171-180, December 1-4, 1985.
[5] S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood. "Deep packet inspection using parallel Bloom filters." Hot Interconnects, Aug. 2003.
[6] S. Dharmapurikar and V. Paxson. "Robust TCP stream reassembly in the presence of adversaries." Proceedings of the 14th USENIX Security Symposium, Baltimore, 2005.
[7] "The Future of the Internet." Red Herring, April 10th, 2006.
[8] M. Handley, C. Kreibich, and V. Paxson. "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics." Proc. USENIX Security Symposium, May
[9] K. Levchenko, R. Paturi, and G. Varghese. "On the Difficulty of Scalably Detecting Network Attacks." Proc. of the Eleventh ACM Conference on Computer and Communication Security, October 2004.
[10] Nikto, http://www.cirt.net/code/nikto.shtml
[11] NSS Group. Intrusion Prevention Systems (IPS) Group Test (Edition 3), NSS Group, August 2005, http://www.nss.co.uk
[12] V. Paxson. "Bro: A System for Detecting Network Intruders in Real-Time." Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec 1999.
[13] V. Paxson and M. Handley. "Defending Against NIDS Evasion using Traffic Normalizers." Second International Workshop on the Recent Advances in Intrusion Detection, September 1999.
[14] T. Ptacek and T. Newsham. "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection." Secure Networks, Inc., Jan. 1998.
[15] M. Roesch. "Snort - Lightweight Intrusion Detection for Networks." LISA 99.
[16] C. Shannon, D. Moore, and k. claffy. "Characteristics of Fragmented IP Traffic on Internet Links." Workshop on Passive and Active Measurement, 2001.
[17] Dug Song, 2002. Fragroute, http://www.monkey.org/dugsong/fragroute/