DetectingEvasionAttacksatHighSpeedswithoutReassemblyGeorgeVargheseCiscoSystems,UCSDJ.AndrewFingerhutCiscoSystemsFlavioBonomiCiscoSystemsABSTRACTPtacekandNewsham[14]showedhowtoevadesignaturedetectionatIntrusionPreventionSystems(IPS)usingTCPandIPFragmentation.TheseattacksareimplementedintoolslikeFragRoute,andareinstitutionalizedinIPSprod-ucttests.TheclassicdefenseisfortheIPStoreassembleTCPandIPpackets,andtoconsistentlynormalizetheout-putstream.CurrentIPSstandardsrequirekeepingstate potentiallyincreasethecostsofmemoryandprocessingbyanorderofmagnitudebeyondthatrequiredbyreassembly.1.2IntrusionPreventionSystemsInaperfectworld,whereallendnodesdetectandpreventattacks,IntrusionDetectionSystems(IDS)wouldbeuse-less.Unfortunately,networkadministratorscannotrelyonendnodesoftware(oftencontrolledbyadierentorganiza-tion)beinguptodateintermsofAnti-Virusupdatesandpatches.Thus,justasinthecaseofrewalls,theuseofanIDSisapopularretrotstrategy.AlmosteverymajororganizationrunsanIDSofsomesort,andmanyorganiza-tions,motivatedbythethreatofinternalattacks,deployanIDSinseveralpartsoftheinternalnetwork.Thus,theIDSmarketisabilliondollarmarket,andcontinuestogrow.WewillfocusinthispaperonsignaturebasedIDS.SuchanIDSconsistsofadatabaseofrules.Eachrulespeciesapredicateonpacketheaders,optionallycontainsacon-tentstring,andhasanassociatedaction.InclassicalIDSsystemssuchastheopensourcetoolSnort[15]theasso-ciatedactionisusuallyanalerttotheadministrator.Sig-naturebasedIDSareverypopularandaresupportedbyeverymajorIDSvendor.ThebaneofmostIDSusersisthepotentiallylargenumberoffalsepositivesinalerts.BythetimeanIDScanraiseanalertandahumanadmin-istratorrespond,afast-movingattack(suchasawormoraDDOSattack)canhavedoneconsiderabledamage.Thusinrecentyears,theIDSmarkethasmorphedintotheso-calledIPS(IntrusionPreventionSystem)market.Somewhatcav-alierly,anIPScanbedescribedasanIDSwhereasubsetofrules(whichtheIDSimplementersarecondentcancausealmostnofalsepositives)areenabledwiththecorrespond-ingactiontodropanypacketthatmatchesthis
rule.AnIPSmustbeinlinetodroppackets,whileanIDScansimplytapthedatatogeneratealerts.BothIDSandIPSsystemsarerequiredtoreassembleTCPowsandIPfragments.Thisensuresthatacontentstringinarulethatisfragmentedacrosspacketscanbede-tected.IPSsystemsarefurtherrequiredtonormalize[8,13]TCPows.Roughlyspeaking,normalizationseekstonor-malizethedatasentinaowtoavoidinconsistenciesthatcanbeexploitedbyanattacker.AsthemarketforIDSandIPSsystemshasmatured,therearenowwell-establishedteststhatcheckforconformance.Forexample,theNSSreport[11]testsvendorsforresiliencetoevasionattacksbyrunningfragroute[17],andwhiskernikto[10].Allthema-jorvendorsappeartohavedemonstrated[11]theirabilitytodetectevasionattempts.Asthespeedofenterprisenetworksmovesfrom1Gbpsto10Gbps,IPSdeviceshavebeenattemptingtoscaleupinspeedaswell.Intermsofspeed,somevendorsarealreadydeployingIPSsystemsat8Gbps.Further,asareactiontothenumberofadhocnetworkdevices(e.g.,loadbalancers,contentaccelerators,androuters)innetworks,thereisanincreasingtrendtowardsconsolidatingdeviceswithinasin-gleenterpriseswitch.Asmanyswitcheshave10Gbpsandeven20Gbpsports,itisdesirabletoscaleasingleIDSchipordeviceto20Gbps.WhatarethemainbottlenecksforanIPS?Onemajorbottleneckisscanningastreamofbytesforacontentstringorevenaregularexpression.Searchingforcontentstringsisfairlywellunderstood[5].Inrecentyears,manyIPSdeviceshaveallowedthespecicationofregularexpressionsforcon-tentstringsbuthardwarealgorithmsforeventhesearewellunderstood[5].However,asecondmajorbottleneckistheeortrequiredtoreassembleTCPowsandtonormalizethemifneeded.ManyIPSvendorsadvertisesupportforupto1millionconcurrentTCPows;thenumberofowsmayseemsurprisinglylargeforanenterprise.However,recallthatinasecuritycontext,aTCPowcannotbetimedoutquicklyincaseafragmentoftheattackissentmuchlater.Itisthissecondbottleneck,andespeciallyinthecontextofapackagedIPS/router,thatwefocusoninthispaper.1.3PaperOutlineandContributionsTherestofthispaperisorganizedasfollows.Section2containsanimplementationmodelforapackagedIPSinaroutero
rswitch,anddescribesthemainassumptionsaswellandmeasures.Section3providesabriefoverviewofthepossibleevasionsmadepossiblebyfragmentation.Section4beginsthesolutiondescriptionbyrstdealingwithtwocom-plicatingissues:overlappingTCPsegmentsandIPfrag-mentation.ThenSection5describestheSplit-Detectsolu-tionthatisscalableandyetabletodetectdamagecausedbyout-of-orderfragmentsandcha.Section6containsaproofthatSplit-Detectiscorrect;aproofisneededassev-eralofourinitialattemptshadaws.Section7describesatrace-drivenanalysisoftheperformanceimprovementre-sultingfromSplit-Detect.Section8suggestscleanslateap-proachestotheproblemofsimplifyingIPSdevicesbasedonthelessonslearnedinthispaper.Finally,Section9statesconclusions.Contributions:Themaincontributionofthispaperiscriticallyexaminingtheneedforreassemblyandnormaliza-tion.Aspartofthisexamination,weproposeanalternative(Split-Detect)tofullreassemblyanddatanormalizationforallowspassingthroughanIPSbyecientlyidentifyingasmallsubsetoftracinthefastpaththatrequiresnor-malization/reassembly.NotethatSplit-DetectonlyavoidsreassemblyandnormalizationinthefastpathUnfortunately,SplitDetectrequiresthreeassumptions:asmallmodicationtoTCPreceiverstocheckforinconsis-tentretransmissions,achangeinthedenitionofsignaturedetectiontoallowthestartandendofasignaturetobemissed,andarestrictiontoexactsignaturesorregularex-pressionswithaxedexactlength.Therstassumptionseemstobefundamental,thesecondcanberemovedbyanimplementationorprotocolchange,andthethirdassump-tionmayberelaxedbyfuturework.Giventhedicultieswiththeseassumptions,themaincontributionofthispaperisexposingtheassumptionsthatneedtobechangedtoavoidreassemblyandnormalizationinthefastpath.Wehopethatourinitialstudywillstimulatefurtherwork.Asecondcontributionistheformalizationofseveralcon-cepts(suchascriticalpacketsandpossiblereassembly)thatseemfundamentaltothetheoreticalmodelingofevasionat-tacks.2.MODELBetweenwhatmattersandwhatseemstomatter,howshouldtheworldweknowjudgewisely?E.C.Bentley,TrentsLastCaseWecapturewithamodel
thesalientaspectsandparam-etersforIPSimplementations.Figure1showsamodelof Flow State Packets Figure1:AmodelofastandardIPSintegratedintoaswitch SLOW PATH (LARGEMEMORY, FULL REASSEMBLY) cB bits/s Figure2:NewmodelofanIPSwithafastpathandaslowpathaclassicalIDS/IPSimplementedatspeedsgreaterthan5Gbps.Packetsareinspectedbysomesetofchips,oftenASICs.Manyproductsusetwoorthreesuchchips.TheTCPandIPowstateisstoredinalargestatetablewithmemoryforconnections(oftenrequiredtobeatleast1million)withbitsperconnection.Evenifallthepacketsinaconnectionarein-ordertheminimumstateforaconnec-tionisatleasttheTCP5-tupleandthesequencenumber,whichisatleast128bits.Typicalimplementationsespe-ciallyforIPSdevicesprobablykeepatleast10timesthismuchstate,giventhatfulldatanormalization[8]appearstorequirekeepinganRTTsworthofTCPstreamdata.Thustheoverallmemoryrequiredfortheowtableisatleast128Mbits,andmorelikelytobecloserto1280Mbits,whichissucientlylargetorequireexternalDRAM.Inpractice,severalDRAMchipsarerequired.ThenetresultisthattheIPSimplementation,countingprocessingchipsandexternalmemory,requiresseveralchipsandsupportingprocessors,whichmakesitexpensiveandhardtopackagecheaplyintoeverylinecard.AnaturalalternateIPSmodelisshowninFigure2.TheideaisthattheIPScomplexinFigure1isreplacedbyasimpler(andpotentiallysingle)IPSchipthathandlesthecommoncase,butalsodetectsexceptionsbykeepingtrackofamuchsmallernumberofconnections.Whenanexceptionisdetected,theremainderoftheTCPowisdivertedtoasecondprocessorthathandlestheexceptioncaseusingthefullconnectionstate,reassembly,andnormalization.How-ever,theideaisthattheslowpathprocessoronlyhandlestheexceptionows.OneparticularlyattractivepackagingofthismodelistoplacethefastpathIPSchipineverylinecardofaswitch,andtokeeptheslowpathprocessor(s)inaseparatecardsharedbyallotherlinecardsoftheswitch.Forthispack-agingtomakesense,theamountofmemoryrequiredbythefastpathprocessorshouldideallybesucientlysmalltotintoon-chipmemoryorasmallCAM,makingtheperline-cardcostverysmall.Atthesametime,theamountoft
racdivertedtotheslowpathmustbesucientlysmalltoallowtheslowpathprocessortobesharedbyseveralfastpathprocessors.ThusreferringtoFigure1andFigure2,tworelevantper-formancemeasuresoftheleverageofthenewmodel(Figure2versustheclassicalmodel(Figure2)are:Speedup:SpeedupcanbedenedasB/D.Inotherwords,thisisthereciprocalofthefractionofbytesdivertedtotheslowpathprocessor.Apotentialtargetisaspeedupof10for=20GbpsandGbps.Thisallowseitheracheapslowpathprocessororthesharingoftheslowpathprocessoracross10linecards.MemoryCompression:Memorycompressionistheratiooftheconnectionmemoryrequiredbytheclassi-calIPStothememoryrequiredbythefastpathpro-cessorinthenewmodel(Figure2).Fromthegure,thisisCW/).Apotentialtargetisamemorycompressionof25toyieldafastpathmemoryMbits(whichshouldtintoon-chipmemory)assum-ing=1millionand=128bits.3.THEGENTLEARTOFEVASIONKnowthyself,KnowthyEnemy SunTzu,circa500BCInthissectionwebrieyreviewsomeofthepoweravail-abletoanattackerusingfragmentation.ThepowerarisesfromthecombinationofTCPand/orIPfragmentationwithout-of-order,redundant,andoverlappingsegments.Weil-lustratethesebythefollowingexampleattacks.Theseex-amplesarebynomeansacomprehensivelistofattacks.Inalltheexamples,theintruderisattemptingtosendastringATTACKthatispassedbytheIPSbutisreceivedbythereceiver.Inthissection,werestrictourselvestoTCPfragments.3.1TheCaseoftheMisorderedFragmentsInthiswarm-upexample,theintruderbreaksthestringATTACKintotwofragmentsATTandACK.TheattackerthensendsthecontentstringACKintherstsegmenttophysicallypasstheIPS(timeowsfromlefttorightinallexamples)withTCPsequencenumber13.Later,therstpartoftheattackstringATTissentinasec-ondTCPpacketwithsequencenumber10.AlthoughthesefragmentspasstheIPSout-of-order(andpotentiallywithalongtimebetweenfragments),thereceivertowhichthesepacketsaredestinedwillreassemblethestringcorrectlybyrstplacingthestringATT(becauseithasstartbytese-quencenumber10)andthenattachingthestringACK SEQ = 13, DATA = ACKSEQ = 10, DATA = ATTSEQ =10, TTL = 10, ATTSEQ = 11, TTL = 1, JNK. . 
SEQ = 13, ACKSEQ = 10, ATTJNK THE CASE OF THE INTERSPERSED CHAFFTHE CASE OF THE OVERLAPPING SEGMENTSFigure3:Pictorialrepresentationof3powerfuleva-siontechniques(becauseithasstartbytesequencenumber13).ThetoprowofFigure3showsthisattackpictorially.Clearly,anIPSthatdoesreassemblycancatchthiscasebecauseitduplicatesreceiverreassemblybeforecheckingforstringssuchasATTACK.inthereassembledbytestream.3.2TheCaseoftheInterspersedChaffInthisexample,theattackerbreaksthestringintotwofragmentsATTandACKasbeforebutnowaddssomenoiseorchatotheattacktoconfusetheIPSwithoutdamagingcorrectreassemblyatthereceiver.Therearemanywaystodothis;onetechniqueistosendthegoodpacketswithalargeenoughTTL(TimetoLive)toreachthereceiver,whilesendingthechawithasmallTTLthatcausesittobedroppedbeforereachingthereceiver.IntheexampleinthesecondrowofFigure3,thefrag-mentsATTandACKaresentwithalargeTTLof10,whiletheinterspersedchaJNKissentwithaTTLof1.AssumingthattheIPShasnoknowledgeofnetworktopol-ogy,theIPScannottellwhichfragmentswillmakeittothereceiver.ThustheIPSdoesnotknowwhetherthereceiverwillreceiveATTJNKorATTACK.Itiseasytoconstructcaseswithpiecesofoverlappingchastartingatseveralpositionswithintheattacksigna-turesuchthatthereare2possiblereorderings.SinceitiscomputationallyhardfortheIPStocomputeexponen-tialnumbersofreorderings,amoreelegantsolutionisdatanormalization[8]:theIPSpicksacanonicalreordering(inthisexample,sayATTJNK),realizesthatitdoesnotmatchavalidattackstring,andsoletsitpasswithoutanalert.However,whenthepacketwiththestringACKgoesbytheIPS,theIPSrewritesthestringACKtoJNKtobeconsistentwithdatasentinthepast.Onceagain,thisexampleplausiblyarguesfortheneedtobothreassembleandnormalize.3.3TheCaseoftheOverlappingFragmentsAmoreperniciousformofattackusingoverlappingse-quencenumbersisshownpictoriallyinthethirdrowofFigure3.TherstTCPpacketcarriessequencenumber10andthestringATTJNK.ThesecondTCPpacketcar-riesthesequencenumber13andthestringACK..Oneconventionatareceiverwhenfacedwithoverlappingbytesistodeliverthemostrecentlyrec
eivedbytes.Withsuchaconvention,thereceiverwilldeliverthestringATTACKandtheintruderwillsucceed.Clearly,normalizationavoidsthisproblembyeithersendingATTJNKconsistentlyordroppingdatathatreassemblestoATTACK.Whileoverlappingfragmentsabstractlylookssimilartointerspersedchaandtheyhavethesamecure(normaliza-tion),theyhaveasubtledierence.Inthecaseofinter-spersedcha,apacketiseithercompletelychaorcom-pletelygooddata.Inthecaseofoverlappingfragments,apacketcanpartiallycontainchaandgooddata.Inpartic-ular,aftercuttingasignatureintopieces,anyattackthatonlycontainsinterspersedchawillbeforcedtosendsmallfragments,abehaviorthatcanbedetected.Ontheotherhand,usingoverlappingfragments,thesendercansendarbitrarilylargepacketswhilestill(eectively)fragmentingthesignatureintopiecesofsizeassmallas1byte.Forexample,imagineasequenceoflargepacketswhosesequencenumbersare+1,+2,etc.,andwherethenewbyteofthei-thpacketisthei-thbyteofthesignature,andtherestofthedatabytesarecha.Insum-mary,overlappingfragmentsaredeadlybecausetheyallowsignaturestobesegmentedvirtuallyintoassmallpiecesasdesiredwithoutanyaccompanyingphysicalmanifestationsintermsofsmallpacketsizes.4.CLEARINGTHEUNDERBRUSHBeforewemovetoournalsolution,wesimplifytheprob-lembyaddressingtwoattackmechanisms:IPfragmentationandoverlappingfragments.4.1IPFragmentationClearly,manyofthesameattacksdescribedinSection3canbeduplicatedwithIPfragmentswiththeIPfragmentoseteldsplayingthepartofTCPsequencenumbers.CombinationsofTCPandIPfragmentationinthesameattackcancomplicatethemechanismsandproofs.Forex-ample,noteveryIPfragmentofaTCPpacketcontainsaTCPheader.BecauseIPfragmentationissorareinprac-tice(afractionofapercentinourtracesandinpreviousreports[16]),weuseaconservativesolution:divertanyIPfragmentsandanyconnectionwhoseconnectionIDisinanIPfragmenttotheslowpath.4.2OverlappingTCPFragmentsDetectingoverlappingTCPfragmentsappearsveryhardwithoutkeepingstateforeveryconnection.Whileover-lappingTCPfragmentsdoresultinout-of-orderTCPseg-ments,benignout-of-ordersegmentsoccurbecaus
eofroutechanges,loadbalancing,andretransmission(considersend-ingpacketsP1,P2,P3,andthenresendingP1).Itappearshardtodistinguishbenignout-of-orderpacketsfromseg-mentswithoverlappingsequencenumberswithoutkeepingarecordofallpastsequencenumbers,whichisnobetterthankeepingTCPstateforallconnections.Itappearspossibletoprovethatdetectingoverlappingsequencenumbersrequiresalargeamountofspaceusingareductiontothesetdisjointnessproblem,aspioneeredin[2]andappliedin[9]toshowsimilarhardnessresultsforanumberofothersecurityproblems.However,onemustbecautiousaboutsuchresults.First,thehardnessofthesetdisjointnessproblemisbasedonassumptionswhichmayberelaxedinpractice.Second,aspointedoutin[9]thesame WearegratefultoYossiMattiasforthisobservation phenomenon(overlappingTCPfragments)mayhaveseveralmanifestations(e.g.,overlappingsequencenumbers,over-lappingcontent).Provingthatonemanifestationishardtodetectdoesnotimplythatscalabledetectionofsomeothermanifestationisimpossible.Despitethesecaveats,itdoesseemthatdetectingoverlappingfragmentsisfundamentallyhard.Instead,wewillrelyonchangestoendnodestosatisfythefollowingatomicityproperty.Inthefollowingweusede-liveredtomeandeliveredtotheapplication,notmerelythesegmentisdeliveredtothetargethost.WeakAtomicityProperty:NoneofthebytesinaTCPsegmentthataredeliveredwillbeinconsistentwithbytesofanotherTCPsegmentthataredelivered.Note,thatthisrestrictioncannotcauseanydicultytogoodsenderstacksbecausetheTCPprotocoldoesnotallowinconsistentdatatransmission.Theimplementationoftheweakatomicitypropertyisfairlyeasy.Maintainabuer,theOverlapDetectbuer,ofuptoanMSSsizeworthofthebyteslastdeliveredtothesocketbuer.Whenanewpacketbecomesin-orderandisacandidatefordelivery,compareanyoverlappingbyteswiththebytesintheoverlapbuer.Ifthereisinconsistency,donotdeliverthesegmentandresettheconnection.Notethatthisimplementationtakesmorespace(1MSS)andmoreprocessing(byte-by-bytecomparisonincaseofoverlap)thanastandardTCPimplementation.However,itisverylikelythatmostsocketbuerswillneedstorageforupt
o10MTUsormore.Thustheadditionalstoragecostshouldbeasmallpercentageoftheexistingstoragecost.Also,theprocessingcostcanbemainlyamatterofwritingtothecircularoverlapbuerandtheactualbyte-by-bytecheckisincurredonlyintherarecaseofanoverlappingsegment.WeakatomicityalsoappearstointroduceanewDenial-of-Serviceattackwhereinanattackercouldinjectinconsistentdataandcausetheconnectiontobereset.However,thealternativeistoallowtheattackertoinjectarbitrarywrongdata,whichisworse.NotethatSSHalsoresetsaTCPconnectionondetectingapossibleTCPinjectionattack.Wearguethatsuchanendnodechangeisactuallygoodbecause:Itpreventsbadbehavior(deliveredinconsistentdata)fromharminganendnode.ItdoesnotrequireimplementingacompleteIPS(nosignaturesarerequiredatendnodesinthisproposal)ornormalizerattheendnode.Itcaneasilybeimplemented.IfdeployedbyWindowsandLinux,thenthetwomostcommontargetsofat-tackscanbeprotectedwhileallowingIPSsystemstoInsummary,webelievethataneasily-implementablechangeinendnodestoimplementanobviousconsistencycheck(whichshouldhavebeenrequiredinthepast)cangreatlyimprovethescalabilityofIPSsystems.Further,itappearspossibletoprove[2]thatwithoutthischange,IPSdeviceswillhavetokeepmemoryforallconnectionsinthefastpath.4.3WhatStillRemainsItmayappearthatwiththenessingofthissectionthatwehavetrivializedtheproblemanddenedtheproblemaway.However,notethattheattackerstillhasgreatpower:TheattackercanstillbreakupanattacksignatureacrossseveralsmallTCPFragments.CompoundingthedicultyisthefactthatsmallTCPsegmentsarecommonininnocenttrac.Theattackercanstillsendout-of-orderFragments.Compoundingthedicultyisthatfactthatout-of-ordertraciscommoninrealtracbecauseofre-transmissions.Theattackercanstillsendredundantpackets/segmentsthatnevergettothereceiver(e.g.,ChawithlowTTLs)inattacktracbuthardtodetectattheIPS.Theattackercanstillusechatocreateanexponen-tialnumberofpossiblereassembliesattheIPSandthusnormalizationattheIPSisstillrequired.5.THESOLUTION:SPLIT-DETECTStrategywithouttacticsisliketheemptysoundbeforedefeat...-SunTzuWedescri
bethebasicidea,andprovideaquickexampleofcuttingasignatureintopieces.Weproceedwithadetailedstatementofthestatevariables,andthefastandslowpathprocessingalgorithms.5.1BasicFrameworkWecallthealgorithmSplit-Detectbecauseourmajortac-ticistosplitasignatureintoequalpieces.Thedetectionofanypiecewillcausethelinecardtodiverttheconnectiontotheslowpath.Thefast-pathalgorithmconsistsof:Split:Breakasignatureintoequalpiecesandarmthefastpathtodetectanypiece.Divert:DivertaTCPowtotheslowpathifFastpathchipdetectsanypieceFastpathchipdetectssmallpacketorout-of-orderbehavior.increases,theIPShasmorepiecestodetectbutthespeedupincreasesbecauseasmalleramountoftracwillbediverted.Morepiecesdonotnecessarilymeantimesmorestorageinthefastpath.Forexample,DFAbasedstringmatcherssuchasAho-Corasick[1]requirespacelinearinthetotalnumberofbytesanddonotincreasesignicantlyintimeorstoragewiththenumberofpieces.However,ifthepiecesaretoosmall,therewillbefalsepositivesdetectedininnocenttrac.Wepick4bytesasthesmallestacceptablepiecesizebecausetheresultingextradiversioncausedbyfalsepositivesof4byterandomdataissucientlysmallforTCPowsthatsendlessthan2bytes.Therandommodeloffalsepositivesisinsucient.Evenusingpiecesizesgreaterthan3,caremustbetakentoensurethatapieceisnotpartofacommonapplicationstring.Forexample,HELOisa4-bytestringusedintheSMTPhandshake;useofitasapiecewouldcauseeverySMTP CK S ATTA 
Figure4:ExampleofCuttingupaSignatureinto4piecesconnectiontobediverted.Notethatifasignatureislongenough,onecoulddiscardsomeinitialbytestochangethealignmentofpieces,sothatastringlikeHELObyitselfdoesnotformacompletepiece.Similarly,forasignaturethatstartswithhttp...,itisbesttodiscardtherstfewbytes.Generally,thelongerthepiecesize,thelesslikelyisitforthistobeaproblem.5.2ExampleofCuttingaSignatureintoPiecesFigure4showsanattacksignatureATTACKSIGNA-TUREbrokenupinto4piecesof4byteseach.Breakingupasignatureintopiecesandlookingforeachpieceindividuallyhasthefollowingintuitiveconsequences(wewillprovethemformallyinthenextsection):Ifapacketcontainsapiece,itwillbedetected.ThusallpiecesmustbesplittoevadeIfendnodeatomicity(Section4)isenforced,apacketcontainingasplitpiececannotcontainnon-signaturedatathatconictswiththesignature,ortheentiresignaturewillnotbedelivered.Allbuttherstandlastsplitswillcreatesmallpack-etswithpayloadsizePieceSize1,wherePieceSizeS/Kandisthesignaturelengthandthenum-berofpieces.Figure5showsthatanattackercancutthepieces(ofsize4bytesinthisexample)toevadedetectionintoseveralpiecesofsizeatmost6bytes(22).Theattackerspacketboundariesareshownusingdashedlines.Notethattherstandlastpacketscanbelargebutthemiddlethreemustbeatmost6bytes.Noticethatthemiddle3piecesareconsecutiveinsequencenumberspace.Thisseemstoimplythatonecandetectsuchaneva-sionattemptbylookingforacertainnumberofconsecu-tivesmallpackets,wheresmallmeansthepacketpayloadsizeisstrictlysmallerthan2PieceSize1.Unfortunately,theattackerhasmorepowerusingout-of-orderpacketsandchathatdoesnotreachthereceiver.5.3MotivatingtheAlgorithmClearly,lookingforsmallpacketsinsequencecannotsuf-cebecausepacketscanbesentout-of-order.Arstattemptatastatemachinetodetectevasionswouldbetolookfor CK S ATTA Piece 1Piece 2Piece 3Piece 4 Packet Boundaries excluding 
headers100103105Figure5:ExampleofSplittingeachpiece(packetboundariesareshownusingdashedlines)intopack-etssuchthatnocompletepieceisdetectedinapacketpassingthoughtheIPSeithersmallpacketsinorder,orout-of-ordersmallpacketsEventhisdoesnotsuce.Supposetheattackercutsupthesignatureintofragmentssuchthatnofragmentcontainsapiece.Theattackerdividesthefragmentsintooddandevenfragments.Theattackerthensendstheevenfragments(Frag0,Frag2,Frag4etc.)in-orderbyinterspersingtheevenfragmentswithappropriatelynumberedcha.Moreprecisely,theattackersendsFrag0,1,Frag2,2,Frag4,3,etc.),where3...arelargechapacketswithsmallTTLthatwillnotreachthereceiverbutwithstartingsequencenumbersthatmatchFrag1,Frag3,Frag5,etc.Oncetheattackerhassenttheevenfragments,hecangoaheadandsendtheoddfragmentsinthesameway.Thustherewillbeatmost2+1out-of-sequencetransition(oneaftereachchapacketandoneattheboundarybe-tweenevenandoddfragments)andtherewillneverbethecaseoftwoconsecutivesmallpackets.Notethaneveninthisexampletherearesmallpacketswhereisthenumberoffragmentstheattackerisforcedtocutthesignatureinto.Whilewecoulddetectthis,wewouldlikeastrongerpredi-catebecausetherearemanyinnocuousconnectionsthatwillsendanumberofsmallpacketsoverthelifetimeofthecon-nection.Theexampleaboveshowsthatsuchconnectionscannotbedistinguishedfromadeliberateattackasintheexample,becausethegapbetweenthesendingofthetrainofevenfragmentsandthetrainofoddfragmentscanbemadearbitrarilylongbyllingitinwithcha.Tocreateastrongerdiversionpredicate,examinetheex-amplemorecarefully,andnoticethatthesmallpacketsintheeventrainandintheoddtrainmustbespacedapartbythelengthofthesignature.Otherwise,theywillnotbeassembledtogetheratthereceivertobepartofacompletesignature.Todeneanomalousbehaviorweintroducethefollowingterminology.Consecutivesmallpacketsaretwopacketsre-ceivedbytheIPSthataresmallandinbetweenthereceiptofwhichtheIPSdoesnotreceiveanyothersmallpackets.ThusiftheIPSreceived5inorderwherepackets4,and5aresmalland2and3arelarge,1and4areconsecutivesmallpackets,andsoare4and5.How
ever,1and5arenotconsecutivesmallpacketsbecauseofthepresenceof4inbetween. Thustodetectananomalousconnection,intuitivelywelookforanomalouseventsinaconnection,whereananomalouseventisdenedaseither:Condition1,CloselySpacedSmallPackets:Con-dition1istriggerediftheIPSreceivestwoconsecu-tivesmallpacketswhosesequencenumbersdierbyatmostthesignaturelengthCondition2,Out-of-Order:Condition2istrig-gerediftheIPSreceivestwoconsecutivesmallpacketsbetweenwhichthereisatleastoneout-of-ordertran-sition(theout-of-orderpacketcouldbeanypacketinthemiddleofthetwouptoandincludingthesecondsmallpacket).Thusbetweentwoconsecutivesmallpackets,eitherthesequenceiscompletelyin-orderinwhichcaseonlyCondi-tion1canoccurorCondition2occurs.Theintentisthatinnocuousconnectionthatsendssmallpacketsthataresucientlyspacedapartwillnotbedivertedtotheslowpath.Similarly,aninnocuousconnectionthatsendsveryfewout-of-ordersmallpacketswillnotbediverted.5.4FastPathStateMachineThefastpathalgorithmcanbecompactlydescribedbyastatemachinethatcaneasilybeimplementedinhardware.TheIPSsystemrstpicksthenumberofpieces.NotethatthepiecelengthPieceSizeSignatureLengthpacketisdenedtobesmallifitspayloadsizeisintherangege,2·PieceSize2].NotethatACKswith0databytesarenotconsideredtobesmallpackets.WeusethetermTCPowandconnectioninterchangeablyinwhatfollows.StateInstantiation:ThefastpathkeepsstateforaowonlyafteritsendsitsrstsmallpacketStateVariables:WhentheIPSdecidestokeeptrackofaow,itkeepsthefollowingvariables(allindexedbytheTCPconnection5-tuple,usingsayaCAM),(NextExpectedSequenceNumber,32bits)(OutOfOrdersincelastsmallpacket,Boolean)length(Lengthinbytessincelastsmallpacket,7bitscansupportsignatures127bytesorshorter)count(countofanomalies,4bitscansupportvaluesofupto16,1strikesandtheowisout)(LastUpdateTime,3bitscanstoreacoarsetimevaluesucientforagingoutoldunusedtableentries)Insummary,theIPSfastpathmaintainsaowtableforeveryactiveTCPowthathaseversentasmallpacket,whereeachowentrycontainsasmallamountofstatelengthcount)foratotalof48bitsofstateperowthati
skepttrackof(plus96bitsforIPv4sourceanddestinationaddress,andTCPsourceanddestinationport).ThisreducesmemorycomparedtostandardIPSim-plementationsthatneedtokeeptrackofallactiveows(notonlytheonesthateversentasmallpacket)andappeartokeeptrackofaroundtriptimesworthofpacketdatafor Sincewearelookingformultiplesignatures,thisshouldreallybethemaximumlengthacrossallsignaturesbeingdetected.normalization.NotethatourslowpathisnoworseintermsofstateorprocessingthanatraditionalIPS.Thestatema-chineprocessingisasfollows:Toupdatecountcountisinitializedto1whentheowisrstplacedintheowtable.countissubsequentlyincrementedonreceivingasmallpacketforaowif:thepacketssequencenumberisnotequaltoistrue(i.e.,someout-of-ordersincelastsmallpacket),orlengthSignatureLengthNotethatcountisneverupdatedforlargepackets,andisneverincrementedpast1(i.e.itsticksatthatvalue).Toupdate,andlengthissettotrueifthecurrentpacketsequencenum-berisnotequaltoandthepacketislarge;resettofalseifthecurrentpacketissmall(thisreectstheintuitionthatisaagthatdetectsout-of-orderreceptionbetweensmallpackets;henceitisresetwhenasmallpacketisreceived.)issetequalto,whereisthecurrentpacketsequencenumberandistheTCPpayloadlengthofthecurrentpacket,(issettoreectthesequencenumberofthenextexpectedin-orderTCPsegmentinthisow.)lengthisincrementedbythepayloadlengthifthecur-rentpacketislargeandresettozeroifthecurrentpacketissmall(lengthmeasuresthelengthinbytesreceivedforthisowsincethelastsmallpacketwasreceived.)Asaspecialcase,TCPpacketswithnodatacausenochangetoanyofcount,orlength.Allpackets,includingthosewithnodata,causetobeupdatedtothecurrenttime.Afterstateupdate,theentireow(includingthecurrentpacketcausingtheupdate)isdivertedtotheslowpathifeitherofthefollowingtwoconditionsaretrue:1.Thepacketisfoundtocontainapieceofsomesigna-ture(bysomestringmatchingalgorithm).Inthiscasethefastpathcansimplysetcount1inordertodiverttheow.2.Theanomalycountcountisequalto1(onelessthanthenumberofpieces)Iftheowisnotdiverted,thepacketisforwardednor-mallybut,inaddition,acopy
ofthepacketissenttotheslowpathifandonlyifthepacketissmall(i.e.,payloadsizeisintherange[1PieceSize2]).Inotherwords,ifapacketcontainsplausibleevidence(i.e.,packetissmallorcontainsapiece),thenacopyofthepacketissenttotheslowpathforexamination.However,iftheanomalycountistoohighorapieceisdetected,theentireowisdivertedtotheslowpath. 5.5SlowPathAlgorithmEverypacketsentfromthefastpathtotheslowpathissentwithadditionalinformationindicatingwhetheritisacopyofaforwardedpacket,orifthepackethasbeendi-vertedandthushasnotbeenforwardednormallybythefastpath.Whentheslowpathreceivesapacketmarkedasacopy,itstoresitinatableindexedbythepackets5-tuple.Thesepacketsmaybeneededinthefuturefordetectinganoccurrenceofanattacksignature,butdonotrequireanyotherimmediateaction.Iftheslowpathreceivesapacketforaowthatismarkedasdiverted,thenitbecomesresponsiblefordecid-ingwhethertoforwardthepacketontothereceiver.Theslowpathtriestopastetogetherthefragmentsreceivedforow;ifitgetsclosetoformingasignature(therstandlastpiecesmaybemissing)thenthepacketsoftheowaredropped.Themoreprecisespecicationisasfollows.Foreveryow(divertedowsaswellasowsforwhichitreceivescopies),theslowpathmaintainsasingleversionofthereassembledTCPstreamuptothispoint.Clearly,ifsegmentsoverlapandhaveinconsistentdata,onecancreateanexponentialnumberofpossiblereassemblies[8].Sincewewishnottoburdentheslowpath,wesetaagattherstsignofinconsistentdatafortheowanddropthelatersegmentthatisinconsistent.Notethatthisislikedatanormalization[8]exceptthatindatanormalization,thelatersegmentismodiedtobeconsistentwithpreviousseg-ments.Ifdataisinconsistent,theniftheowisdiverted,wesimplydropallfurtherpacketsoftheow.ThisisaDraco-nianstance,butonewhichisconsistentwithend-nodeweakatomicityenforcement.Finally,ifaowisdiverted,theslowpathlooksfortheconcatenationofpieces2through1(ofanysigna-tureinthedatabase)inthereassembledstream.Ifsuchanearmatchisfound,furtherpacketsoftheTCPowaredroppedandtheTCPconnectionisreset.Notethatwhilelookingforsuchanearmatchappearstoworsenthefalsep
ositive rate (because we are looking for only Num. Pieces − 2 of the pieces), one can argue that if the signature is fragmented across packets, the probability of that happening on innocuous data is very low. However, a careful argument requires a model of how random data splits across packets. Overall, we do not feel that the false positive rate will increase at all in practice; even if it does, it can be combated by making the signature longer.

It is possible, but not strictly necessary, for the slow path to do standard data normalization after diversion. In either case, the state and processing requirements (per flow) of the slow path are similar to those of a standard IPS doing data normalization, but working only with a small number of diverted flows. We assume that header normalization (i.e., setting header values to canonical values to avoid information leakage or to prevent attacks) is done both in the fast path and in the slow path. Such header normalization is neither state nor computation intensive [8]. Finally, there are many other details, such as when state can be safely released, for which the extensive techniques in [8] can be used.

6. PROOF

In this section, we establish the correctness of the Split-Detect algorithm. More precisely, the combination of the fast path state machine and the slow path processing will never let a flow containing a signature be sent to a receiver, despite the use of evasion techniques by the sender. We assume that the receiver terminates any TCP flow that attempts to violate weak atomicity before delivery of inconsistent data. Assume the IPS splits the signature into pieces, numbered 1 through Num. Pieces. We need some preliminary definitions.

Definition 1: Consider an IPS that has received a sequence of packets for a TCP flow. A reassembled flow for the sequence is a possible reassembly of the sequence (including cases where the sequence is reordered or arbitrary subsets are dropped) at any end node enforcing atomicity.

Note that the sequence is received at the IPS, but we consider the reassembly done at an end node enforcing atomicity. Thus even if the sequence contains chaff that may not reach the end node, we still apply the end node operation to the sequence. The definition of possible reassembled TCP streams provides a formal definition of an evasion. An evasion is a TCP connection in which some possible reassembly of the connection contains a forbidden string.

The next definition formalizes the notion that the slow path looks for a near miss of the string.

Definition 2: For any string, we define the string Almost( ) of that string to be the string containing Pieces 2 through Num. Pieces − 1 in sequence.

We now formalize the notion of the critical packet, the forwarding of which can cause the string to be delivered to the end node and the game to be lost. Since it is hard to guarantee that such a packet will be detected (it could be a large packet containing the last piece), we relax the definition to say that the critical packet is one that can cause Almost( ) to be delivered. Clearly, preventing Almost( ) will prevent the string itself from being delivered. It is essential that the fast and slow paths conspire together to drop the critical packet. Thus:

Definition 3: The critical packet for a TCP connection containing a string, with respect to an IPS, is the packet from the TCP connection received at the IPS such that Almost( ) is contained in some reassembled TCP stream for this connection up to and including this packet, but such that Almost( ) is not contained in any reassembled TCP stream not including this packet. The collaborators of a critical packet are any prior packets in the TCP connection that are used in some reassembled TCP stream containing Almost( ) up to and including the critical packet.

Observe that merely containing a byte of Almost( ) does not qualify a packet to be a collaborator; it must have sequence numbers for this byte that qualify the byte to be part of a reassembly of Almost( ). We say "some reassembled stream" because there can be more than one possible way to reassemble a TCP stream when there is more than one packet for the same sequence number, or overlapping segments with inconsistent data.

Example: We use (s, P) to denote a TCP packet with sequence number s and payload P, counting sequence numbers from 0. With respect to Almost( ) = ABCDE, suppose a TCP connection sends a first packet containing (0, AB), a second containing (2, XY), a third containing (4, E), a fourth containing (2, CD), and a fifth containing (0, ABC). Then the critical packet is the fourth packet: while there are two possible reassembled streams up to and including this packet (ABXYE and ABCDE), there is one reassembled stream containing the string. Note that while this is also true after the fifth packet, it is first true after the fourth packet received by the IPS. The collaborators of the critical packet are the first, third, and fourth packets.

The following lemma states, intuitively, that the critical packet and its collaborators must either contain a piece or be sufficiently small to warrant being copied to the slow path. See Figure 5.

Lemma 6.1: For any TCP connection and string, the critical packet for the string and all collaborators of the critical packet will either contain a piece of the string in its entirety or have payload length at most 2·PieceSize − 2.

Proof. Consider a packet that is either the critical packet or a collaborator of the critical packet. Such a packet must contain some byte of the string that contributes to some reassembly of Almost( ) at an end node satisfying atomicity. Thus it contains a portion of some piece that is used in this reassembly.

Case 1: If the packet contains any piece in its entirety that is used in the reassembly of Almost( ), we are done.

Case 2: The packet does not contain, in its entirety, a piece that is used in the reassembly. Thus it must either contain a portion of a single piece only, or contain a beginning portion of a piece together with a trailing portion of the preceding piece, or a trailing portion of a piece together with a beginning portion of the following piece. It cannot contain a complete copy of either neighbouring piece, by assumption. Thus the part of the packet containing a portion of Almost( ) must (in all three cases) be of length at most 2·PieceSize − 2.

Now we want to show that the packet can only contain this portion of the signature (i.e., it can have no more bytes that would make this packet large and hence undetectable by the slow path). If it had at least 2·PieceSize − 1 bytes and these bytes were consistent with Almost( ), it would contain a complete piece, which contradicts the assumption of Case 2. Otherwise, if it has more bytes and these bytes are inconsistent with Almost( ), then there must be another packet that contains the correct bytes for Almost( ) at the corresponding sequence numbers that are part of the reassembly of Almost( ) at some end node, and these two packets would violate the weak atomicity delivery assumption at the end node. Thus the packet can only contain a portion of Almost( ) of length at most 2·PieceSize − 2 and no further bytes, and thus must itself have payload length at most 2·PieceSize − 2.
The main theorem formalizes the role of the fast path.

Theorem 1 (Fast Path Diversion): A TCP connection containing the string in some reassembled stream will be diverted to the slow path before or while processing the critical packet in the fast path. Further, if prior to diversion the fast path processed a collaborator of the critical packet, then a copy of the collaborator was sent to the slow path.

Proof. We prove the second part of the theorem first. Consider any collaborator packet processed by the fast path before diversion. By Lemma 6.1, such a packet will either contain a piece in its entirety or have payload size at most 2·PieceSize − 2. In either case, the forwarding rules ensure that a copy will be sent to the slow path.

For the first part of the theorem, consider two cases:

Case 1: A complete piece is sent in its entirety before or in the critical packet. In that case, by the forwarding rules, after (and including) this packet the connection will be diverted to the slow path.

Case 2: No complete piece is sent before or in the critical packet. Then we know that for each piece, a portion of the piece must be sent in a separate packet up to and including the critical packet. By Lemma 6.1, and by the fact that Case 1 has been excluded, the packet containing the portion of each piece must have payload size at most 2·PieceSize − 2. Order these fragments by the time at which they first arrive at the IPS. Thus fragment 1 is the first packet containing a portion of the signature that is processed by the fast path, fragment 2 is the next such packet, and so on.

We claim that between the arrival of each fragment and the next, the count for the connection must increment by 1. Suppose not. We know that both fragments are small because their payload size is at most 2·PieceSize − 2. If the count does not increment, then the out-of-order bit must be false when the later fragment is received, and so the sequence numbers must increase in order from one fragment to the next. But since both fragments contain portions of the signature, the difference in sequence numbers between them must be less than the signature length. But in this case (see the state machine), the count must have incremented, a contradiction.

But if between any two consecutive fragments the count increases by 1, and there are Num. Pieces fragments (one per piece), then the count must have reached Num. Pieces − 1 by the time the critical packet is processed. But in that case, by the diversion rules, the connection must have been diverted after the critical packet is processed by the fast path.

The final theorem formalizes the role of the slow path.

Theorem 2 (Slow Path Blocking): A TCP connection containing the string in some reassembled stream will have its critical packet dropped in the slow path (Safety). Conversely, a TCP connection that does not contain Almost( ) in some reassembly of the connection and has no inconsistent data will not have any packets dropped at the IPS (Liveness).

Proof. The safety part of Theorem 2 follows from Theorem 1. If Theorem 1 holds, then after and including the critical packet, the flow is being processed by the slow path. Also, any collaborators of the critical packet forwarded by the fast path are already at the slow path processor. Since the flow is now being handled by the slow path, all remaining (if any) portions of Pieces 2 through Num. Pieces − 1 (by the definition of collaborators and Almost( )) will also be received by the slow path. If there is more than one possible reassembly of the packets that the slow path has received, then we know that the slow path will be configured to drop further packets of this flow, and we are done. If, on the other hand, there is only one reassembly of the packets received so far, and the slow path has received Pieces 2 through Num. Pieces − 1, it must reassemble these pieces to put them in sequence. Since the slow path algorithm is configured to drop all subsequent packets if it finds Pieces 2 through Num. Pieces − 1 in sequence, at least the critical packet will not have been forwarded before the slow path begins dropping. Hence, by the definition of the critical packet, Almost( ) (and hence the string) cannot be reassembled at the end node.

The liveness part follows trivially from the fact that the slow path only drops packets from a connection when it either finds more than one possible TCP reassembly (which can only happen if the connection has inconsistent data), or finds Pieces 2 through Num. Pieces − 1 of some signature in sequence in its reassembly of the connection.
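Definitions 1 to 3, the worked example of the critical packet, and the slow-path rule of Theorem 2 are small enough to execute. The following Python is an added example, not code from the paper. It models an end node enforcing atomicity as one that uses each packet wholly or not at all and aborts on inconsistent data, so every possible reassembled stream comes from a maximal set of mutually consistent packets read contiguously from sequence number 0 (both the per-packet model and the initial sequence number are assumptions made here). For the paper's example it uses sequence numbers 2 and 4 for the XY/CD and E packets so that byte positions 0 to 4 are all covered, and it then reproduces the two reassemblies ABXYE and ABCDE, the fourth packet as the critical packet, the first, third and fourth packets as collaborators, and the slow path's decision to drop at the fourth packet because the data is inconsistent (the first branch of the safety proof). The function names are this example's own.

```python
"""Section 6 of Split-Detect worked in Python (added example, not the paper's
code). A packet is (seq, payload); an atomicity-enforcing end node is modelled
as using each packet wholly or not at all (assumption), so each possible
reassembly comes from a maximal set of pairwise-consistent packets, read
contiguously from sequence number 0 (assumed initial sequence number)."""


def _consistent(subset):
    """True if no two packets in the subset offer different bytes at one position."""
    seen = {}
    for seq, payload in subset:
        for i, ch in enumerate(payload):
            if seen.setdefault(seq + i, ch) != ch:
                return False
    return True


def _stream(subset):
    """Contiguous byte stream from position 0 that the subset delivers."""
    data = {seq + i: ch for seq, payload in subset for i, ch in enumerate(payload)}
    out, pos = [], 0
    while pos in data:
        out.append(data[pos])
        pos += 1
    return "".join(out)


def maximal_consistent_subsets(packets):
    """0-based index sets of packets that are consistent and cannot be extended."""
    n, result = len(packets), []
    for mask in range(1, 1 << n):
        chosen = [i for i in range(n) if mask >> i & 1]
        sub = [packets[i] for i in chosen]
        if not _consistent(sub):
            continue
        others = [packets[i] for i in range(n) if not mask >> i & 1]
        if any(_consistent(sub + [p]) for p in others):
            continue  # extensible, hence not maximal
        result.append(chosen)
    return result


def reassemblies(packets):
    """Definition 1: every stream some atomicity-enforcing end node could deliver."""
    if not packets:
        return {""}
    return {_stream([packets[i] for i in s]) for s in maximal_consistent_subsets(packets)}


def critical_packet(packets, almost):
    """Definition 3: 1-based index of the first packet after which Almost( )
    appears in some reassembly; None if it never does."""
    for n in range(1, len(packets) + 1):
        if any(almost in s for s in reassemblies(packets[:n])):
            return n
    return None


def collaborators(packets, almost):
    """Packets (1-based, critical packet included as in the paper's example)
    whose bytes fall inside an occurrence of Almost( ) in some reassembly that
    contains it. Carrying a byte of Almost( ) at the wrong sequence number
    does not qualify, as Definition 3 requires."""
    c = critical_packet(packets, almost)
    if c is None or not almost:
        return []
    prefix, used = packets[:c], set()
    for subset in maximal_consistent_subsets(prefix):
        stream = _stream([prefix[i] for i in subset])
        start = stream.find(almost)
        while start != -1:
            lo, hi = start, start + len(almost)
            for i in subset:
                seq, payload = prefix[i]
                if seq < hi and seq + len(payload) > lo:
                    used.add(i + 1)
            start = stream.find(almost, start + 1)
    return sorted(used)


def pieces(signature, piece_size):
    """Cut a signature into fixed-size pieces (the last may be shorter)."""
    return [signature[i:i + piece_size] for i in range(0, len(signature), piece_size)]


def almost_of(piece_list):
    """Definition 2: Pieces 2 through Num. Pieces - 1, in sequence."""
    return "".join(piece_list[1:-1])


def slow_path_verdict(packets, almost):
    """Theorem 2 rule: drop once the packets received so far admit more than one
    reassembly (inconsistent data) or once the unique reassembly contains
    Almost( ); otherwise keep forwarding."""
    streams = reassemblies(packets)
    if len(streams) > 1:
        return "drop: inconsistent data"
    if almost and almost in next(iter(streams)):
        return "drop: Almost(S) in sequence"
    return "forward"


# The paper's example with offsets 2 and 4 so bytes 0..4 are covered (constructed).
PAPER_EXAMPLE = [(0, "AB"), (2, "XY"), (4, "E"), (2, "CD"), (0, "ABC")]

if __name__ == "__main__":
    print(sorted(reassemblies(PAPER_EXAMPLE[:4])))   # ['ABCDE', 'ABXYE']
    print(critical_packet(PAPER_EXAMPLE, "ABCDE"))    # 4
    print(collaborators(PAPER_EXAMPLE, "ABCDE"))      # [1, 3, 4]
    for n in range(1, len(PAPER_EXAMPLE) + 1):
        print(n, slow_path_verdict(PAPER_EXAMPLE[:n], "ABCDE"))
```

Exhaustive subset enumeration is fine for illustrating the definitions but is exponential in the number of buffered packets; a production slow path would instead keep the per-flow reassembly buffer of a normalizer and flag the first overlapping segment whose bytes disagree with buffered data, which is the event that makes the reassembly non-unique.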
7. RESULTS

Beyond correctness, the motivation for Split-Detect is performance. In this section, we describe preliminary results that indicate that Split-Detect can achieve a speedup of 10, and a memory compression of between 10 and 100, making it possible to implement it on-chip at 20 Gbps. We also show robustness of the result across time (same packet capture point, different times) and space (different packet capture points, different networks).

In the trace-driven simulations, flow states are created when the first packet whose payload contains at most 2·PieceSize − 2 bytes is encountered for the flow, as described earlier. Flow states are aged out if no packet is received for the connection for at least 2 minutes. Figure 6 provides statistics about the traces we analyzed. All of them except "A large enterprise" are publicly available.

The results that follow are described in terms of tables with the following column headings. Packets with between 1 and Small_Thresh bytes (inclusive) in their TCP payloads are considered small, where Small_Thresh is equal to 2·PieceSize − 2. The count at which redirection occurs is equal to Num. Pieces − 1. Max flows is the maximum number of flows in the fast path's flow table at any time during the simulation over the packet trace. % flows is equal to Max flows divided by the total number of flows in the trace. To calculate the total number of flows in the trace, we ran a separate program that simply created a flow entry the first time a packet was seen for a new flow (regardless of its size), and aged out entries when no packets had been seen for the connection for 2 minutes. This is intended to represent the number of flow states that would be required by a traditional IPS system for the same traffic.

In the results we report separately the fraction of packets/bytes copied to the slow path, and the total fraction of packets/bytes that were diverted (either copied or redirected). This latter set of numbers represents the total load on the slow path. Our simulations are effectively performed with no pieces installed. A more complete simulation depending upon packet content and signatures is difficult to perform using public sources due to privacy concerns.

Our first experiment examines the effect of varying the number of pieces on the two metrics of interest: the diversion ratio (fraction of traffic shunted to the slow path) and the amount of state kept in the fast path (fraction of connections the fast path keeps state for). We used a single OC-48 trace and varied both the signature length and the number of pieces; we stay within the range of signature lengths used in practice, and never decrease the piece size below 4 bytes.

In Figure 7 we vary the signature length and the number of pieces. All other parameters (e.g., the small packet threshold, which is 2·PieceSize − 2) can be derived from these two parameters. The overall message is that using a reasonable small packet threshold of 8 to 16 bytes for the common case of 40 byte signatures with 4 to 8 pieces results in keeping state for only 5% of the flows and diverts 8% to 12% of the traffic, in either bytes or packets, providing a factor of 10 improvement in throughput. This implies that the slow path can run at 2 Gbps, which is easily achievable today.

Similarly, keeping 5% of 1 million flows (not the numbers in the traces but the numbers aimed for by an IPS today) results in keeping track of 50,000 flows, which at roughly 150 bits per flow (100 bits for flow ID and 48 bits for state) for the state machine described in Section 5.4 results in 7.5 Mbits of memory. 7.5 Mbits is easily achievable using on-chip memory, allowing a single chip implementation of the fast path state machine. For graceful degradation, if the fast path exhausts its on-chip memory, all subsequent flows that contain a small packet have to be diverted to the slow path.

Figure 8 compares one of the previous results against one that we consider to be a poor choice of parameters. In general, breaking a large signature into only a few large pieces is bad for two reasons. First, it leads to a larger Small_Thresh value, and thus more packets are considered small by the fast path. Second, it leads to a smaller value that the count must reach before the rest of the flow is redirected to the slow path.

For all of the remaining results, we report only the results for PieceSize = 6 (thus Small_Thresh = 10) and Num. Pieces = 5, which is possible for signatures containing at least 30 bytes. Although the table is not shown, we compared results using the same parameters, but for traces collected from the same link (an OC-48 link) at three different times, each taken several months apart. The intent was to determine whether there was any obvious trend in the traffic characteristics indicating that the performance of Split-Detect changes over time. The results for the August 14, 2002 and January 15, 2003 traces are similar. The fraction of packets sent to the slow path for the April 24, 2003 trace is noticeably lower. We attribute this to the fact that it was taken at a different time of day, when the total traffic load was lower. The results show that in all cases the fraction of diverted traffic stays under 10%, as needed for our speedup arguments, but can be lower (as low as 3%) during some periods.

So far the results have been for a single wide-area trace. Figure 9 uses the same parameter values and reports the results for all the traces shown in Figure 6. Figure 9 shows that the results seem fairly invariant to the type of trace used. The University and large enterprise traces we used, in particular, are more representative of enterprises where an IPS is more likely to be deployed.

Finally, we note that with DFA implementations of string matching (such as Aho-Corasick [1]), the cost of string matching increases linearly with the bytes in a string. Thus increasing the number of pieces (without changing the overall bytes matched) should not greatly increase complexity.

8. CLEAN SLATE APPROACHES

While much of this paper deals with existing TCP end nodes, we have argued for a small change in TCP end nodes (weak atomicity). Given that there is a general dissatisfaction with the status quo, as evinced by proposals such as FIND to rearchitect the Internet [7], it is worth posing the question: what other changes in transport protocols could make the job of detecting signatures easier in the network?

Even with the assumption of weak atomicity in end nodes and exact signatures, the solution described in this paper had the disadvantage of only detecting Almost( ) instead of the exact signature. Recall that Almost( ) is the signature with the first and last pieces missing. While one can argue that if the signature is long enough this does not change the false positive rate appreciably, this is difficult to sell to security analysts.
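Returning to the trace-driven simulation of Section 7 and the fast-path forwarding rules relied on in the proof of Theorem 1, the following Python is an added example, not the paper's simulator. It takes from the page the small-packet threshold 2·PieceSize − 2, flow-state creation at a flow's first small packet, 2-minute aging, copying of small packets and of packets carrying a whole piece, and redirection of the flow once a whole piece is seen or the count reaches Num. Pieces − 1; it reports Max flows, the traditional flow count, and the copied and diverted fractions the tables use. The exact count rule of the paper's Section 5.4 is not on this page, so the rule below (increment on a small packet that is out of order relative to, or within a signature length of, the flow's previous small packet) is reconstructed from the proof of Theorem 1 and is an assumption, as are the class and function names and the three-flow trace, which is constructed rather than captured.

```python
"""Fast-path simulator for Split-Detect (added example, not the paper's code).
Rules from the page: payload of 1..Small_Thresh = 2*PieceSize-2 bytes is small;
flow state is created at the first small packet and aged out after 2 minutes;
small packets and packets with a whole piece are copied to the slow path; the
flow is redirected once a whole piece is seen or count reaches Num_Pieces-1.
ASSUMPTION: the count rule is reconstructed from the proof of Theorem 1, not
taken from the paper's Section 5.4, which is not on this page."""
from dataclasses import dataclass
from typing import Optional

AGE_OUT_S = 120.0  # "no packet for at least 2 minutes"


@dataclass
class FlowState:
    last_seen: float
    count: int = 0
    prev_small_seq: Optional[int] = None
    redirected: bool = False


class FastPath:
    def __init__(self, sig_length, num_pieces, pieces=()):
        self.piece_size = sig_length // num_pieces
        self.small_thresh = 2 * self.piece_size - 2
        self.redirect_count = num_pieces - 1
        self.sig_length = sig_length
        self.pieces = list(pieces)  # empty mirrors the paper's "no pieces installed"
        self.flows, self.max_flows = {}, 0

    def _age_out(self, now):
        for f in [f for f, s in self.flows.items() if now - s.last_seen >= AGE_OUT_S]:
            del self.flows[f]

    def process(self, now, flow_id, seq, payload):
        """Return 'fast' (hardware forward), 'copy' (forward plus copy to slow
        path) or 'redirect' (whole flow now handled by the slow path)."""
        self._age_out(now)
        st = self.flows.get(flow_id)
        if st is not None:
            st.last_seen = now
            if st.redirected:
                return "redirect"
        small = 1 <= len(payload) <= self.small_thresh
        has_piece = any(p in payload for p in self.pieces)
        if st is None:
            if not (small or has_piece):
                return "fast"  # no state for flows seen only in large packets
            st = self.flows[flow_id] = FlowState(last_seen=now)
            self.max_flows = max(self.max_flows, len(self.flows))
        if has_piece:
            st.redirected = True  # Theorem 1, Case 1
            return "redirect"
        if not small:
            return "fast"
        if st.prev_small_seq is not None:  # reconstructed count rule (assumption)
            out_of_order = seq < st.prev_small_seq
            close = abs(seq - st.prev_small_seq) < self.sig_length
            if out_of_order or close:
                st.count += 1
        st.prev_small_seq = seq
        if st.count >= self.redirect_count:
            st.redirected = True  # Theorem 1, Case 2
            return "redirect"
        return "copy"


def simulate(trace, fast_path):
    """Run (time_s, flow_id, seq, payload) records and return Section 7 metrics:
    Max flows, total flows (traditional IPS counting), copied and diverted."""
    traditional, total_flows, pkts, nbytes = {}, 0, 0, 0
    copied = {"pkts": 0, "bytes": 0}
    diverted = {"pkts": 0, "bytes": 0}
    for now, fid, seq, payload in trace:
        for f in [f for f, t in traditional.items() if now - t >= AGE_OUT_S]:
            del traditional[f]
        total_flows += fid not in traditional
        traditional[fid] = now
        pkts, nbytes = pkts + 1, nbytes + len(payload)
        verdict = fast_path.process(now, fid, seq, payload)
        for bucket, hit in ((copied, verdict == "copy"), (diverted, verdict != "fast")):
            if hit:
                bucket["pkts"] += 1
                bucket["bytes"] += len(payload)
    return {"max_flows": fast_path.max_flows, "total_flows": total_flows,
            "pct_flows": 100.0 * fast_path.max_flows / max(total_flows, 1),
            "copied_pkts": copied["pkts"], "copied_bytes": copied["bytes"],
            "diverted_pkts": diverted["pkts"], "diverted_bytes": diverted["bytes"],
            "pct_pkts_diverted": 100.0 * diverted["pkts"] / max(pkts, 1),
            "pct_bytes_diverted": 100.0 * diverted["bytes"] / max(nbytes, 1)}


# Constructed trace (not capture data): a bulk transfer, an interactive session,
# and an evader slicing a 30-byte signature into 3-byte segments.
SIGNATURE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123"
CONSTRUCTED_TRACE = sorted(
    [(0.1 * i, "bulk", 1460 * i, "x" * 1460) for i in range(3)]
    + [(0.5, "chat", 0, "hi"), (30.0, "chat", 2, "ok")]
    + [(1.0 + 0.1 * i, "evade", 3 * i, SIGNATURE[3 * i:3 * i + 3]) for i in range(10)]
)


def run_demo():
    """PieceSize 6, Num_Pieces 5: Small_Thresh 10, redirect at count 4."""
    return simulate(CONSTRUCTED_TRACE, FastPath(sig_length=30, num_pieces=5))


if __name__ == "__main__":
    print(run_demo())
```

On this trace the evader's flow is redirected at its fifth 3-byte segment (the count reaches 4 after four closely spaced small packets), the two-keystroke chat session is only copied, and the bulk flow never creates fast-path state, which is the behaviour the Figure 7 columns summarize over real traces.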
Figure 6: Summary data for the packet traces analyzed (some cells are missing in the source)

Trace                            Duration (min)   Avg. pkts/sec   Avg. bits/sec   % of TCP packets
CAIDA 2002-08-14 09:00                            75K             344M            93%
CAIDA 2003-01-15 09:59                            59K             326M            88%
CAIDA 2003-04-24 00:55                            23K             92M             91%
A large enterprise                                                25M             90%
Univ. Florida                                     39K             223M            91%
Lawrence-Berkeley National Lab                                    7M

Figure 7: Effect of varying parameters on the same packet trace. The original columns are Sig Length, Piece Size, Num. Pieces, Small_Thresh, Max flows, % flows, % pkts/bytes copied and % pkts/bytes diverted; only the trailing values of each row survive in the source.

Other values (as extracted)   % pkts/bytes copied   % pkts/bytes diverted
10  34494                     0.51% / 0.04%         10.85% / 9.98%
5   30482                     0.51% / 0.04%         9.06% / 8.31%
8   8                         0.46% / 0.04%         6.02% / 5.29%
                              0.38% / 0.03%         3.43% / 4.04%
10  34494                     0.38% / 0.03%         12.66% / 12.01%
5   24215                     0.42% / 0.03%         8.03% / 7.20%
6   8                         0.42% / 0.03%         6.88% / 6.24%
                              0.15% / 0.01%         2.00% / 2.41%
4   8                         0.34% / 0.03%         8.39% / 7.95%
5   6                         0.31% / 0.02%         5.48% / 6.38%

Figure 8: Effect of poorly chosen parameters on the fraction of diverted traffic. The original columns are Sig. Length, Piece Size, Num. Pieces, Small_Thresh, Max flows, % flows and % pkts/bytes diverted; only the trailing values survive in the source.

Other values (as extracted)   % pkts/bytes diverted
5   24215                     8.03% / 7.20%
16  48026                     15.18% / 13.76%

Figure 9: Variation in the diverted traffic across traces taken from different networks (some cells are missing in the source)

Trace                            Max flows   % of flows   % pkts/bytes copied   % pkts/bytes copied/redirected
CAIDA OC-48 2002-08-14                                    0.42% / 0.03%         8.03% / 7.20%
A large enterprise                                        0.38% / 0.03%         8.81% / 11.79%
Univ. Florida                                             0.54% / 0.04%         5.68% / 5.56%
Lawrence-Berkeley National Lab               20.92%       0.21% / 0.02%         1.52% / 3.07%

However, the following radical change in the transport protocol can remedy this. Imagine that the transport protocol repeats the last few bytes of each packet (a fixed number of them, the overlap) in the first bytes of the next packet. Then it follows that any string of length no more than the overlap will be contained in its entirety in some packet. If the string happens to split across a packet boundary, it will be found in its entirety in the following packet. If the overlap is as large as the piece size (say 10 bytes), then a very simple fast path state machine can divert a flow to the slow path if any piece is detected.

The Clean Slate approach also suggests the following implementational alternative to architectural revolution. Send the last bytes and the first bytes of every packet to the slow path. If the average packet size is, say, 200 bytes and the overlap is 10, this will add a further 10% overhead to the diverted traffic. Finally, if the slow path detects Almost( ), then these additional bytes can be examined to confirm that the full signature was sent before dropping packets in the connection.

9. CONCLUSION

This paper is a gentle first volley suggesting an alternative to full state reassembly and normalization at high speeds, using the ideas of cutting signatures into pieces that are looked for, as well as looking for unusual small packet activity indicative of attempts to cut between pieces. While much remains to be done, we note the following.

The experimental data seems to support a speedup of 10, and a state compression of 10 to 20. More compression appears possible via compact data structures (e.g., Bloom Filters) in return for diverting slightly more than the required number of flows.

The end node atomicity required by Split-Detect may seem too high a price to pay. However, we believe it is possible to prove a lower bound showing that detecting overlapping fragments in the network requires almost as much memory as data normalization. If this is true, then end node atomicity may be required for high performance reassembly and normalization. From our preliminary investigation, weak atomicity appears easy to implement after adding one MTU worth of extra buffering and a small amount of extra processing in rare cases. Note that the limitation that Almost( ) is detected rather than the full signature can be remedied by diverting some of the first and last bytes of every packet.

Finally, our paper has dealt only with exact matching, but most IPS vendors support regular expressions. First, note that while regular expressions are commonly used to abstractly describe vulnerabilities, exact strings suffice to describe exploits, which may suffice for blocking at switches in the immediate aftermath of an attack such as a worm. Further, we have already identified a class of regular expressions that can be handled by Split-Detect techniques. These are regular expressions that use the OR operator (i.e., |) and the . operator (any single character). Regular expressions built from literal strings with these operators can be broken into pieces; all we need is for the fast path to be able to match these expressions using standard DFA techniques. In particular, we can handle upper and lower case, which is very common in IPS rules. Also, if the regular expression consists of two component strings, the fast path can send a copy of whichever string is detected first without diverting the flow. When the other string is seen, the flow can be diverted to the slow path. Our preliminary study of a commercial IPS database as well as the ClamAV database shows that 60 to 80% of the rules fit these categories. We are working on further extensions to this, and on techniques to rewrite regular expressions to make them fit the classes we can handle.

Changes to end nodes and to the use of regular expressions are clearly difficult to popularize. But when considered against the backdrop of an even more difficult problem, that of detecting attack signatures at very high speeds, perhaps such changes seem more reasonable.

10. ACKNOWLEDGEMENTS

We are grateful to Jonathan Chang, Tom Edsall, Mike Hall, Pere Monclus, Sushil Singh, and Sumeet Singh of Cisco Systems for fruitful discussions. George Varghese would also like to acknowledge NSF Grant ANI 0137102 and a grant from NIST that helped stimulate the direction of the current research, which was done entirely at Cisco.

11. REFERENCES

[1] Alfred V. Aho and Margaret J. Corasick. Efficient string matching: An aid to bibliographic search. Communications of the ACM, 18(6):333-340, June 1975.
[2] N. Alon, Y. Matias, and M. Szegedy. The space complexity of approximating the frequency moments. Proceedings of the 28th ACM Symposium on Theory of Computing, pages 20-29, May 1996.
[3] G. Appenzeller, I. Keslassy, and N. McKeown. Sizing router buffers. Proceedings of ACM SIGCOMM, 2004.
[4] D. Clark. The structuring of systems using upcalls. Proceedings of the 10th ACM Symposium on Operating Systems Principles, pp. 171-180, December 1-4, 1985.
[5] S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood. Deep packet inspection using parallel Bloom filters. Hot Interconnects, Aug. 2003.
[6] S. Dharmapurikar and V. Paxson. Robust TCP stream reassembly in the presence of adversaries. Proceedings of the 14th USENIX Security Symposium, Baltimore, 2005.
[7] The Future of the Internet. Red Herring, April 10th, 2006.
[8] M. Handley, C. Kreibich, and V. Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. Proc. USENIX Security Symposium, May.
[9] K. Levchenko, R. Paturi, and G. Varghese. On the difficulty of scalably detecting network attacks. Proc. of the Eleventh ACM Conference on Computer and Communications Security, October 2004.
[10] Nikto, http://www.cirt.net/code/nikto.shtml
[11] NSS Group. Intrusion Prevention Systems (IPS) Group Test (Edition 3), NSS Group, August 2005, http://www.nss.co.uk
[12] V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec 1999.
[13] V. Paxson and M. Handley. Defending against NIDS evasion using traffic normalizers. Second International Workshop on the Recent Advances in Intrusion Detection, September 1999.
[14] T. Ptacek and T. Newsham. Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection. Secure Networks, Inc., Jan. 1998.
[15] M. Roesch. Snort - Lightweight intrusion detection for networks. LISA 99.
[16] C. Shannon, D. Moore, and k. claffy. Characteristics of fragmented IP traffic on Internet links. Workshop on Passive and Active Measurement, 2001.
[17] Dug Song, 2002. Fragroute, http://www.monkey.org/dugsong/fragroute/