TCP/IP Reassembly in Network Intrusion Detection and Prevention Systems

2014 ◽  
Vol 8 (3) ◽  
pp. 63-76 ◽  
Author(s):  
Xiaojun Wang ◽  
Brendan Cronin

Deep Packet Inspection (DPI) in Network Intrusion Detection and Prevention Systems (NIDPS) typically involves matching packet payloads against attack signatures in the form of fixed strings and regular expressions. As an attack pattern may span multiple IP fragments or TCP segments, accurate DPI requires that the traffic be reassembled prior to analysis of the payload data stream. Although hardware acceleration of the TCP layer, including reassembly, is well known in the form of TCP Offload Engines for Network Interface Cards, only limited research has been conducted into reassembly architectures suited to the particular requirements of DPI systems. These challenging requirements include the tracking and fragment/segment reordering of a potentially very large number of streams, in addition to dealing with subtle ambiguities in IP fragmentation and TCP segmentation using target-based reassembly or traffic normalization. In this article, the authors present a combined hardware and software architecture which harnesses the resources of the latest FPGA technology to improve on existing research proposals.
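The three problems the abstract names (a signature straddling a segment boundary, overlapping segments whose bytes disagree, and the choice between target-based reassembly and normalization) can be shown on a few constructed segments. The following is an added illustration, not code from the paper or its FPGA design: the signature, the traffic and the "first"/"last" overlap policies are all assumptions made here, and real operating systems apply more nuanced overlap rules than the two modelled.

```python
"""Added example (not code from the paper): rebuild a TCP byte stream from its
segments before signature matching, and show why the segment-overlap policy
must match the target host (or be removed by an inline normalizer)."""
import re
from typing import Dict, List, Set, Tuple

Segment = Tuple[int, bytes]          # (sequence number of first payload byte, payload)

# Hypothetical content signature used throughout this example.
SIGNATURE = re.compile(rb"/bin/sh")

# Constructed traffic (not a capture): one request split across two segments,
# with the signature straddling the segment boundary.
ISN = 1000
SPLIT_STREAM: List[Segment] = [
    (ISN,      b"GET /cgi-bin/x?cmd=/bin"),      # 23 bytes
    (ISN + 23, b"/sh HTTP/1.0\r\n"),
]
# Same request, but the sender first transmits a harmless value and then an
# overlapping "retransmission" carrying different bytes for the same range.
OVERLAP_STREAM: List[Segment] = [
    (ISN,      b"GET /cgi-bin/x?cmd=/bin/XX HTTP/1.0\r\n"),
    (ISN + 23, b"/sh"),
]


def per_packet_hit(segments: List[Segment], sig=SIGNATURE) -> bool:
    """Naive matcher: inspects each payload in isolation, so a pattern that
    spans a segment boundary is never seen."""
    return any(sig.search(data) for _, data in segments)


def reassemble(segments: List[Segment], isn: int, policy: str = "first") -> bytes:
    """Return the contiguous byte stream starting at isn.

    policy "first": the bytes that arrived first for an offset are kept;
    policy "last":  later bytes overwrite earlier ones.
    These are the two simplest overlap policies (an assumption of this example);
    target-based reassembly means applying the rule of the actual destination
    host instead of one fixed rule.  Segments may arrive in any order; the
    stream is cut at the first hole.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    buf: Dict[int, int] = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq - isn + i
            if off < 0:
                continue                     # data before the stream start is dropped
            if off in buf and policy == "first":
                continue
            buf[off] = byte
    out = bytearray()
    off = 0
    while off in buf:                        # stop at the first missing byte
        out.append(buf[off])
        off += 1
    return bytes(out)


def stream_hit(segments: List[Segment], isn: int, policy: str = "first",
               sig=SIGNATURE) -> bool:
    """Match against the stream as a host using `policy` would see it."""
    return sig.search(reassemble(segments, isn, policy)) is not None


def normalize(segments: List[Segment], isn: int) -> List[Segment]:
    """Inline normalizer: forward only bytes not already forwarded, splitting a
    segment into runs of fresh bytes.  Every host behind the normalizer then
    sees the "first" interpretation, so the overlap ambiguity disappears.
    (Re-segmenting real packets and fixing checksums is outside this model.)"""
    covered: Set[int] = set()
    forwarded: List[Segment] = []
    for seq, data in segments:
        run_start = None
        for i in range(len(data) + 1):
            fresh = i < len(data) and (seq - isn + i) not in covered
            if fresh and run_start is None:
                run_start = i
            elif not fresh and run_start is not None:
                forwarded.append((seq + run_start, data[run_start:i]))
                covered.update(range(seq - isn + run_start, seq - isn + i))
                run_start = None
    return forwarded


if __name__ == "__main__":
    print("split, per packet  :", per_packet_hit(SPLIT_STREAM))
    print("split, reassembled :", stream_hit(SPLIT_STREAM, ISN))
    for pol in ("first", "last"):
        print(f"overlap, policy={pol:5}:", stream_hit(OVERLAP_STREAM, ISN, pol))
    print("overlap, normalized:", normalize(OVERLAP_STREAM, ISN))
```

On the split stream only the reassembled view matches; on the overlapping stream the verdict flips with the policy, which is exactly the disagreement between sensor and target host that an evasion exploits. The normalizer removes the disagreement by never letting the second copy of the bytes through, at the cost of having to sit inline. A real reassembler also has to bound the buffer kept per stream and decide when a hole is a lost segment rather than reordering; the cut-at-first-hole rule here is the simplest stand-in for that.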

Author(s):  
E. Earl Eiland ◽  
Scott C. Evans ◽  
T. Stephen Markham ◽  
Bruce Barnett ◽  
Jeremy Impson ◽  
...  

Author(s):  
Vinoth Kumar K

The vast majority of system security applications in today's systems depend on deep packet inspection. In recent years, regular expression matching has been used as an important operator: it examines whether or not a packet's payload matches a group of predefined regular expressions. Regular expressions are parsed using deterministic finite automata (DFA) representations. However, representing regular expression sets as DFAs requires a large amount of memory, an excessive amount of time, and an excessive amount of per-flow state, limiting their practical application. This chapter explores network intrusion detection systems.
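The memory cost the abstract refers to is easiest to see on a single small expression. The block below is an added example, not code from the chapter: it runs the subset construction on a position NFA for patterns of the form `.*a.{n}b` (a literal, n wildcards, a literal, matched anywhere in the input) and counts the resulting DFA states, which grow as 3·2^n even though the expression has n+2 symbols. The three-letter alphabet and the dense-table size estimate are assumptions of the example.

```python
"""Added example (not code from the chapter): subset construction for one
regular expression of the form .*a.{n}b, showing that DFA size grows
exponentially in n even though the expression itself is tiny."""
from typing import Dict, FrozenSet, List, Set, Tuple

Transitions = Dict[Tuple[int, str], int]


def build_dfa(pattern: List[str], alphabet: str) -> Tuple[int, Set[int], Transitions]:
    """pattern: list of literal characters or '.' (any character), matched
    anywhere in the input, i.e. with an implicit leading '.*'.
    NFA positions are 0..len(pattern): position 0 self-loops on every
    character (the '.*'), position i advances to i+1 when pattern[i] matches,
    and position len(pattern) is accepting.  Returns the number of DFA states,
    the accepting state ids and the dense transition table."""
    def step(subset: FrozenSet[int], ch: str) -> FrozenSet[int]:
        nxt = {0}
        for pos in subset:
            if pos < len(pattern) and pattern[pos] in ('.', ch):
                nxt.add(pos + 1)
        return frozenset(nxt)

    start = frozenset({0})
    ids: Dict[FrozenSet[int], int] = {start: 0}
    work = [start]
    trans: Transitions = {}
    while work:
        subset = work.pop()
        for ch in alphabet:
            nxt = step(subset, ch)
            if nxt not in ids:
                ids[nxt] = len(ids)
                work.append(nxt)
            trans[(ids[subset], ch)] = ids[nxt]
    accepting = {sid for s, sid in ids.items() if len(pattern) in s}
    return len(ids), accepting, trans


def dfa_search(accepting: Set[int], trans: Transitions, text: str) -> bool:
    """One table lookup per input character (the reason DFAs are attractive);
    reports whether the pattern occurs anywhere in text.  Characters outside
    the alphabet the table was built for raise KeyError."""
    state = 0
    for ch in text:
        state = trans[(state, ch)]
        if state in accepting:
            return True
    return False


def wildcard_pattern(n: int) -> List[str]:
    """The pattern a.{n}b as a position list."""
    return ['a'] + ['.'] * n + ['b']


def dfa_state_count(n: int, alphabet: str = "abc") -> int:
    """Number of DFA states for .*a.{n}b over the given alphabet (3 * 2**n)."""
    return build_dfa(wildcard_pattern(n), alphabet)[0]


def table_bytes(states: int, alphabet_size: int = 256, entry_bytes: int = 4) -> int:
    """Memory for a dense transition table over a byte alphabet (assumed 4-byte entries)."""
    return states * alphabet_size * entry_bytes


if __name__ == "__main__":
    for n in range(0, 13, 2):
        states = dfa_state_count(n)
        print(f"a.{{{n}}}b -> {states:6d} DFA states, "
              f"{table_bytes(states) / 1024:8.0f} KiB dense table")
    _, acc, tr = build_dfa(wildcard_pattern(2), "abc")
    print(dfa_search(acc, tr, "ccaccb"), dfa_search(acc, tr, "aab"))
```

The positions after the first `a` behave as a shift register recording which of the last n+1 input characters were `a`, so every combination is a distinct DFA state; compiling several such signatures into one automaton multiplies the effect, which is why NIDPS implementations fall back to NFAs, hybrid automata or compressed transition tables.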


2013 ◽  
Vol 7 (3) ◽  
pp. 664-669
Author(s):  
Dejan Georgiev ◽  
Aristotel Tentov

In this paper we present logical circuits for efficient detection of rolled-out contents. As network speeds increase and security matters, there is a demand for implementing hardware-based Network Intrusion Detection and Prevention Systems (NIDPS). On the other hand, hardware-based NIDPS lack the flexibility to detect so-called "evasion" techniques. Here we present a simple but efficient enhancement to content matching in hardware using a minimal number of basic memory elements (flip-flops).


2020 ◽  
Vol 3 (7) ◽  
pp. 17-30
Author(s):  
Tamara Radivilova ◽  
Lyudmyla Kirichenko ◽  
Maksym Tawalbeh ◽  
Petro Zinchenko ◽  
Vitalii Bulakh

The problem of load balancing in intrusion detection systems is considered in this paper. An analysis of existing load balancing problems and of modern methods for solving them is carried out. Types of intrusion detection systems and their descriptions are given. A description of the intrusion detection system, its location, and the functioning of its elements in the computer system is provided. A comparative analysis of load balancing methods based on packet inspection and service time calculation is performed. An analysis of the causes of load imbalance in the intrusion detection system elements and of the effects of that imbalance is also presented. A model of a network intrusion detection system based on packet signature analysis is presented. This paper describes the multifractal properties of traffic. Based on the analysis of intrusion detection systems, multifractal traffic properties and the load balancing problem, a balancing method is proposed, which is based on the functioning of the intrusion detection system elements and analysis of the multifractal properties of incoming traffic. The proposed method takes into account the time of deep packet inspection required to compare a packet with signatures, which is calculated from the degree of multifractality of the information flow. Load balancing rules are generated from the estimated average time of deep packet inspection and the traffic's multifractal parameters. This paper presents simulation results for the proposed load balancing method compared to the standard method. It is shown that the load balancing method proposed in this paper provides a uniform load distribution across the intrusion detection system elements. This allows for high speed and accuracy of intrusion detection with high-quality multifractal load balancing.


Author(s):  
P. Vetrivelan ◽  
M. Jagannath ◽  
T. S. Pradeep Kumar

The Internet has greatly transformed the way business is done; this vast network and its associated technologies have opened the door to an increasing number of security threats that are dangerous to networks. The first part of this chapter presents a new dimension of denial-of-service attacks, the TCP SYN Flood attack, which has been witnessed for the severity of its damage, and the second part addresses worms, which are a major threat to the Internet. The TCP SYN Flood attack is detected by means of anomaly detection, and the real source of the attack is traced back using the Modified Efficient Packet Marking (EPM) algorithm. Smart, camouflaging worms are sensed by means of a technique called Modified Controlled Packet Transmission (MCPT). Finally, networks affected by these types of worms are detected and recovered by means of the Modified Centralized Worm Detector (MCWD) mechanism. Network Intrusion Detection and Prevention Systems (NIDPS) for flooding and worm attacks are analyzed and presented.

