TY - GEN
T1 - An efficient TCP reassembler mechanism for layer7-aware network intrusion detection/prevention systems
AU - Hanaoka, Miyuki
AU - Kono, Kenji
AU - Shimamura, Makoto
AU - Yamaguchi, Satoshi
PY - 2007/12/1
Y1 - 2007/12/1
N2 - Exploiting layer7 context is an effective approach to improving the accuracy of detecting malicious messages in network intrusion detection/prevention systems (NIDS/NIPSs). Unfortunately, layer7-aware NIDS/NIPSs pose crucial implementation issues because they require full TCP/IP reassembly without losing 1) complete prevention, 2) performance, 3) application transparency, or 4) transport transparency. To the best of our knowledge, none of the existing approaches meet all of these requirements. Our store-through mechanism meets all four by forwarding each out-of-order or IP-fragmented packet immediately after copying it, even if it has not been checked yet. Although the forwarded packet might turn out to be a part of an attack, the store-through can successfully defend against the attack by blocking one of the subsequent packets. Testing of a prototype in Linux kernel 2.4.30 demonstrated that the overhead of our mechanism is negligible compared with that of a simple IP forwarder, even in the presence of out-of-order packets.
AB - Exploiting layer7 context is an effective approach to improving the accuracy of detecting malicious messages in network intrusion detection/prevention systems (NIDS/NIPSs). Unfortunately, layer7-aware NIDS/NIPSs pose crucial implementation issues because they require full TCP/IP reassembly without losing 1) complete prevention, 2) performance, 3) application transparency, or 4) transport transparency. To the best of our knowledge, none of the existing approaches meet all of these requirements. Our store-through mechanism meets all four by forwarding each out-of-order or IP-fragmented packet immediately after copying it, even if it has not been checked yet. Although the forwarded packet might turn out to be a part of an attack, the store-through can successfully defend against the attack by blocking one of the subsequent packets. Testing of a prototype in Linux kernel 2.4.30 demonstrated that the overhead of our mechanism is negligible compared with that of a simple IP forwarder, even in the presence of out-of-order packets.
UR - http://www.scopus.com/inward/record.url?scp=48049106857&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=48049106857&partnerID=8YFLogxK
U2 - 10.1109/ISCC.2007.4381605
DO - 10.1109/ISCC.2007.4381605
M3 - Conference contribution
AN - SCOPUS:48049106857
SN - 1424415217
SN - 9781424415212
T3 - Proceedings - IEEE Symposium on Computers and Communications
SP - 79
EP - 86
BT - 12th IEEE International Symposium on Computers and Communications, ISCC '07
T2 - 12th IEEE International Symposium on Computers and Communications, ISCC '07
Y2 - 1 July 2007 through 4 July 2007
ER -