Standard pattern-matching methods used for deep packet inspection and network security can be evaded by means of TCP and IP fragmentation. To detect such attacks, intrusion detection systems must reassemble packets before applying matching algorithms, thus requiring a large amount of memory and time to respond to the threat. In the literature, only a few efforts proposed a method to detect evasion attacks at high speed without reassembly. The aim of this article is to introduce an efficient system for anti-evasion that can be implemented in real devices. It is based on counting Bloom filters and exploits their capabilities to quickly update the string set and deal with partial signatures. In this way, the detection of attacks and almost all of the traffic processing is performed in the fast data path, thus improving the scalability of intrusion detection systems.
展开▼
机译:用于深度数据包检测和网络安全的标准模式匹配方法可以通过 TCP 和 IP 分段来规避。为了检测此类攻击,入侵检测系统必须在应用匹配算法之前重新组装数据包,因此需要大量的内存和时间来响应威胁。在文献中,只有少数人提出了一种无需重新组装即可高速检测规避攻击的方法。本文的目的是介绍一种可以在真实设备中实现的高效反规避系统。它基于计数 Bloom 过滤器,并利用其功能来快速更新字符串集并处理部分签名。这样,攻击的检测和几乎所有的流量处理都在快速数据路径中执行,从而提高了入侵检测系统的可扩展性。
展开▼
