
Normalizer


damien




Presentation Transcript


  1. Normalizer: get rid of the ambiguities in the traffic stream

  2. NIDS: network intrusion detection system • Attackers can exploit ambiguities in the traffic stream to evade monitoring by the NIDS. • Three major defects of a NIDS allow them to do that: • (1) Lack of complete analysis of the full range of behaviour allowed by a particular protocol. • For example, an attacker can evade a NIDS that fails to reassemble IP fragments by intentionally transmitting the attack traffic in fragments: the NIDS never sees the attack as a whole, while the end-system reassembles the fragments and is compromised.

  3. • (2) Lack of detailed knowledge of the end-system's protocol implementation. • The same packets may trigger different actions on different systems; implementations differ, for instance, in which data they keep when IP fragments or TCP segments overlap. The NIDS does not know which interpretation the end-system will apply, so it cannot tell which of the candidate reassembled streams is the one the end-system acts on. • (How about implementing the strictest detection rule?) • (3) Lack of detailed knowledge of the topology between the NIDS and the end-system. • The NIDS cannot be sure whether a given packet will be received by the end-system at all (for example, a packet whose TTL expires before it reaches the end-system).

  4. • This uncertainty is harmful: the NIDS may analyse packets the end-system never sees, or ignore packets it does see. • In conclusion, the NIDS does not know the end-system it protects very well; that is where the ambiguities come from. • (Maybe we can customize the NIDS to each end-system?)

  5. Normalizer: a network element that removes the ambiguities, so that no matter which end-system the NIDS protects, the traffic is interpreted the same way by the NIDS and by the end-system. • Unlike a firewall, the normalizer's purpose is not to block malicious traffic. It rewrites ambiguous traffic into a canonical form so that it cannot evade the NIDS's detection.
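The ambiguity in slides 2 to 4 and the fix in slide 5, as an added worked example that is not part of the original presentation or of the norm implementation it describes: two end-host overlap policies ("first" and "last") are idealizations, fragment offsets are counted in bytes rather than the 8-byte units real IP uses, the /cgi-bin/phf signature and the fragment sequence are constructed, and the normalizer's trim-later-fragments rule is one consistent choice made for the example, not necessarily norm's exact rule.

```python
"""Overlapping IP fragments: why a NIDS and an end host can disagree, and how a
normalizer removes the ambiguity by rewriting overlaps consistently.
Added example; simplified offsets (bytes, not 8-byte units) and idealized policies."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset within the reassembled datagram (simplification)
    data: bytes
    more: bool    # IP "more fragments" flag; False marks the final fragment


def reassemble(frags, policy):
    """End-host reassembly under one of two idealized overlap policies.
    'first': a byte already received is never overwritten.
    'last' : a later fragment overwrites bytes received earlier.
    Returns the datagram payload, or None if any byte is still missing."""
    buf = {}
    end = None
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
        if not f.more:
            end = f.offset + len(f.data)
    if end is None or any(pos not in buf for pos in range(end)):
        return None
    return bytes(buf[pos] for pos in range(end))


def normalize(frags):
    """Normalizer pass: rewrite the fragment sequence so no byte offset is sent twice.
    The first fragment to claim a byte keeps it; later fragments are trimmed to their
    uncovered runs (split if an overlap sits in the middle).  Every receiver, whatever
    its overlap policy, then reassembles exactly what the NIDS reassembles.  The
    final-fragment flag is re-attached to the piece that ends at the datagram end;
    a fragment extending past that end is malformed and is left for the receiver."""
    covered = set()
    out = []
    end = None
    for f in frags:
        if not f.more:
            end = f.offset + len(f.data)
        start = None
        for i in range(len(f.data) + 1):
            keep = i < len(f.data) and (f.offset + i) not in covered
            if keep and start is None:
                start = i
            elif not keep and start is not None:
                out.append(Fragment(f.offset + start, f.data[start:i], True))
                start = None
        covered.update(range(f.offset, f.offset + len(f.data)))
    return [replace(p, more=False) if end is not None and p.offset + len(p.data) == end else p
            for p in out]


def nids_alert(payload):
    """Constructed toy signature: the classic /cgi-bin/phf probe."""
    return payload is not None and b"/cgi-bin/phf" in payload


# Constructed evasion attempt: benign bytes are sent first, then the attack bytes
# are re-sent over the same offsets inside the final fragment.  A NIDS that
# assumes "first" sees a harmless request; a host applying "last" runs phf.
EVASION = [
    Fragment(0, b"GET /cgi-bin/", more=True),
    Fragment(13, b"xyz", more=True),
    Fragment(13, b"phf HTTP/1.0\r\n", more=False),
]


def demo():
    """Reassemble the raw and the normalized sequence under both policies."""
    normed = normalize(EVASION)
    return {
        "raw_first": reassemble(EVASION, "first"),
        "raw_last": reassemble(EVASION, "last"),
        "normalized_first": reassemble(normed, "first"),
        "normalized_last": reassemble(normed, "last"),
    }


if __name__ == "__main__":
    for name, payload in demo().items():
        print(f"{name:17} alert={nids_alert(payload)!s:5} {payload!r}")
```

Running it shows the raw sequence producing `/cgi-bin/xyz` under "first" and `/cgi-bin/phf` under "last", while after normalization both policies yield the same bytes the NIDS inspects. The trimming rule is only safe because the normalizer sits in-line and sees every fragment; a passive NIDS cannot enforce it.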

  6. What we should be concerned about when designing the normalizer: • The normalizer should not rewrite traffic more aggressively than the ambiguities require, otherwise it changes end-to-end protocol behaviour and hampers the performance of both the NIDS and the end-system. • Limited capacity to hold state makes the system vulnerable to attacks that try to overwhelm the normalizer's ability to keep state.

  7. Some problems the normalizer will face in the real world: • Cold start: the normalizer lacks knowledge of connections that were already established before it started. A patient attacker waits until the normalizer is shut down, does the dirty work, and stays unnoticed after the normalizer restarts. • The normalizer can be attacked with a stateholding attack. A memory monitoring mechanism should be introduced to track the state that must be held and to dynamically adjust the state-holding capacity (evicting state when the budget is exceeded).

  8. CPU overload attack • The systematic approach the normalizer adopts is to walk through the packet headers of each protocol it takes into consideration, so the work done per packet is bounded and predictable.

  9. norm has been implemented • Several methods are used to evaluate its performance. Reading packets from a libpcap trace file factors out the cost of getting packets to the normalizer, and three kinds of trace file are used to make the evaluation complete and fair. • The results suggest that the normalizer, implemented as a Click module, can forward normal traffic at line speed on a bidirectional 100 Mb/s link. • Link flooding does not cause denial of service on the norm system.

  10. • But norm is vulnerable to floods of out-of-order small fragments, which force the normalizer to perform triage on the attack traffic.
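The stateholding attack of slide 7 and the small-fragment triage of slide 10, as an added simulation that is not part of the presentation or of norm itself: the `FragmentTable` class, its byte budget, the spoofed-source flood and the "triage" eviction heuristic (drop the entry with the fewest payload bytes per fragment) are this example's own constructions, chosen to show why a plain oldest-first eviction loses the legitimate datagram under a flood while a triage rule keeps it.

```python
"""Bounded reassembly state under a flood of tiny out-of-order fragments.
Added example: the budget, the eviction policies and the traffic are constructed."""

from collections import OrderedDict


class FragmentTable:
    """Toy version of the memory monitor slide 7 asks for.

    Each entry holds the payload bytes of one partial datagram, keyed by
    (src, dst, ip_id).  When the byte budget is exceeded, entries are evicted
    until the table fits.  Two policies are compared:
      'oldest' : evict the entry that has waited longest (plain FIFO);
      'triage' : evict the entry with the fewest payload bytes per fragment,
                 i.e. the kind of entry a flood of tiny fragments creates.
    The 'triage' heuristic is this example's own, not norm's exact rule.
    Only payload bytes are charged against the budget; real per-fragment
    bookkeeping costs more, which is why tiny fragments exhaust state so well."""

    def __init__(self, budget_bytes, policy="oldest"):
        self.budget = budget_bytes
        self.policy = policy
        self.entries = OrderedDict()   # insertion order doubles as age
        self.held = 0
        self.evicted = 0
        self.completed = []

    def add(self, key, offset, data, more):
        e = self.entries.get(key)
        if e is None:
            e = self.entries[key] = {"bytes": 0, "frags": 0, "covered": set(), "end": None}
        e["bytes"] += len(data)
        e["frags"] += 1
        e["covered"].update(range(offset, offset + len(data)))
        if not more:
            e["end"] = offset + len(data)
        self.held += len(data)
        # Complete when every byte up to the declared end is present (overlaps are
        # assumed to have been removed already by the normalizer's overlap pass).
        if e["end"] is not None and len(e["covered"]) >= e["end"]:
            self.completed.append(key)
            self._drop(key)
        while self.held > self.budget and self.entries:
            self._drop(self._victim())
            self.evicted += 1

    def _victim(self):
        if self.policy == "oldest":
            return next(iter(self.entries))
        return min(self.entries,
                   key=lambda k: self.entries[k]["bytes"] / self.entries[k]["frags"])

    def _drop(self, key):
        self.held -= self.entries.pop(key)["bytes"]


LEGIT = ("10.0.0.5", "10.0.0.9", 4242)   # constructed: a 1024-byte datagram in two halves


def simulate(policy, budget=2048, flood_size=3000):
    """Constructed stateholding attack: the first half of a legitimate datagram
    arrives, then a flood of 1-byte fragments from spoofed sources that can never
    complete (offset 8, nothing at 0, "more" always set), then the legitimate
    second half.  Returns (legitimate datagram completed?, evictions, bytes held)."""
    t = FragmentTable(budget, policy)
    t.add(LEGIT, 0, b"A" * 512, more=True)
    for i in range(flood_size):
        spoofed = (f"198.51.100.{i % 250}", "10.0.0.9", i)
        t.add(spoofed, 8, b"\x00", more=True)
    t.add(LEGIT, 512, b"B" * 512, more=False)
    return LEGIT in t.completed, t.evicted, t.held


if __name__ == "__main__":
    for policy in ("oldest", "triage"):
        done, evicted, held = simulate(policy)
        print(f"{policy:7} legit completed={done!s:5} evicted={evicted} held={held}")
```

With oldest-first eviction the flood pushes the legitimate half-datagram out of the table before its second half arrives, so the datagram never completes even though the normalizer stayed within budget; with the triage rule the 1-byte entries are the ones discarded and the legitimate datagram completes. Either way the table never exceeds its budget, which is the property the memory monitor exists to guarantee.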
