1,055 research outputs found

    Adaptive conflict-free optimization of rule sets for network security packet filtering devices

    Get PDF
    Packet filtering and processing rules management in firewalls and security gateways has become commonplace in increasingly complex networks. On one side there is a need to maintain the logic of high level policies, which requires administrators to implement and update a large amount of filtering rules while keeping them conflict-free, that is, avoiding security inconsistencies. On the other side, traffic adaptive optimization of large rule lists is useful for general purpose computers used as filtering devices, without specific designed hardware, to face growing link speeds and to harden filtering devices against DoS and DDoS attacks. Our work joins the two issues in an innovative way and defines a traffic adaptive algorithm to find conflict-free optimized rule sets, by relying on information gathered with traffic logs. The proposed approach suits current technology architectures and exploits available features, like traffic log databases, to minimize the impact of ACO development on the packet filtering devices. We demonstrate the benefit entailed by the proposed algorithm through measurements on a test bed made up of real-life, commercial packet filtering devices

    Enhancing snort IDs performance using data mining

    Get PDF
    Intrusion detection systems (IDSs) such as Snort apply deep packet inspection to detect intrusions. Usually, these are rule-based systems, where each incoming packet is matched with a set of rules. Each rule consists of two parts: the rule header and the rule options. The rule header is compared with the packet header. The rule options usually contain a signature string that is matched with packet content using an efficient string matching algorithm. The traditional approach to IDS packet inspection checks a packet against the detection rules by scanning from the first rule in the set and continuing to scan all the rules until a match is found. This approach becomes inefficient if the number of rules is too large and if the majority of the packets match with rules located at the end of the rule set. In this thesis, we propose an intelligent predictive technique for packet inspection based on data mining. We consider each rule in a rule set as a ‘class’. A classifier is first trained with labeled training data. Each such labeled data point contains packet header information, packet content summary information, and the corresponding class label (i.e. the rule number with which the packet matches). Then the classifier is used to classify new incoming packets. The predicted class, i.e. rule, is checked against the packet to see if this packet really matches the predicted rule. If it does, the corresponding action (i.e. alert) of the rule is taken. Otherwise, if the prediction of the classifier is wrong, we go back to the traditional way of matching rules. The advantage of this intelligent predictive packet matching is that it offers much faster rule matching. We have proved, both analytically and empirically, that even with millions of real network traffic packets and hundreds of rules, the classifier can achieve very high accuracy, thereby making the IDS several times faster in making matching decisions

    Early Packet Rejection Using Dynamic Binary Decision Diagram

    Get PDF
    A firewall is a hardware or software device that performs inspection on a given incoming/outgoing packets and decide whether to allow/deny the packet from entering/leaving the system. Firewall filters the packets by using a set of rules called firewall policies. The policies define what type of packets should be allowed or discarded. These policies describe the field values that the packet header must contain in order to match a policy in the firewall. The decision for any given packet is made by finding the first matching firewall policy, if any. In a traditional firewall, the packet filter goes through each policy in the list until a matching rule is found; the same process is again repeated for every packet that enters the firewall. The sequential lookup that the firewall uses to find the matching rule is time consuming and the total time it takes to perform the lookup increases as the policy in the list increases. Nowadays, a typical enterprise based firewall will have 1000+ firewall policy in it, which is normal. A major threat to network firewalls is specially crafted malicious packets that target the bottom rules of the firewall’s entire set of filtering rules. This attack’s main objective is to overload the firewall by processing a flood of network traffic that is matched against almost all the filtering rules before it gets rejected by a bottom rule. As a consequence of this malicious flooding network traffic, the firewall performance will decrease and the processing time of network traffic may increase significantly The current research work is based on the observation that an alternative method for the firewall policies can provide a faster lookup and hence a better filtering performance. The method proposed in this research relies on a basic fact that the policy c a n be represented as a simple Boolean expression. Thus, Binary Decision Diagrams (BDDs) are used as a basis for the representation of access list in this study. The contribution of this research work is a proposed method for representing firewall Policies using BDDs to improve the performance of packet filtering. The proposed mechanism is called Static Shuffling Binary Decision Diagram (SS-BDD), and is based on restructuring of the Binary Decision Diagram (BDD) by using byte-wise data structure instead of using Field-wise data structure. Real world traffic is used during the simulation phase to prove the performance of packet filtering. The numerical results obtained by the simulation shows that the proposed technique improves the performance for packet filtering significantly on medium to long access lists. Furthermore, using BDDs for representing the firewall policies provides other Useful characteristics that makes this a beneficial approach to in real world

    Impact of denial of service solutions on network quality of service

    Get PDF
    The Internet has become a universal communication network tool. It has evolved from a platform that supports best-effort traffic to one that now carries different traffic types including those involving continuous media with quality of service (QoS) requirements. As more services are delivered over the Internet, we face increasing risk to their availability given that malicious attacks on those Internet services continue to increase. Several networks have witnessed denial of service (DoS) and distributed denial of service (DDoS) attacks over the past few years which have disrupted QoS of network services, thereby violating the Service Level Agreement (SLA) between the client and the Internet Service Provider (ISP). Hence DoS or DDoS attacks are major threats to network QoS. In this paper we survey techniques and solutions that have been deployed to thwart DoS and DDoS attacks and we evaluate them in terms of their impact on network QoS for Internet services. We also present vulnerabilities that can be exploited for QoS protocols and also affect QoS if exploited. In addition, we also highlight challenges that still need to be addressed to achieve end-to-end QoS with recently proposed DoS/DDoS solutions

    Optimization of delays experienced by packets due to ACLs within a domain

    Get PDF
    The infrastructure of large networks is broken down into areas that have a common security policy called a domain. Security within a domain is commonly implemented at all nodes however this has a negative effect on performance since it introduces a delay associated with packet filtering. Recommended techniques for network design imply that every packet should be checked at the first possible ingress points of the network. When access control lists (ACL's) are used within a router for this purpose then there can be a significant overhead associated with this process. The purpose of this paper is to consider the effect of delays when using router operating systems offering different levels of functionality. It considers factors which contribute to the delay particularly due to ACL. Using theoretical principles modified by practical calculation a model is created for packet delay for all nodes across a given path in a domain

    Thwarting ICMP low-rate attacks against firewalls while minimizing legitimate traffic loss

    Get PDF
    © 2013 IEEE. Low-rate distributed denial of service (LDDoS) attacks pose more challenging threats that disrupt network security devices and services. Such type of attacks is difficult to detect and mitigate. In LDDoS attacks, attacker uses low-volume of malicious traffic that looks alike legitimate traffic. Thus, it can enter the network in silence without any notice. However, it may have severe effect on disrupting network services, depleting system resources, and degrading network speed to a point considering them as one of the most damaging attack types. There are many types of LDDoS such as application server and ICMP error messages based LDDoS. This paper is solely concerned with the ICMP error messages based LDDoS. The paper proposes a mechanism to mitigate low-rate ICMP error message attacks targeting security devices, such as firewalls. The mechanism is based on triggering a rejection rule to defend against corresponding detected attack as early as possible, in order to preserve firewall resources. The rejection rule has certain adaptive activity time, during which the rule continues to reject related low-rate attack packets. This activity time is dynamically predicted for the next rule activation period according to current and previous attack severity and statistical parameters. However, the rule activity time needs to be stabilized in a manner in order to prevent any additional overhead to the system as well as to prevent incremental loss of corresponding legitimate packets. Experimental results demonstrate that the proposed mechanism can efficiently defend against incremental evasion cycle of low-rate attacks, and monitor rejection rule activity duration to minimize legitimate traffic loss

    Dynamic Traffic Driven Architectures and Algorithms for Securing Networks

    Get PDF
    The continuous growth in the Internet's size, the amount of data traffic, and the complexity of processing this traffic gives rise to new challenges in building high performance network devices. Such an exponential growth coupledwith the increasing sophistication of attacks, is placing stringent demands on the performance of networked systems (Firewalls). These challengesrequire new designs, architecture and algorithms for the optimization of such systems.The current or classical security of present day Internet is "static" and "oblivious" to traffic dynamics in the network. Hence, there are tremendous efforts towards the design and development of several techniques and strategies to deal with the above shortcomings. Unfortunately, the current solutions have been successful in addressing only some aspects ofsecurity. However, as a whole security remains a major issue. This is primarily due to the lack of adaptation and dynamics in the design of such intrusion detection and mitigation systems.This thesis focuses on the design of architectures and algorithms for theoptimization of such networked systems, to aid not only adaptive and real-time "packet filtering' but also fast "content basedrouting (differentiated services)' in today's data-driven networks.The approach proposed involves a unique combination of algorithmic andarchitectural techniques that aims to outperform all current solutions in termsof adaptiveness, speed of operation (under attack or heavily loaded conditions) andoverall operational cost-effectiveness of such systems. The tools proposed in thisthesis also aim to offer the flexibility to include new approaches, and providethe ability to migrate or deploy additional entities for attack detection and defense

    Adaptive Conflict-Free Optimization of Rule Sets for Network Security Packet Filtering Devices

    Get PDF

    Adaptive Response System for Distributed Denial-of-Service Attacks

    No full text
    The continued prevalence and severe damaging effects of the Distributed Denial of Service (DDoS) attacks in today’s Internet raise growing security concerns and call for an immediate response to come up with better solutions to tackle DDoS attacks. The current DDoS prevention mechanisms are usually inflexible and determined attackers with knowledge of these mechanisms, could work around them. Most existing detection and response mechanisms are standalone systems which do not rely on adaptive updates to mitigate attacks. As different responses vary in their “leniency” in treating detected attack traffic, there is a need for an Adaptive Response System. We designed and implemented our DDoS Adaptive ResponsE (DARE) System, which is a distributed DDoS mitigation system capable of executing appropriate detection and mitigation responses automatically and adaptively according to the attacks. It supports easy integrations for both signature-based and anomaly-based detection modules. Additionally, the design of DARE’s individual components takes into consideration the strengths and weaknesses of existing defence mechanisms, and the characteristics and possible future mutations of DDoS attacks. These components consist of an Enhanced TCP SYN Attack Detector and Bloom-based Filter, a DDoS Flooding Attack Detector and Flow Identifier, and a Non Intrusive IP Traceback mechanism. The components work together interactively to adapt the detections and responses in accordance to the attack types. Experiments conducted on DARE show that the attack detection and mitigation are successfully completed within seconds, with about 60% to 86% of the attack traffic being dropped, while availability for legitimate and new legitimate requests is maintained. DARE is able to detect and trigger appropriate responses in accordance to the attacks being launched with high accuracy, effectiveness and efficiency. We also designed and implemented a Traffic Redirection Attack Protection System (TRAPS), a stand-alone DDoS attack detection and mitigation system for IPv6 networks. In TRAPS, the victim under attack verifies the authenticity of the source by performing virtual relocations to differentiate the legitimate traffic from the attack traffic. TRAPS requires minimal deployment effort and does not require modifications to the Internet infrastructure due to its incorporation of the Mobile IPv6 protocol. Experiments to test the feasibility of TRAPS were carried out in a testbed environment to verify that it would work with the existing Mobile IPv6 implementation. It was observed that the operations of each module were functioning correctly and TRAPS was able to successfully mitigate an attack launched with spoofed source IP addresses
    corecore