Counting bloom filters for pattern matching and anti-evasion at the wire speed

Author

Antichi, Gianni ; Ficara, Domenico ; Giordano, Stefano ; Procissi, Gregorio ; Vitucci, Fabio

Author_Institution

Dept. of Inf. Eng., Univ. of Pisa, Pisa

Volume

23

Issue

1

fYear

2009

Firstpage

30

Lastpage

35

Abstract

Standard pattern-matching methods used for deep packet inspection and network security can be evaded by means of TCP and IP fragmentation. To detect such attacks, intrusion detection systems must reassemble packets before applying matching algorithms, thus requiring a large amount of memory and time to respond to the threat. In the literature, only a few efforts proposed a method to detect evasion attacks at high speed without reassembly. The aim of this article is to introduce an efficient system for anti-evasion that can be implemented in real devices. It is based on counting bloom filters and exploits their capabilities to quickly update the string set and deal with partial signatures. In this way, the detection of attacks and almost all of the traffic processing is performed in the fast data path, thus improving the scalability of intrusion detection systems.

Keywords

IP networks; digital signatures; string matching; telecommunication security; telecommunication traffic; transport protocols; IP fragmentation; TCP; anti-evasion; attack detection; counting bloom filter; deep packet inspection; intrusion detection system; network security; partial signature; pattern matching; string set; traffic processing; wire speed; Costs; Counting circuits; Databases; Matched filters; Out of order; Pattern matching; Payloads; Wire;

fLanguage

English

Journal_Title

Network, IEEE

Publisher

ieee

ISSN

0890-8044

Type

jour

DOI

10.1109/MNET.2009.4804321

Filename

4804321