Title :
Counting bloom filters for pattern matching and anti-evasion at the wire speed
Author :
Antichi, Gianni ; Ficara, Domenico ; Giordano, Stefano ; Procissi, Gregorio ; Vitucci, Fabio
Author_Institution :
Dept. of Inf. Eng., Univ. of Pisa, Pisa
Abstract :
Standard pattern-matching methods used for deep packet inspection and network security can be evaded by means of TCP and IP fragmentation. To detect such attacks, intrusion detection systems must reassemble packets before applying matching algorithms, thus requiring a large amount of memory and time to respond to the threat. In the literature, only a few efforts proposed a method to detect evasion attacks at high speed without reassembly. The aim of this article is to introduce an efficient system for anti-evasion that can be implemented in real devices. It is based on counting bloom filters and exploits their capabilities to quickly update the string set and deal with partial signatures. In this way, the detection of attacks and almost all of the traffic processing is performed in the fast data path, thus improving the scalability of intrusion detection systems.
Keywords :
IP networks; digital signatures; string matching; telecommunication security; telecommunication traffic; transport protocols; IP fragmentation; TCP; anti-evasion; attack detection; counting bloom filter; deep packet inspection; intrusion detection system; network security; partial signature; pattern matching; string set; traffic processing; wire speed; Costs; Counting circuits; Databases; Matched filters; Out of order; Pattern matching; Payloads; Wire;
Journal_Title :
Network, IEEE
DOI :
10.1109/MNET.2009.4804321
