DocumentCode :
2990599
Title :
Matryoshka: Tunneled packets breaking the rules
Author :
Ghali, Cesar ; Hamady, Faisal ; Elhajj, Imad H. ; Kayssi, Ayman
Author_Institution :
Electr. & Comput. Eng. Dept., American Univ. of Beirut, Beirut, Lebanon
fYear :
2011
fDate :
4-8 July 2011
Firstpage :
485
Lastpage :
490
Abstract :
Intrusion detection and prevention systems (IDPSs) are widely used to secure computer networks. They monitor network traffic by searching for unusual combinations in protocol headers and for malicious patterns in packet payloads. In this paper we present "Matryoshka", a vulnerability that allows tunneled malicious packets to bypass the signature matching procedures implemented in many industrial IDPSs. Matryoshka is implemented as a tool and tested against Snort under different topologies and modes. To mitigate attacks that can be launched using the bypassed tunneled malicious packets, a Snort preprocessor was developed and tested, and the results demonstrated that all malicious tunneled packets were successfully detected. The processing overhead of the preprocessor to inspect and decapsulate tunneled packets was measured at 2% of the overall overhead of inspecting, decapsulating, and matching the malicious signature, and at 0.2% of the overall overhead of inspecting, decapsulating, assembling, and matching the signature.
Keywords :
computer network security; Matryoshka vulnerability; Snort preprocessor; bypassed tunneled malicious packet; intrusion detection system; intrusion prevention system; malicious signature decapsulation; malicious signature inspection; malicious signature matching; signature mapping procedure; IP networks; Inspection; Network topology; Protocols; Security; Topology; Tunneling; Fragmentation; Intrusion Detection and Prevention Systems; SNORT®
fLanguage :
English
Publisher :
ieee
Conference_Titel :
High Performance Computing and Simulation (HPCS), 2011 International Conference on
Conference_Location :
Istanbul
Print_ISBN :
978-1-61284-380-3
Type :
conf
DOI :
10.1109/HPCSim.2011.5999864
Filename :
5999864