Title :
Intrusion Detection Using Protocol-based Non-Conformance to Trusted Behaviors
Author :
Ramakrishnan, Vikram ; Kumar, R. Anil ; John, Sherin
Author_Institution :
Comput. Networks & Software Inc., Springfield
Date :
April 30 2007-May 3 2007
Abstract :
Generalized multiprotocol label switching (GMPLS) extends multiprotocol label switching (MPLS) to provide the control plane for high-speed, high-bandwidth switching networks. The control plane protocols are vulnerable to attacks both from outside and from within the network. SigSec, an intrusion detection system under development, is intended to help detect and protect against such attacks. It is based on the premise that the GMPLS management, signaling and routing protocols are similar to programming languages: a protocol can be compared to a language definition, since it contains a vocabulary, a syntax definition and semantics. Like any computer language, the protocol language must be unambiguous. The protocol also specifies the behavior of concurrently executing processes, and this concurrency creates a new class of subtle issues. One technique for addressing these issues is the finite state machine (FSM). SigSec captures the signaling protocol messages, forwards them to the appropriate protocol analyzer and also saves them to a database. SigSec performs intrusion detection through multiple layers of checks and verifications, and it detects many known attacks that pass through the syntax and semantic analyzers. Results of the security attack profile analysis indicate that SigSec is capable of protecting the control plane against any number of attack profiles.
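The layered design the abstract describes (a vocabulary and syntax check, a semantic check on field values, then a per-session finite state machine that enforces the allowed message ordering) can be illustrated with a small analyzer. The code below is an added example for this record, not SigSec's code or a GMPLS protocol definition: the message vocabulary (PATH, RESV, PATH_TEAR, RESV_TEAR), the transition table, the "key=value" log format and the trace are all constructed for illustration. Its point is the one the abstract makes: message 3 in the trace is syntactically and semantically valid, so only the FSM layer can flag it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Toy signaling vocabulary and field rules (constructed for this example).
VOCAB = {"PATH", "RESV", "PATH_TEAR", "RESV_TEAR"}
REQUIRED = {"session", "msg"}
NEEDS_BW = {"PATH", "RESV"}

# Per-session transition table: (current state, message) -> next state.
# Any (state, message) pair not listed is treated as non-conformant.
TRANSITIONS = {
    ("IDLE", "PATH"): "PATH_SENT",
    ("PATH_SENT", "RESV"): "ESTABLISHED",
    ("PATH_SENT", "PATH_TEAR"): "IDLE",
    ("ESTABLISHED", "PATH_TEAR"): "IDLE",
    ("ESTABLISHED", "RESV_TEAR"): "IDLE",
}

Alert = Tuple[int, str, str]  # (sequence number, layer that fired, reason)


def parse_line(line: str) -> Dict[str, str]:
    """Parse a captured message written as whitespace-separated key=value tokens."""
    fields: Dict[str, str] = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


@dataclass
class ProtocolAnalyzer:
    states: Dict[str, str] = field(default_factory=dict)  # session id -> FSM state
    alerts: List[Alert] = field(default_factory=list)

    def check_syntax(self, m: Dict[str, str]) -> Optional[str]:
        """Layer 1: required fields present and message type in the vocabulary."""
        missing = REQUIRED - m.keys()
        if missing:
            return f"missing field(s) {sorted(missing)}"
        if m["msg"] not in VOCAB:
            return f"unknown message type {m['msg']!r}"
        return None

    def check_semantics(self, m: Dict[str, str]) -> Optional[str]:
        """Layer 2: field values make sense for this message type."""
        if m["msg"] in NEEDS_BW:
            try:
                bw = int(m.get("bw", ""))
            except ValueError:
                return "bandwidth missing or not an integer"
            if bw < 0:
                return f"negative bandwidth {bw}"
        return None

    def check_fsm(self, m: Dict[str, str]) -> Optional[str]:
        """Layer 3: message is allowed in the session's current state; advance if so."""
        current = self.states.get(m["session"], "IDLE")
        nxt = TRANSITIONS.get((current, m["msg"]))
        if nxt is None:
            return f"{m['msg']} not allowed in state {current}"
        self.states[m["session"]] = nxt
        return None

    def process(self, seq: int, line: str) -> bool:
        """Run the layers in order; the first failing layer raises the alert."""
        m = parse_line(line)
        for layer, check in (("syntax", self.check_syntax),
                             ("semantic", self.check_semantics),
                             ("fsm", self.check_fsm)):
            reason = check(m)
            if reason is not None:
                self.alerts.append((seq, layer, reason))
                return False
        return True


def analyze(lines: List[str]) -> Tuple[List[Alert], Dict[str, str]]:
    """Analyze a captured trace; return the alerts and the final per-session states."""
    analyzer = ProtocolAnalyzer()
    for seq, line in enumerate(lines, start=1):
        analyzer.process(seq, line)
    return analyzer.alerts, analyzer.states


# Constructed trace: sessions A and B, with one violation per layer mixed in.
SAMPLE_TRACE = [
    "session=A msg=PATH bw=100",   # 1: valid, A -> PATH_SENT
    "session=A msg=RESV bw=100",   # 2: valid, A -> ESTABLISHED
    "session=B msg=RESV bw=50",    # 3: well-formed but RESV before any PATH (FSM)
    "session=A msg=RESV bw=-5",    # 4: negative bandwidth (semantic)
    "session=A msg=HELLO",         # 5: not in the vocabulary (syntax)
    "session=A msg=PATH_TEAR",     # 6: valid, A -> IDLE
    "session=C bw=10",             # 7: no msg field (syntax)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRACE)[0]:
        print(alert)
```

Running the block prints four alerts: the FSM layer for message 3, the semantic layer for message 4 and the syntax layer for messages 5 and 7. A failed message never advances the session's state, so a rejected RESV cannot move a session to ESTABLISHED.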
Keywords :
multiprotocol label switching; routing protocols; signalling protocols; telecommunication security; SigSec; computer language; control plane protocols; finite state machine; generalized multiple protocol label switching; intrusion detection; language definition; non-conformance; protocol analyzer; routing protocols; security attack profile analysis; semantic analyzers; semantics; signaling protocols; switching networks; syntax definition; trusted behaviors; Automata; Bandwidth; Computer languages; Concurrent computing; Intrusion detection; Multiprotocol label switching; Protection; Routing protocols; Signal analysis; Vocabulary;
Conference_Title :
Integrated Communications, Navigation and Surveillance Conference, 2007. ICNS '07
Conference_Location :
Herndon, VA
Print_ISBN :
1-4244-1216-1
Electronic_ISBN :
1-4244-1216-1
DOI :
10.1109/ICNSURV.2007.384158