Title :
Active mapping: resisting NIDS evasion without altering traffic
Author :
Shankar, Umesh ; Paxson, Vern
Author_Institution :
Univ. of California, Berkeley, CA, USA
Abstract :
A critical problem faced by a network intrusion detection system (NIDS) is that of ambiguity. The NIDS cannot always determine what traffic reaches a given host nor how that host will interpret the traffic, and attackers may exploit this ambiguity to avoid detection or cause misleading alarms. We present a lightweight solution, active mapping, which eliminates TCP/IP-based ambiguity in a NIDS analysis with minimal runtime cost. Active mapping efficiently builds profiles of the network topology and the TCP/IP policies of hosts on the network; a NIDS may then use the host profiles to disambiguate the interpretation of the network traffic on a per-host basis. Active mapping avoids the semantic and performance problems of traffic normalization, in which traffic streams are modified to remove ambiguities. We have developed a prototype implementation of active mapping and modified a NIDS to use the active mapping-generated profile database in our tests. We found wide variation across operating systems' TCP/IP stack policies in real-world tests (about 6700 hosts), underscoring the need for this sort of disambiguation.
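Added illustration of the per-host disambiguation the abstract describes (not code from the paper or its prototype): a NIDS-side TCP reassembler consults a profile database of each host's overlap policy and rebuilds the stream the way that host will, rather than rewriting the traffic; when a destination is unmapped and the candidate interpretations differ, it reports the ambiguity instead of guessing. The profile entries, policy names and segments are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical profile database (stand-in for active mapping output):
# destination address -> policy for data that arrives more than once at the
# same sequence offset. "first" keeps the bytes already held, "last" lets the
# later segment overwrite them.
PROFILE_DB: Dict[str, str] = {"192.0.2.10": "first", "192.0.2.20": "last"}
POLICIES = ("first", "last")

@dataclass
class Segment:
    seq: int      # relative sequence number of the segment's first byte
    data: bytes

def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the in-order byte stream as a host with this overlap policy would."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    held: Dict[int, int] = {}          # sequence offset -> byte value
    for seg in segments:               # arrival order decides overlaps
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off not in held or policy == "last":
                held[off] = byte
    out, off = bytearray(), 0          # only the contiguous prefix is deliverable
    while off in held:
        out.append(held[off])
        off += 1
    return bytes(out)

def nids_view(segments: List[Segment], dst: str,
              profiles: Dict[str, str] = PROFILE_DB) -> Optional[bytes]:
    """Stream as the NIDS should interpret it for this destination; None when
    the host is unmapped and the possible interpretations disagree."""
    if dst in profiles:
        return reassemble(segments, profiles[dst])
    views = {reassemble(segments, p) for p in POLICIES}
    return views.pop() if len(views) == 1 else None

# Constructed sample: the second segment re-sends offsets 5..9 with new bytes.
SAMPLE = [Segment(0, b"GET /admin"), Segment(5, b"index"),
          Segment(10, b" HTTP/1.0\r\n")]

if __name__ == "__main__":
    for dst in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(dst, nids_view(SAMPLE, dst))
```

A real profile would also cover other policies the paper's probing measures (IP fragment overlap, TTL reach, and the like); the same lookup-then-interpret step applies to each.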
Keywords :
authorisation; computer network management; network operating systems; network topology; telecommunication traffic; transport protocols; NIDS evasion; TCP/IP-based ambiguity; active mapping; disambiguation; host TCP/IP policies; host profiles; misleading alarms; network intrusion detection system; network topology profiles; operating systems; traffic; Costs; Databases; Face detection; Intrusion detection; Network topology; Prototypes; Runtime; TCPIP; Telecommunication traffic; Testing;
Conference_Title :
Security and Privacy, 2003. Proceedings. 2003 Symposium on
Print_ISBN :
0-7695-1940-7
DOI :
10.1109/SECPRI.2003.1199327