Scap: Stream-Oriented Network Traffic Capture and Analysis for High-Speed Networks
Abstract
Many network monitoring applications must analyze traffic beyond the network layer to allow for connection-oriented analysis, and achieve resilience to evasion attempts based on TCP segmentation. However, existing network traffic capture frameworks provide applications with just raw packets, and leave complex operations like flow tracking and TCP stream reassembly to application developers. This gap leads to increased application complexity, longer development time, and most importantly, reduced performance due to excessive data copies between the packet capture subsystem and the stream processing module. This paper presents the Stream capture library (Scap), a network monitoring framework built from the ground up for stream-oriented traffic processing. Based on a kernel module that directly handles flow tracking and TCP stream reassembly, Scap delivers to user-level applications flow-level statistics and reassembled streams by minimizing data movement operations and discarding uninteresting traffic at early stages, while it inherently supports parallel processing on multi-core architectures, and uses advanced capabilities of modern network cards. Our experimental evaluation shows that Scap can capture all streams for traffic rates two times higher than other stream reassembly libraries, and can process more than five times higher traffic loads when eight cores are used for parallel stream processing in a pattern matching application.
The Power of Evil Choices in Bloom Filters
Abstract
A Bloom filter is a probabilistic hash-based data structure extensively used in software, including online security applications. This paper raises the following important question: are Bloom filters correctly designed in a security context? The answer is no, and the reasons are multiple: bad choices of parameters, lack of adversary models, and misused hash functions. Indeed, developers truncate cryptographic digests without a second thought about the security implications. This work constructs adversary models for Bloom filters and illustrates attacks on three applications, namely the SCRAPY web spider, the BITLY DABLOOMS spam filter, and the SQUID cache proxy. As a general impact, filters are forced to systematically exhibit worst-case behavior. One reason is that Bloom filter parameters are always computed for the average case. We compute the worst-case parameters in adversarial settings, show how to securely and efficiently use cryptographic hash functions, and propose several other countermeasures to mitigate our attacks.
SNIPS: A Software-Defined Approach for Scaling Intrusion Prevention Systems via Offloading
Abstract
Growing traffic volumes and the increasing complexity of attacks pose a constant scaling challenge for network intrusion prevention systems (NIPS). In this respect, offloading NIPS processing to compute clusters offers an immediately deployable alternative to expensive hardware upgrades. In practice, however, NIPS offloading is challenging on three fronts in contrast to passive network security functions: (1) NIPS offloading can impact other traffic engineering objectives; (2) NIPS offloading impacts user-perceived latency; and (3) NIPS actively change traffic volumes by dropping unwanted traffic. To address these challenges, we present the SNIPS system. We design a formal optimization framework that captures tradeoffs across scalability, network load, and latency. We provide a practical implementation using recent advances in software-defined networking without requiring modifications to NIPS hardware. Our evaluations on realistic topologies show that SNIPS can reduce the maximum load by up to 10× while only increasing the latency by 2%.
LEoNIDS: A Low-Latency and Energy-Efficient Network-Level Intrusion Detection System
Abstract
FORTH-ICS. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

Over the past decade, design and implementation of low-power systems has received significant attention. While it started with data centers and battery-operated mobile devices, it has recently branched to core network devices such as routers. However, this emerging need for low-power system design has not been studied for security systems, which are becoming increasingly important today. Toward this direction, we aim to reduce the power consumption of network-level intrusion detection systems (NIDS), which are used to improve the secure operation of modern computer networks. Unfortunately, traditional approaches to low-power system design, such as frequency scaling, lead to a disproportionate increase in packet processing and queuing times. In this paper, we show that this increase has a negative impact on the detection latency and impedes a timely reaction. To address this issue, we present a low-latency and energy-efficient NIDS (LEoNIDS): an architecture that resolves the energy-latency tradeoff by providing both low power consumption and low detection latency at the same time. The key idea is to identify the packets that are more likely to carry an attack and give them higher priority so as to achieve low attack detection latency. Our
Stream-Oriented Network Traffic Capture and Analysis for High-Speed Networks
Abstract
Intrusion detection, traffic classification, and other network monitoring applications need to analyze the captured traffic beyond the network layer to allow for connection-oriented analysis, and achieve resilience to evasion attempts based on TCP segmentation. Existing network traffic capture frameworks, however, provide applications with raw packets and leave complex operations like flow tracking and TCP stream reassembly to application developers. This gap, between what applications need and what systems provide, leads to increased application complexity, longer development time, and most importantly, reduced performance due to excessive data copies between the packet capture subsystem and the stream processing module. This paper presents the Stream capture library (Scap), a network monitoring framework built from the ground up for stream-oriented traffic processing. Based on a kernel module that directly handles flow tracking and TCP stream reassembly, Scap delivers to user-level applications flow-level statistics and reassembled streams by minimizing data movement operations and discarding uninteresting traffic at early stages, while it inherently supports parallel processing on multi-core architectures, and uses advanced capabilities of modern network cards. Our experimental evaluation shows that Scap can capture all streams for traffic rates two times higher than other stream reassembly libraries. Finally, we present the implementation and performance evaluation of four popular network traffic monitoring applications built on top of Scap.