Título:
|
Hardware/software mechanisms for protecting an IDS against algorithmic complexity attacks
|
Autor/a:
|
Sreekar Shenoy, Govind; Tubella Murgadas, Jordi; González Colás, Antonio María
|
Otros autores:
|
Universitat Politècnica de Catalunya. Departament d'Arquitectura de Computadors; Universitat Politècnica de Catalunya. ARCO - Microarquitectura i Compiladors |
Abstract:
|
Intrusion Detection Systems (IDS) have emerged as one of the most promising ways to secure systems in the network. An IDS like the popular Snort[17] detects attacks on the network using a database of previous attacks. So in order to detect these attack strings in the packet, Snort uses the Aho-Corasick algorithm. This algorithm first constructs a Finite State Machine (FSM) from the attack strings, and subsequently traverses the FSM using bytes from the packet. We observe that there are input bytes that result in a traversal of a series of FSM states (also viewed as pointers). This chain of pointer traversal significantly degrades (22X) the processing
time of an input byte. Such a wide variance in the processing time of an input byte can be exploited by an adversary to throttle the IDS. If the IDS is unable to keep pace with the network traffic, the IDS gets disabled. So in the process the network becomes vulnerable. Attacks done in this manner are
referred to as algorithmic complexity attacks, and arise due to weaknesses in IDS processing. In this work, we explore defense mechanisms to the above outlined algorithmic complexity attack. Our proposed mechanisms provide over 3X improvement in the worst-case performance. |
Materia(s):
|
-Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica -Computer networks -- Security measures -Intrusion detection systems (Computer security) -Defense mechanisms -Hardware support -Intrusion detection systems -Ordinadors, Xarxes d' -- Mesures de seguretat |
Derechos:
|
|
Tipo de documento:
|
Artículo - Versión publicada Objeto de conferencia |
Editor:
|
Institute of Electrical and Electronics Engineers (IEEE)
|
Compartir:
|
|