臺灣博碩士論文加值系統

隨著網際網路的快速開展，網路駭客入侵事件的發生也漸趨頻仍。網路型入侵偵測系統乃用以補防火牆之不足，並提供應用層級的網安保護。網路型入侵偵測系統並可以偵測不論是由網路內部之外部之資源亂用，或是由網路外部至內部之入侵等多種不同的資安問題。通常網路型入侵偵測系統使用字串比對以及靜態分析已進行偵測。但是字串比對已被證明是網路型入侵偵測系統的效能瓶頸所在。
吾人在這篇論文中，提出網路型入侵偵測系統中最重要的偵測引擎之設計與實作。首先針對SYN Flood攻擊，吾人提出FSS過濾器以成功阻攔攻擊並保護上層之TCP狀態引擎。接下來，吾人提出一個TCP的濾淨器。將駭客用以迷惑偵測引擎之不明封包移除，以確保字串比對器能夠見到正確無誤的內文。關於網路型入侵偵測系統的心臟，字串比對引擎，這篇文章一共提出三個方法。前兩個設計是以軟體為基底，而第三個設計是以硬體為基底。在不同的條件下，這三個比對引擎皆能有良好的處理速度，確保入侵偵測引擎在高準確度的前提下仍能有優異的效能。

With growing Internet connectivity comes evolving opportunities for attackers to unlawfully access computers over the network. The Network Intrusion Detection Systems (NIDSes) are designed to identify attacks against networks or a host that are invisible to firewalls, thus providing an additional layer of security. The NIDS aims to detect a wide range of security violations ranging from attempted break-ins by outsiders to system penetrations and abuses by insiders. Generally two main methods are used for intrusion detection, namely Pattern Matching and Statistical Analysis. The former method applies a static set of patterns and alerts to traffic sequences with known signatures. Meanwhile, the latter method detects anomalous events statistically by gathering protocol header information and comparing this traffic to known attacks, as well as by sensing anomalies. Pattern matching tools are excellent at detecting known attacks, but perform poorly when facing a fresh assault or a modification of an old assault. NIDSes that use statistical analysis perform worse at sensing known problems, but much better at reporting unknown assaults. Improved implementation of an NIDS should combine these two methods to improve network protection. Either way, NIDSes rely on exact string matching from network packet payloads against thousands of intrusion signatures.
This dissertation first discusses an efficient and practical mechanism named FSS (First-Seen SYN) filter which can mitigate and block SYN Flood attacks. Then it presents a TCP processing engine which tracks the behaviors of each TCP connection including the state transition, sequence and acknowledgement number, and integrity checking. The most important of all, it eliminates the ambiguities when the attackers use ambiguities in network protocol specifications to deceive network security systems. Then we introduce several fast pattern-matching algorithms since it’s the most computation -intensive task in an NIDS and dominates the performance of an NIDS. Two software-based algorithms and one hardware-based architecture are proposed and proven to be more efficient and high-performance compared to other existing methodologies.

Chapter 1 Introduction 1
Chapter 2 First-Seen-SYN Filter 5
2.1 SYN Flood 5
2.2 Defending Mechanisms 7
2.3 Design and Implementation of FSS Filter 10
2.4 Analysis of FSS Filter 13
2.5 Experiments over FSS Filter 16
Chapter 3 TCP Ambiguity Scrubber Engine 21
3.1 Evasion Technique against TCP Protocol 21
3.2 Related Works in Segment Reassembly 23
3.3 The Design and Implementation of the Ambiguity Scrubber Engine 25
3.4 Experiments over the TCP Scrubber Engine 30
Chapter 4 FNP: A Pattern Matching Algorithm for Network Processor Platforms 34
4.1 Introductions on NIDSes and NPUs 34
4.2 Previous Pattern Matching Algorithms in NIDS 37
4.3 Design and Implementation of FNP 40
4.4 Analysis of FNP 49
4.5 Experiments over FNP 51
4.6. Summaries of FNP 60
Chapter 5 FNP2: A MWM-like Pattern Matching Algorithm 62
5.1 Introduction of FNP2 62
5.2 Design/Implementation of FNP2 62
5.3 Experiments over FNP2 64
5.4 Summaries of FNP2 66
Chapter 6 FTSE: The FNP-Like TCAM Searching Engine 67
6.1 Introduction 67
6.2 FTSE Algorithm 68
6.3 Proposed Multiple-Pattern Matching Architecture 70
6.4 Experiments of FTSE 73
Chapter 7 Conclusions 78

[1] A. Aho and M. Corasick, “Efficient string matching: An aid to bibliographic search,” Communications of the ACM, vol. 18, no. 6, June 1975, pp. 333-343.
[2] Altera Inc, “Implementing High-Speed Search Applications with Altera CAM”, Altera Application note 119, July 2001.
[3] K. G. Anagnostakis, E. P. Markatos, S. Antonatos, and M. Polychronakis. “E2xB: A domainspecific string matching algorithm for intrusion detection,” Proceedings of the 18th IFIP International Information Security Conference (SEC2003), Athens, Greece, May 2003, pp. 217-228.
[4] D. J. Bernstein. SYN cookies. http://cr.yp.to/syncookies.html.
[5] R. S. Boyer and J. S. Moore, “A fast string searching algorithm,” Communications of the ACM, vol. 20, no. 10, Oct. 1977, pp. 762-772.
[6] Young H. Cho, S.N., Mangione-Smith, W., “Specialized hardware for deep network packet filtering,” Proceedings of 12th International Conference on Field Programmable Logic and Applications (FPL2002), Montpellier, France, Sep. 2002, pp. 452-461.
[7] C. Jason Coit, Stuart Staniford, and Joseph McAlerney, “Towards faster pattern matching for intrusion detection or exceeding the speed of snort,” in Proceedings of the 2nd DARPA Information Survivability Conference and Exposition (DISCEX II), Washington, DC, June 2001.
[8] D. E. Comer. Internetworking with TCP/IP. Prentice–Hall, Englewood Cliffs, New Jersey, third edition, 1995.
[9] Beate Commentz-Walter, “A string matching algorithm fast on the average,” in Proceedings 6th International Colloquium on Automata, Languages and Programming,” H.A. Maurer, Ed. July 1979, vol. 71 of Lecture Notes in Computer Science, Springer, pp. 118-132.
[10] DEFCON. http://www.shmoo.com/cctf/
[11] Neil Desai: “Increasing Performance in High Speed NIDS”. Available from http://www.linuxsecurity.com/articles/intrusion_detection_article-4617.html
[12] P. Ferguson and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing,” RFC 2267, January 1998.
[13] M. Fisk and G. Varghese. “An analysis of fast string matching applied to content­based forwarding and intrusion detection,” Technical Report CS2001­0670 (updated version), University of California ­ San Diego, 2002.
[14] R. Franklin, D. Carver, B. Hutchings, “Assisting network intrusion detection with reconfigurable hardware,” IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM’02), Napa, California, Sep. 2002, pp. 121-130.
[15] Gokhale, M., Dubois, D., Dubois, A., Boorman, M., Poole, S., Hogsett, V.: Granidt: Towards gigabit rate network intrusion detection technology. In: Proceedings of 12th International Conference on Field Programmable Logic and Applications (FPL2002), Montpellier, France, Sep. 2002, pp. 401-413.
[16] M. Handley, C. Kreibich, and V. Paxson, “Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics,” in Proc. 10th USENIX Security Symposium, Washington, DC, Aug. 2001, pp. 115-131.
[17] R. Nigel Horspool, “Practical fast searching in strings,” Software Practice and and Experience, vol. 10, no. 6, 1980, pp. 501-506.
[18] N.F. Huang, R.T. Liu, Y.T. Chen, “A Two-Stage Multiple-Pattern Matching Architecture for Network Security System," Submitted to IEEE International Conference on Communications (ICC2005), Seoul, Korea, May 2005.
[19] David Husak, “Network Processors: A Definition and Comparison,” Available from http://e-www.motorola.com/collateral/M957198397651.pdf
[20] IBM: “The Network Processor Enabling Technology for High-Performance Networking,” Available from http://www.npforum.org/pressroom/whitepapers. shtml
[21] IDT Inc, "Classification and Content Inspection Co-Processor" 2003.
[22] “Intel(R) Network Processor,” http://www.intel.com/design/network/products /npfamily/
[23] Bo Jiang, Bin Liu, “High-Speed Discrete Content Sensitive Pattern Match Algorithm for Deep Packet Filtering,” 2003 International Conference on Computer Networks and Mobile Computing (ICCNMC'03), Shanghai, China, Oct 2003, pp. 149-157.
[24] Sun Kim and Yanggon Kim, “A fast multiple string-pattern matching algorithm,” Proceedings of the 17th AoM/IAoM Inernational Conference on Computer Science, San Diego, California, May 1999, pp. 44-49.
[25] Frank Kargl, Joern Maier, Michael Weber, “Protecting web servers from distributed denial of service attacks,” Proceedings of the tenth international conference on World Wide Web, Hong Kong, April 2001, pp. 514-524.
[26] Panos C. Lekkas, "Network Processors: Architectures, Protocols and Platforms", McGraw-Hill Professional 2003.
[27] J. Lemon, “Resisting SYN Flooding DoS Attacks with a SYN Cache,” Proceedings of USENIX BSDCon’2002, San Francisco, California, Feb. 2002, pp. 89-98.
[28] R.T. Liu, N.F. Huang, C.H. Chen, C.N. Kao, “A Fast String Matching Algorithm for Network Processor-Based Intrusion Detection System”, ACM Transactions on Embedded Computing Systems, Vol. 3, No. 3, Aug. 2004, pp. 614-633.
[29] R.T. Liu and N.F. Huang, C.N. Kao, and C.H. Chen, “A Fast Pattern Matching Algorithm for Network Processor-Based Intrusion Detection System,” IEEE International Performance Computing and Communications Conference (IEEE IPCCC2004), Phoenix, Arizona, Apr. 2004, pp. 271-275.
[30] R.T. Liu, N.F. Huang, C.N. Kao, C.H. Chen, and Joe Chiou, “A Fast Pattern Match Engine for Network Processor-based IDS", International Conference on Information Technology (ITCC2004), Las Vegas, Nevada, Apr. 2004, pp. 97-101.
[31] G. R. Malan, D. Watson, F. Jahanian, and P. Howell, “Transport and application protocol scrubbing,” in Proceedings IEEE INFOCOM, Tel Aviv, Israel, Mar. 2000, pp. 1381–1390.
[32] D. Maltz and P. Bhagwat, “TCP splicing for application layer proxy performance,” IBM Res. Div., Tech. Rep. RC 21139, Mar. 1998.
[33] E.P Markatos, S. Antonatos, M. Polychronakis and K.G Anagnostakis. “ExB: Exclusion-based signature matching for intrusion detection,” Proceedings of the IASTED International Conference on Communications and Computer Networks (CCN), Cambridge, USA, Nov. 2002, pp. 146-152.
[34] D. Moore, G. Voelker and S. Savage, “Inferring Internet Denial of Service Activity,” Proceedings of USENIX Security Symposium’2001, Washington, DC, Aug. 2001, pp. 9-22.
[35] J. Moscola, J. Lockwood, R.P. Loui, M. Pachos, “Implementation of a content scanning module for an internet firewall,” in Proceedings of IEEE Workshop on FPGAs for Custom Computing Machines, Napa, California, Apr. 2003, pp. 31-38.
[36] Network ICE: “Protocol Analysis vs Pattern Matching in Network and Host Intrusion Detection Systems”. Available from http://www.anitian.com/corp/ papers/protocol%20analysis.pdf
[37] Network ICE : “Protocol Analysis and Command Parsing vs. Pattern Matching in Intrusion Detection Systems,” Available from http://oldhand.org/document/ids/ Protocol_Analysis_vs_Pattern.pdf
[38] P. Paulin, F.Karim, P. Bromley, “Network Processors: A perspective on Market Requirements, Processor Architectures and Embedded S/W Tools,” In Proceedings of the DATE 2001 on Design, automation and test in Europe, Munich, Germany, Mar. 2001, pp 420-429.
[39] Vern Paxson, “Bro: A System for Detecting Network Intruders in Real-Time,” Computer Networks, 31(23-24), Dec. 1999, pp. 2435–2463.
[40] T. H. Ptacek and T. N. Newsham, “Insertion, evasion, and denial of service: Eluding network intrusion detection,” Secure Networks, Inc., Tech. Rep., Jan. 1998.
[41] Martin Roesch, “Snort - lightweight intrusion detection for networks,” in Proceedings of the 13th Systems Administration Conference, Seattle, Washington, Nov. 1999, pp. 229-238.
[42] G. van Rooij, “Real Stateful TCP Packet Filtering in IP Filter,” in Proceedings of the 2nd International SANE Conference, Maastricht, Netherlands, March 2000, pp. 161-175.
[43] C. Schuba, I. Krsul, M. Kuhn, G. SpaRord, A. Sundaram, and D. Zamboni, “Analysis of a denial of service attack on TCP”, Proceedings of the 1997 IEEE Symposium on Security and Privacy, Oakland, California, May 1997, pp. 208-223.
[44] Niraj Shah, William Plishker, Kurt Keutzer. “NP-Click: A Programming Model for the Intel IXP1200” in 2nd Workshop on Network Processors (NP-2) at the 9th International Symposium on High Performance Computer Architecture (HPCA-9), Anaheim, CA, Feb. 2003, pp. 100-111.
[45] NSS Group. HTTP://www.nss.co.uk/
[46] OSEC. HTTP:// http://osec.neohapsis.com/
[47] R. Sidhu, V.K. Prasanna, “Fast regular expression matching using FPGAs,” IEEE Symposium on Field-Programmable Custom Computing Machines, Rohnert Park, CA , Apr. 2001, pp. 223-232.
[48] “Snort.org,” http://www.snort.org/
[49] Sourcefire. “Snort 2.0 - Detection Revisited,” http://www.snort.org/docs/ Snort_20_v4.pdf, October 2002.
[50] Ioannis Sourdis, Dionisios Pnevmatikatos, “Fast, Large-Scale String Match for a 10Gbps FPGA-based Network Intrusion Detection System,” Proceedings of the 13th International Conference on Field Programmable Logic and Applications (FPL2003), Lisbon, Portugal, Sep. 2003, pp. 880-889.
[51] “Spirent Communications,” http://smartbits.spirentcom.com/
[52] “Vitesse.com,” http://www.vitesse.com/
[53] H. Wang, D. Zhang, and K.G. Shin, “Detecting SYN Flooding Attacks,” In Proceedings of IEEE INFOCOM, New York, US, Jun. 2002, pp. 1530-1539.
[54] B. W. Watson, “The performance of single-keyword and multiple-keyword pattern matching algorithms,” Tech. Rep. 94/19, Eindhoven University of Technology, 1994. Available from ftp://ftp.win.tue.nl
[55] David Watson , Matthew Smart , G. Robert Malan , Farnam Jahanian, “Protocol scrubbing: network security through transparent flow modification,” IEEE/ACM Transactions on Networking (TON), vol.12, no.2, pp.261-273, April 2004.
[56] “Whitehats.com,” http://www.whitehats.com/
[57] Sun Wu and Udi Manber, “A fast algorithm for multi-pattern searching,” Tech. Rep. TR94-17, Department of Computer Science, University of Arizona, May 1994.