Architecture support for intrusion detection systems

Detailed bibliography
Title: Architecture support for intrusion detection systems
Authors: Sreekar Shenoy, Govind
Contributors: University/Department: Universitat Politècnica de Catalunya. Departament d'Arquitectura de Computadors
Thesis Advisors: Tubella, Jordi, González Colás, Antonio
Source: TDX (Tesis Doctorals en Xarxa)
Publisher information: Universitat Politècnica de Catalunya, 2012.
Publication year: 2012
Physical description: 150 p.
Original Identifier: B. 26281-2013
Description: System security is a prerequisite for efficient day-to-day transactions. As a consequence, Intrusion Detection Systems (IDS) are commonly used to provide an effective security ring around the systems in a network. An IDS operates by inspecting the packets flowing in the network for malicious content. To do so, an IDS like Snort[49] compares the bytes in a packet with a database of previously reported attacks. This functionality can also be viewed as string matching of the packet bytes against the attack string database. Snort commonly uses the Aho-Corasick algorithm[2] to detect attacks in a packet. The Aho-Corasick algorithm works by first constructing a Finite State Machine (FSM) from the attack string database; the FSM is then traversed with the packet bytes. The main advantage of this algorithm is that it provides a linear-time search irrespective of the number of strings in the database. The issue, however, lies in devising a practical implementation. The FSM thus constructed gets very bloated in terms of storage size, and so is area inefficient. This also hurts performance efficiency, since the memory footprint grows with it. Another issue is the limited scope for exploiting parallelism, due to the inherently sequential nature of an FSM traversal. This thesis explores hardware and software techniques to accelerate attack detection using the Aho-Corasick algorithm. In the first part of this thesis, we investigate techniques to improve the area and performance efficiency of an IDS. Notable among our contributions is a pipelined architecture that accelerates accesses to the most frequently accessed node in the FSM. The second part of this thesis studies the resilience of an IDS to evasion attempts. In an evasion attempt an adversary saturates the performance of an IDS to disable it, and thereby gain access to the network. We explore an evasion attempt that significantly degrades the performance of the Aho-Corasick algorithm used in an IDS. As a countermeasure, we propose a parallel architecture that improves the resilience of an IDS to an evasion attempt. The final part of this thesis explores techniques to exploit the characteristics of network traffic. In our study, we observe significant redundancy in the payload bytes, so we propose a mechanism to leverage this redundancy in the FSM traversal of the Aho-Corasick algorithm. We have also implemented our proposed redundancy-aware FSM traversal in Snort.
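The Aho-Corasick construction and traversal described in the abstract, as an added example (not code from the thesis or from Snort): it builds the FSM from a constructed signature list, scans constructed payloads, and reports the two costs the abstract raises, the size of a full 256-way transition table versus the sparse trie, and how much of a traversal stays on the root node. The "evasive" payload, made of signature prefixes that never complete, is this example's own illustration of keeping the traversal away from the root and spread over many states; it is not the specific evasion attempt the thesis studies. The signature strings, payloads, class and function names are all assumptions of the example.

```python
"""Aho-Corasick signature matching as used by an IDS such as Snort.

Added example: builds the FSM from a small attack-string database, traverses it
with packet payload bytes, and reports the costs the abstract discusses (state
count / dense-table size, and how much of the traversal stays on the root node).
The signatures and payloads are constructed for illustration, not Snort rules.
"""
from collections import deque


class AhoCorasick:
    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]      # goto[state] maps next byte -> next state (sparse trie)
        self.fail = [0]       # failure link: longest proper suffix that is a trie path
        self.output = [[]]    # indices of patterns that end at this state
        for idx, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.output.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.output[s].append(idx)
        # Breadth-first pass computes failure links and merges suffix outputs.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.output[s] = self.output[s] + self.output[self.fail[s]]

    def num_states(self):
        return len(self.goto)

    def dense_table_bytes(self, entry_bytes=4):
        """Size of a full 256-way transition table, the 'bloated' FSM form."""
        return self.num_states() * 256 * entry_bytes

    def sparse_entries(self):
        return sum(len(g) for g in self.goto)

    def scan(self, payload):
        """Traverse the FSM over payload bytes; return (matches, traversal stats)."""
        s = 0
        matches = []
        visited = set()
        stats = {"fail_steps": 0, "node_accesses": 0, "root_accesses": 0}
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                stats["node_accesses"] += 1   # looked at node s, then took its failure link
                stats["fail_steps"] += 1
                s = self.fail[s]
            stats["node_accesses"] += 1
            if s == 0:
                stats["root_accesses"] += 1
            s = self.goto[s].get(b, 0)
            visited.add(s)
            for idx in self.output[s]:
                matches.append((i, self.patterns[idx]))   # i = offset of the last byte
        stats["distinct_states"] = len(visited)
        return matches, stats


def root_fraction(stats):
    return stats["root_accesses"] / stats["node_accesses"]


# Constructed signature database and payloads (not real Snort rules or captures).
SIGNATURES = [b"/etc/passwd", b"/etc/shadow", b"cmd.exe", b"<script>", b"UNION SELECT"]
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: curl/8.0\r\n\r\n")
# Evasion-style payload: signature prefixes that never complete, so the traversal
# lingers in deep states instead of returning to the root.
EVASIVE = b"".join(sig[:-1] for sig in SIGNATURES) * 4


def demo():
    ac = AhoCorasick(SIGNATURES)
    hits, _ = ac.scan(b"GET /etc/passwd HTTP/1.0")
    _, benign = ac.scan(BENIGN)
    _, evasive = ac.scan(EVASIVE)
    return {
        "states": ac.num_states(),
        "dense_bytes": ac.dense_table_bytes(),
        "sparse_entries": ac.sparse_entries(),
        "hits": hits,
        "benign_root_fraction": root_fraction(benign),
        "evasive_root_fraction": root_fraction(evasive),
        "benign_states": benign["distinct_states"],
        "evasive_states": evasive["distinct_states"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as a script to print the numbers. On the benign request almost every lookup hits the root, which is why a fast path for that single node pays off; the prefix-only payload drops root accesses to roughly a tenth of lookups and touches 39 distinct states, the access pattern an adversary wants when the hot node is the only one the hardware keeps close.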
Description (translated): Doctorate in Computer Architecture (Plan 2007)
Document type: Dissertation/Thesis
File description: application/pdf
Language: English
DOI: 10.5821/dissertation-2117-94979
Access URL: http://hdl.handle.net/10803/124705
https://dx.doi.org/10.5821/dissertation-2117-94979
Rights: Access to the contents of this thesis is subject to acceptance of the terms of use established by the following Creative Commons licence: http://creativecommons.org/licenses/by/3.0/es/
Accession number: edstdx.10803.124705
Database: TDX
Publication date: 30 October 2012