About This Item

Ask the MINDS@UW Librarian

Backtracking Algorithmic Complexity Attacks Against a NIDS

Show simple item record

File(s):

Files Size Format View
TR1561.pdf 257.1Kb application/pdf View/Open
Key Value Language
dc.contributor.author Smith, Randy en_US
dc.contributor.author Estan, Cristian en_US
dc.contributor.author Jha, Somesh en_US
dc.date.accessioned 2012-03-15T17:20:21Z
dc.date.available 2012-03-15T17:20:21Z
dc.date.created 2006 en_US
dc.date.issued 2012-03-15T17:20:21Z
dc.identifier.uri http://digital.library.wisc.edu/1793/60496
dc.description.abstract Network Intrusion Detection Systems (NIDS) have become crucial to securing modern networks. To be effective, a NIDS must be able to counter evasion attempts and operate at or near wire-speed. Failure to do so allows malicious packets to slip through a NIDS undetected. In this paper, we explore NIDS evasion through algorithmic complexity attacks. We present a highly effective attack against the Snort NIDS, and we provide a practical algorithmic solution that successfully thwarts the attack. This attack exploits the behavior of rule matching, yielding inspection times that are up to 1.5 million times slower than that of benign packets. Our analysis shows that this attack is applicable to many rules in Snortís ruleset, rendering vulnerable the thousands of networks protected by it. Our countermeasure confines the inspection time to within one order of magnitude of benign packets. Experimental results using a live system show that an attacker needs only 4.0 kbps of bandwidth to perpetually disable an unmodified NIDS, whereas all intrusions are detected when our countermeasure is used. en_US
dc.description.provenance Made available in DSpace on 2012-03-15T17:20:21Z (GMT). No. of bitstreams: 1 TR1561.pdf: 257137 bytes, checksum: a9a15f1739eb960b304489800ba23b77 (MD5) en
dc.format.mimetype application/pdf en_US
dc.publisher University of Wisconsin-Madison Department of Computer Sciences en_US
dc.title Backtracking Algorithmic Complexity Attacks Against a NIDS en_US
dc.type Technical Report en_US

Part of

Show simple item record