Network security

Elsevier eBooks (2022)

Abstract
Anomaly detection can potentially detect new types of attacks that signature-based systems will miss. Unfortunately, anomaly detection systems are prone to falsely identifying events as malicious. Thus, this chapter does not address anomaly-based methods. Meanwhile, signature-based systems are highly popular due to their relatively simple implementation and their ability to detect commonly used attack tools. This chapter samples three important subtasks that arise in the context of intrusion detection. The first is an analysis subtask, string matching, which is a key bottleneck in popular signature-based systems such as Snort. The second is a response subtask, traceback, which is of growing importance given the ability of intruders to use forged source addresses. The third is an analysis subtask: detecting the onset of a new worm (e.g., Code Red) without prior knowledge. These three subtasks only scratch the surface of a vast area that needs to be explored. They were chosen to provide an indication of the richness of the problem space and to outline some potentially powerful tools. Worm detection was also chosen to showcase how mechanisms studied earlier in the book can be combined in powerful ways. This chapter is organized as follows. The first few sections explore solutions to the important problem of searching for suspicious strings in packet payloads. Section 17.1.1 describes the Aho–Corasick algorithm for searching for multiple strings in one pass using a trie with backpointers. Section 17.1.2 describes a generalization of the classical Boyer–Moore algorithm, which can sometimes run faster by skipping over more of the packet. Section 17.2 shows how to approach an even harder problem: searching for approximate string matches. The section introduces two powerful ideas, min-wise hashing and random projections, and suggests that even complex tasks such as approximate string matching can plausibly be implemented at wire speeds.
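The single-pass multi-string search of Section 17.1.1 is easiest to see in code. The following is an added example (Python, not the book's code and not Snort's) of an Aho–Corasick matcher used the way an IDS content matcher would use it: a trie of all signature strings, failure links (the "backpointers" of the text) so that no payload byte is re-read, and a scan that reports every signature occurrence with its offset. The signature strings and the HTTP payload are constructed; the first signature is modeled on the Code Red probe the text mentions.

```python
"""Aho-Corasick multi-pattern matching over a packet payload.

Added example in the spirit of an IDS content matcher; it is not the book's
code and not Snort's. The signature set and payload below are constructed."""
from collections import deque


class AhoCorasick:
    """Trie of all patterns plus failure links (the 'backpointers' of the
    text). The scan consumes each payload byte once, so the cost per packet
    does not grow with the number of signatures."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]   # goto[state][byte] -> next state
        self.fail = [0]    # failure link per state
        self.out = [[]]    # indices of patterns that end at this state
        for idx, pat in enumerate(self.patterns):
            self._insert(pat, idx)
        self._build_failure_links()

    def _insert(self, pat, idx):
        s = 0
        for b in pat:
            if b not in self.goto[s]:
                self.goto[s][b] = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
            s = self.goto[s][b]
        self.out[s].append(idx)

    def _build_failure_links(self):
        # Breadth-first, so fail[] of shallower states is final when needed.
        queue = deque(self.goto[0].values())  # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Inherit matches of shorter patterns ending at the same point.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, payload):
        """Return [(start_offset, pattern), ...] for every occurrence."""
        hits = []
        s = 0
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for idx in self.out[s]:
                pat = self.patterns[idx]
                hits.append((i + 1 - len(pat), pat))
        return hits


# Constructed Snort-style content strings; the first is modeled on the
# Code Red probe mentioned in the text.
SIGNATURES = [b"default.ida?", b"cmd.exe", b"root.exe", b"ida?"]

# Constructed payload: one HTTP request carrying a Code Red-like probe.
PAYLOAD = (b"GET /default.ida?" + b"N" * 24 + b"%u9090%u6858 HTTP/1.0\r\n"
           b"Host: 198.51.100.20\r\n\r\n")


def scan(payload=PAYLOAD, signatures=SIGNATURES):
    """Build the automaton and report every signature hit in one pass."""
    return AhoCorasick(signatures).search(payload)


if __name__ == "__main__":
    for offset, sig in scan():
        print(f"offset {offset:3d}: {sig!r}")
```

Two details matter for an IDS. First, the failure link of the state reached after `default.ida?` points at the state for `ida?`, so both signatures are reported at the same payload position without rescanning; this is the "inherit matches" step. Second, a production matcher (Snort's included) compiles the automaton once per rule set and keeps a dense state table rather than Python dictionaries, but the per-byte transition structure is the same.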
Section 17.3 marks a transition to the problem of responding to an attack by introducing the IP traceback problem. It also presents a seminal solution using probabilistic packet marking. Section 17.4 offers a second solution, which uses packet logs and no packet modifications; the logs are implemented efficiently using an important technique called a Bloom filter. Section 17.5 explains how algorithmic techniques can be used to automatically extract the strings used by intrusion detection systems such as Snort. In other words, instead of having these strings installed manually by security analysts, could a system extract the suspicious strings on its own? We ground the discussion in the context of detecting worm attack payloads. Such techniques have since become known as automatic worm fingerprinting. Section 17.6 describes the earliest automatic worm fingerprinting system, EarlyBird, and the network algorithmics techniques it uses to scale to high link and system speeds. Section 17.7 describes Carousel, an elegant network algorithmics solution for another network security problem that looks deceptively simple but is in fact very challenging when the solution has to scale to high link and system speeds.
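The log-based traceback of Section 17.4 hinges on two ideas: routers store a compact digest of each packet in a Bloom filter rather than the packet itself, and the digest covers only fields that do not change hop by hop, so the victim can query with the packet as it arrived. The following is an added example (Python, not the book's code) that simulates this: a `BloomFilter`, a `Router` that logs a digest on every forward, and a victim that asks every router whether it saw a packet with a forged source address. The topology, addresses, payloads and the `Packet`/`Router` names are all constructed for illustration.

```python
"""Bloom-filter packet-digest logs for IP traceback.

Added example, not the book's code: every router records a digest of each
forwarded packet in a Bloom filter instead of storing the packet, and the
victim later asks each router whether it saw the attack packet. The topology,
addresses and traffic below are constructed."""
import hashlib
import math
from collections import namedtuple

Packet = namedtuple("Packet", "src dst ttl payload")


class BloomFilter:
    """m-bit array with k hash positions per item: no false negatives,
    false positives at a rate set by m, k and the number of items."""

    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # k positions from one SHA-256 via double hashing (h1 + i*h2).
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    @staticmethod
    def false_positive_rate(m_bits, k_hashes, n_items):
        """Standard estimate (1 - e^{-kn/m})^k."""
        return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


def packet_digest(pkt):
    # Only hop-invariant fields: addresses and a payload prefix. TTL is
    # excluded because every router rewrites it, which would break queries.
    return pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload[:8]


class Router:
    def __init__(self, name, m_bits=1 << 16, k_hashes=4):
        self.name = name
        self.log = BloomFilter(m_bits, k_hashes)

    def forward(self, pkt):
        """Log the digest and hand the packet on with TTL decremented."""
        self.log.add(packet_digest(pkt))
        return pkt._replace(ttl=pkt.ttl - 1)

    def saw(self, pkt):
        return packet_digest(pkt) in self.log


def run_traceback():
    """Simulate an attack with a forged source, then query every router.
    Returns (true path, set of routers whose log claims the packet)."""
    routers = {n: Router(n) for n in ("R1", "R2", "R3", "R4", "R5")}
    attack_path = ["R1", "R2", "R4"]
    # Constructed attack packet; the source address is forged, so it is
    # useless for locating the sender and only the router logs can help.
    pkt = Packet(src="203.0.113.9", dst="198.51.100.20", ttl=64, payload=b"\x90" * 40)
    for hop in attack_path:
        pkt = routers[hop].forward(pkt)
    # Constructed background traffic on the other branch, to fill those logs.
    for i in range(1000):
        bg = Packet(src=f"192.0.2.{i % 256}", dst="198.51.100.20", ttl=64,
                    payload=i.to_bytes(4, "big"))
        for hop in ("R3", "R5"):
            bg = routers[hop].forward(bg)
    # The victim queries with the packet as received (TTL already decremented).
    suspects = {n for n, r in routers.items() if r.saw(pkt)}
    return attack_path, suspects


if __name__ == "__main__":
    path, suspects = run_traceback()
    print("true path   :", path)
    print("routers hit :", sorted(suspects))
    print("est. FP rate:", BloomFilter.false_positive_rate(1 << 16, 4, 1000))
```

The Bloom filter never produces a false negative, so every router on the true path answers yes; a router off the path can answer yes with the false-positive probability above, which is why the filter must be sized for the number of packets logged per time window and why a real deployment checks that the reported routers form a connected path in the topology. The example collapses two things the published scheme does not: a real digest is taken over the invariant IP header fields plus the first bytes of payload rather than a string key, and routers keep a separate filter per time interval so that queries are bounded to the window in which the attack packet arrived.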
Keywords
network security