High performance TCP reassembly for network intrusion detection system
International Review on Computers and Software, No. 6, 2012 (Vol. 7, pp. 3320-3325)
ISSN: 18286003
DOI:
Document category: Scopus
Article
English
Keywords: Edge; Hold up; Intrusion patterns; Linked list; Matching techniques; Network intrusion detection systems; Network links; Reassembly; Segment Array; System supports; TCP connections; Time-stamp; Bottles; Computer crime; Dynamic random access storage; Field programmable gate arrays (FPGA); Intrusion detection; Transmission control protocol
English abstract
Transmission Control Protocol (TCP) is now one of the most popular protocols in networking. However, it is practically proved that TCP reassembly is memory-hungry and it is usually the bottleneck of a system. In this paper, we propose a method for TCP reassembly, called the multi-linked-list method, which can offer high performance. The targeted applications of our system are Network Intrusion Detection Systems (NIDSs), which usually use signature-based matching techniques to protect networks from illegal intrusions. Our proposed method combines a reassembly technique with edge buffering to help NIDS detect cross-packet intrusion patterns. Our system supports TCP connections with up to 4 concurrent holes. It can hold up to 256K connections simultaneously, including up to 46K out-of-sequence connections, with only 64MB DRAM. This version of our system can operate on a 10Gbps network link and supports connection timestamps and a buffer threshold to prevent some kinds of attacks on our system itself. © 2012 Praise Worthy Prize S.r.l. - All rights reserved.