
Improving the Resilience of an IDS against Performance Throttling Attacks

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2012)

Abstract

Intrusion Detection Systems (IDS) have emerged as one of the most promising ways to secure systems in the network. To be effective against evasion attempts, the IDS must provide tight bounds on performance. Otherwise an adversary can bypass the IDS by carefully crafting and sending packets that throttle it. This can render the IDS ineffective, thus resulting in the network becoming vulnerable.

We present a performance throttling attack mounted against the computationally intensive string matching algorithm. This algorithm performs string matching by traversing a finite-state machine (FSM). We observe that some input bytes sequentially traverse a chain of 30 pointers. This chain of traversals drastically degrades performance: we observe a 22X performance drop in comparison to the average-case performance. We investigate hardware and software mechanisms to counter this performance degradation. The software mechanism targets commodity general-purpose CPUs, while the hardware-based mechanism uses a parallel traversal suited to network processor architectures. Our results show that our proposed mechanisms significantly improve (by over 3X) the string matching algorithm's worst-performing cases.
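An added example (not the paper's code) of the kind of FSM the abstract refers to: an Aho-Corasick matcher with failure links, a static check of the longest failure-pointer chain a single input byte can force, and a full-DFA build that resolves those chains at build time so every byte costs one lookup. It assumes the pointer chain the abstract describes is the Aho-Corasick failure-link chain; the full-DFA precomputation is a standard space-for-time mitigation, not necessarily the paper's mechanism.

```python
from collections import deque

class AhoCorasick:
    """Multi-pattern matcher: goto trie plus failure links (the FSM in question)."""
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for p in patterns:
            s = 0
            for b in p.encode():
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(p)
        q = deque(self.goto[0].values())            # depth-1 states fail to the root
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:  # walk the parent's failure chain
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                q.append(s)

    def step(self, s, b):
        """Advance one byte; also return how many failure pointers were followed."""
        hops = 0
        while s and b not in self.goto[s]:
            s, hops = self.fail[s], hops + 1
        return self.goto[s].get(b, 0), hops

    def max_failure_chain(self):
        """Static worst case: longest failure chain any one input byte can force."""
        return max(self.step(s, b)[1] for s in range(len(self.goto)) for b in range(256))

    def search(self, data):
        """Return (matches as (offset, pattern), longest chain seen on this input)."""
        s, found, worst = 0, [], 0
        for i, b in enumerate(data):
            s, hops = self.step(s, b)
            worst = max(worst, hops)
            found += [(i - len(p) + 1, p) for p in sorted(self.out[s])]
        return found, worst

def to_full_dfa(ac):
    """Resolve every failure chain at build time: delta[state][byte] is one lookup."""
    # Per-byte cost becomes constant for any input; memory grows to states*256 entries.
    return [[ac.step(s, b)[0] for b in range(256)] for s in range(len(ac.goto))]
```

A constructed rule set such as `["aaaaaaaaab", "abc"]` shows the effect: `max_failure_chain()` reports 9 pointer hops for one byte, while the full DFA answers the same transition in a single table lookup.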



Copyright information

© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Shenoy, G.S., Tubella, J., González, A. (2013). Improving the Resilience of an IDS against Performance Throttling Attacks. In: Keromytis, A.D., Di Pietro, R. (eds) Security and Privacy in Communication Networks. SecureComm 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 106. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36883-7_11


  • DOI: https://doi.org/10.1007/978-3-642-36883-7_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36882-0

  • Online ISBN: 978-3-642-36883-7
