Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3858)

Abstract

CardGuard is a signature detection system for intrusion detection and prevention that scans the entire payload of packets for suspicious patterns and is implemented in software on a network card equipped with an Intel IXP1200 network processor. One card can be used to protect either a single host or a small group of machines connected to a switch. CardGuard is non-intrusive in the sense that no cycles of the host CPUs are used for intrusion detection, and the system operates at Fast Ethernet link rate. TCP flows are first reconstructed before they are scanned with the Aho-Corasick algorithm.
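The abstract's ordering, reassemble the TCP flow first and only then run Aho-Corasick, is what lets a signature that straddles a segment boundary be seen at all. The following Python is an added illustration, not code from the paper or from CardGuard: the automaton is a textbook Aho-Corasick, and the signatures, the two out-of-order segments, and the assumption of contiguous non-overlapping segments are all constructed for the example.

```python
from collections import deque

def build_automaton(patterns):
    """Aho-Corasick: goto trie, failure links and per-state output sets (over bytes)."""
    goto, out, fail = [{}], [set()], [0]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({}); out.append(set()); fail.append(0)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(p)
    q = deque(goto[0].values())          # depth-1 states fail to the root
    while q:
        r = q.popleft()
        for ch, s in goto[r].items():
            q.append(s)
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]       # inherit patterns ending at the fail state
    return goto, out, fail

def scan(automaton, data):
    """Return (offset, pattern) for every signature occurrence in data."""
    goto, out, fail = automaton
    s, hits = 0, []
    for i, b in enumerate(data):
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits.extend((i - len(p) + 1, p) for p in out[s])
    return hits

def reassemble(segments):
    """Order (seq, payload) segments by sequence number and concatenate them.
    Constructed simplification: segments are contiguous, with no gaps or overlap."""
    return b"".join(payload for _, payload in sorted(segments))

# Constructed signatures and a constructed flow delivered out of order, with the
# signature "cmd.exe" split across the two segments.
SIGNATURES = [b"cmd.exe", b"/bin/sh"]
AUTOMATON = build_automaton(SIGNATURES)
SEG_A = b"GET /download?file=cm"
SEG_B = b"d.exe HTTP/1.0\r\n"
SEGMENTS = [(len(SEG_A), SEG_B), (0, SEG_A)]

def per_packet_hits(automaton, segments):
    return [p for _, payload in segments for _, p in scan(automaton, payload)]

def stream_hits(automaton, segments):
    return [p for _, p in scan(automaton, reassemble(segments))]
```

Scanning each segment on its own returns nothing, while scanning the reassembled stream reports the split signature once, at its byte offset in the flow.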




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bos, H., Huang, K. (2006). Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_6

  • DOI: https://doi.org/10.1007/11663812_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1

  • eBook Packages: Computer Science (R0)
