Abstract
CardGuard is a signature detection system for intrusion detection and prevention that scans the entire payload of packets for suspicious patterns and is implemented in software on a network card equipped with an Intel IXP1200 network processor. One card can be used to protect either a single host or a small group of machines connected to a switch. CardGuard is non-intrusive in the sense that no cycles of the host CPUs are used for intrusion detection, and the system operates at Fast Ethernet link rate. TCP flows are first reconstructed before they are scanned with the Aho-Corasick algorithm.
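An added illustration, not code from the paper, of why CardGuard reconstructs TCP flows before matching: a compact Aho-Corasick matcher whose automaton state is carried across consecutive segments, so a signature split over two TCP segments is found, while packet-at-a-time scanning misses it. The signatures and segments are constructed samples.

```python
from collections import deque

class AhoCorasick:
    def __init__(self, patterns):
        self.goto = [{}]   # per-state transitions: byte value -> next state
        self.fail = [0]    # failure link per state
        self.out = [[]]    # patterns that end at this state
        for pat in patterns:
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(pat)
        queue = deque(self.goto[0].values())  # depth-1 states fail to the root
        while queue:                          # BFS sets the remaining failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]  # inherit matches of the suffix
    def scan(self, data, state=0):
        """Scan data starting in `state`; return (patterns matched, state to resume from)."""
        hits = []
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend(self.out[state])
        return hits, state

# Constructed sample signatures and TCP segments of one flow (not from the paper):
# the "cmd.exe" signature straddles the segment boundary.
SIGNATURES = [b"/bin/sh", b"/bin/bash", b"cmd.exe"]
SEGMENTS = [b"POST /run HTTP/1.0\r\n\r\ncm", b"d.exe /c dir\r\n"]
def scan_per_packet(matcher, segments):
    # Packet-at-a-time scanning: the automaton restarts at the root for every segment.
    return [p for seg in segments for p in matcher.scan(seg)[0]]

def scan_reassembled(matcher, segments):
    # Flow scanning as CardGuard does it: carrying the state across in-order segments
    # is equivalent to scanning the reassembled byte stream once.
    state, hits = 0, []
    for seg in segments:
        found, state = matcher.scan(seg, state)
        hits += found
    return hits
```

Real flow reconstruction must also handle reordering, retransmission and overlap before the bytes reach the matcher; this example assumes in-order segments.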
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Bos, H., Huang, K. (2006). Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_6
DOI: https://doi.org/10.1007/11663812_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31778-4
Online ISBN: 978-3-540-31779-1
eBook Packages: Computer Science (R0)