Fragmented Packet


The Experts below are selected from a list of 354 Experts worldwide ranked by ideXlab platform

Kenji Kono - One of the best experts on this subject based on the ideXlab platform.

  • TCP reassembler for layer7-aware network intrusion detection/prevention systems
    IEICE Transactions on Information and Systems, 2007
    Co-Authors: Miyuki Hanaoka, Makoto Shimamura, Kenji Kono
    Abstract:

    Exploiting layer7 context is an effective approach to improving the accuracy of detecting malicious messages in network intrusion detection/prevention systems (NIDS/NIPSs). Layer7 context enables us to inspect message formats and the order in which messages are exchanged. Unfortunately, layer7-aware NIDS/NIPSs pose crucial implementation issues because they require full TCP and IP reassembly without losing 1) complete prevention, 2) performance, 3) application transparency, or 4) transport transparency. Complete prevention means that the NIDS/NIPS should prevent malicious messages from reaching target applications. Application transparency means not requiring any modifications to and/or reconfiguration of server and client applications. Transport transparency means not disrupting the end-to-end semantics of TCP/IP. To the best of our knowledge, none of the existing approaches meet all of these requirements. We have developed an efficient mechanism for layer7-aware NIDS/NIPSs that does meet the above requirements. Our store-through does this by forwarding each out-of-order or IP-fragmented packet immediately after copying the packet, even if it has not been checked yet by an NIDS/NIPS sensor. Although the forwarded packet might turn out to be a part of an attack message, the store-through mechanism can successfully defend against the attack by blocking one of the subsequent packets that contain another part of the attack message. Testing of a prototype in Linux kernel 2.4.30 demonstrated that the overhead of our mechanism is negligible compared with that of a simple IP forwarder, even in the presence of out-of-order and IP-fragmented packets. In addition, the experimental results suggest that the CPU and memory usage incurred by our store-through is not significant.
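The store-through idea in the abstract above, as an added example that is not code from the paper or its prototype: every TCP segment is copied into the NIPS's own reassembler and forwarded at once, even when it arrives out of order; once the copies form a complete layer-7 message the sensor checks it, and if the message is malicious the segment whose arrival completed it is dropped. Since the receiving host's TCP stack only delivers contiguous bytes to the application, the application never gets the message. The newline-terminated message format, the marker-based sensor, the receiver model and the TCP-only scope (IP fragments are not modelled) are all assumptions for illustration.

```python
"""Toy model of store-through forwarding for a layer7-aware NIPS.
Added illustration, not the paper's code; message format, sensor and
receiver model are assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset of the payload within the stream
    payload: bytes


ATTACK_MARKER = b"EXPLOIT"   # assumed stand-in for a real layer-7 signature


def sensor_is_malicious(message: bytes) -> bool:
    """Hypothetical layer-7 sensor applied to one complete message."""
    return ATTACK_MARKER in message


class Reassembler:
    """Delivers only contiguous bytes; used both for the NIPS copy and as a
    model of the receiving host's TCP stack."""

    def __init__(self):
        self.next_seq = 0
        self.pending = {}        # seq -> payload held until the gap closes
        self.delivered = b""

    def add(self, seg: Segment) -> bytes:
        """Store a segment and return the bytes that became contiguous."""
        if seg.seq < self.next_seq:       # toy: ignore retransmits/overlaps
            return b""
        self.pending[seg.seq] = seg.payload
        out = b""
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            out += chunk
            self.next_seq += len(chunk)
        self.delivered += out
        return out


class StoreThroughForwarder:
    """Copy, then forward; drop only the segment that completes a malicious
    message (and everything after the stream has been blocked)."""

    def __init__(self, terminator: bytes = b"\n"):
        self.copy = Reassembler()
        self.unchecked = b""     # in-order bytes not yet closing a message
        self.terminator = terminator
        self.blocked = []        # seqs of dropped segments
        self.closed = False

    def handle(self, seg: Segment) -> bool:
        """Return True to forward the segment, False to drop it."""
        if self.closed:
            self.blocked.append(seg.seq)
            return False
        new_bytes = self.copy.add(seg)
        if not new_bytes:
            return True          # out of order: forward now, keep the copy
        self.unchecked += new_bytes
        while self.terminator in self.unchecked:
            msg, _, self.unchecked = self.unchecked.partition(self.terminator)
            if sensor_is_malicious(msg):
                # the application cannot consume the message without this
                # segment, so dropping it is enough; close the stream too
                self.blocked.append(seg.seq)
                self.closed = True
                return False
        return True


def run_stream(segments):
    """Push segments through the forwarder into a model receiver.
    Returns (forwarded seqs, blocked seqs, bytes the application received)."""
    nips = StoreThroughForwarder()
    host = Reassembler()
    forwarded = []
    for seg in segments:
        if nips.handle(seg):
            forwarded.append(seg.seq)
            host.add(seg)
    return forwarded, nips.blocked, host.delivered


# Constructed stream: a benign request, then an attack message split across
# two segments whose second half arrives before the first.
ATTACK_OUT_OF_ORDER = [
    Segment(0, b"GET /ok\n"),
    Segment(12, b"OIT-payload\n"),   # second half, arrives first: forwarded
    Segment(8, b"EXPL"),             # fills the gap, completes the message: blocked
]

if __name__ == "__main__":
    print(run_stream(ATTACK_OUT_OF_ORDER))
```

The forwarder never buffers a packet on the path, which is what keeps latency and the end-to-end TCP semantics intact; what it does hold is the copy. A practitioner deploying anything shaped like this should bound the copy and the gap-wait (count, bytes, age) and pick a policy for segments that overlap or retransmit with different data, since the toy above simply ignores those and an unbounded copy store is an obvious resource-exhaustion target. The abstract reports that the prototype's CPU and memory cost was not significant, but says nothing about those limits, so treat them as your own design work.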

  • An efficient TCP reassembler mechanism for layer7-aware network intrusion detection/prevention systems
    International Symposium on Computers and Communications, 2007
    Co-Authors: Miyuki Hanaoka, Kenji Kono, Makoto Shimamura, Satoshi Yamaguchi
    Abstract:

    Exploiting layer7 context is an effective approach to improving the accuracy of detecting malicious messages in network intrusion detection/prevention systems (NIDS/NIPSs). Unfortunately, layer7-aware NIDS/NIPSs pose crucial implementation issues because they require full TCP/IP reassembly without losing (1) complete prevention, (2) performance, (3) application transparency, or (4) transport transparency. To the best of our knowledge, none of the existing approaches meet all of these requirements. Our store-through does this by forwarding each out-of-order or IP-fragmented packet immediately after copying it, even if it has not been checked yet. Although the forwarded packet might turn out to be a part of an attack, the store-through can successfully defend against the attack by blocking one of the subsequent packets. Testing of a prototype in Linux kernel 2.4.30 demonstrated that the overhead of our mechanism is negligible compared with that of a simple IP forwarder, even in the presence of out-of-order packets.

Miyuki Hanaoka - One of the best experts on this subject based on the ideXlab platform.

  • TCP reassembler for layer7-aware network intrusion detection/prevention systems
    IEICE Transactions on Information and Systems, 2007
    Co-Authors: Miyuki Hanaoka, Makoto Shimamura, Kenji Kono
    Abstract: identical to the entry of the same title under Kenji Kono above.

  • An efficient TCP reassembler mechanism for layer7-aware network intrusion detection/prevention systems
    International Symposium on Computers and Communications, 2007
    Co-Authors: Miyuki Hanaoka, Kenji Kono, Makoto Shimamura, Satoshi Yamaguchi
    Abstract: identical to the entry of the same title under Kenji Kono above.

Satoshi Yamaguchi - One of the best experts on this subject based on the ideXlab platform.

  • An efficient TCP reassembler mechanism for layer7-aware network intrusion detection/prevention systems
    International Symposium on Computers and Communications, 2007
    Co-Authors: Miyuki Hanaoka, Kenji Kono, Makoto Shimamura, Satoshi Yamaguchi
    Abstract: identical to the entry of the same title under Kenji Kono above.

Makoto Shimamura - One of the best experts on this subject based on the ideXlab platform.

  • TCP reassembler for layer7-aware network intrusion detection/prevention systems
    IEICE Transactions on Information and Systems, 2007
    Co-Authors: Miyuki Hanaoka, Makoto Shimamura, Kenji Kono
    Abstract: identical to the entry of the same title under Kenji Kono above.

  • An efficient TCP reassembler mechanism for layer7-aware network intrusion detection/prevention systems
    International Symposium on Computers and Communications, 2007
    Co-Authors: Miyuki Hanaoka, Kenji Kono, Makoto Shimamura, Satoshi Yamaguchi
    Abstract: identical to the entry of the same title under Kenji Kono above.

Hyun Gon Kim - One of the best experts on this subject based on the ideXlab platform.

  • A secure 6LoWPAN re-transmission mechanism for packet fragmentation against replay attacks
    Journal of the Korea Society of Computer and Information, 2009
    Co-Authors: Hyun Gon Kim
    Abstract:

    6LoWPAN (IPv6 over Low-power Wireless Personal Area Networks) performs IPv6 header compression, TCP/UDP/ICMP header compression, and packet fragmentation and reassembly to transmit IPv6 packets over the IEEE 802.15.4 MAC/PHY. However, from the point of view of security, it inherits the existing security threats posed by IP packet fragmenting and reassembling, and new security threats posed by 6LoWPAN packet fragmenting and reassembling are introduced in addition. If fragmented packets are retransmitted frequently because of replay attacks, sensor nodes will be confronted with communication disruption. This paper analyzes the security threats introduced by 6LoWPAN fragmenting and reassembling, and proposes a re-transmission mechanism that could minimize the re-transmissions caused by replay attacks. A re-transmission procedure and a fragmented packet structure based on the 6LoWPAN standard (RFC 4944) are designed. We also estimate the re-transmission delay of the proposed mechanism. The mechanism utilizes a timestamp, a nonce, and a checksum to protect against replay attacks. It could minimize reassembly buffer overflow, waste of computing resources, node rebooting, etc., by removing unnecessary packet fragmentation and reassembly.
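The abstract names three fields (timestamp, nonce, checksum) but not how a receiver applies them, so the following is an added illustration, not the paper's design: a toy 6LoWPAN-style fragment receiver that verifies those fields before spending any reassembly-buffer space, so a replayed or stale fragment costs the node nothing but a lookup. The field widths, the 5-second freshness window, the buffer count and the keyed checksum are assumptions; the RFC 4944 fragment header itself carries only datagram_size, datagram_tag and datagram_offset. The checksum is keyed (an HMAC truncated to 8 bytes) because an unkeyed one could be recomputed by whoever forges a fresh timestamp and nonce, which would defeat the replay check.

```python
"""Toy replay-resistant fragment receiver in the spirit of the abstract.
Added illustration; header layout, window, key and buffer limit are
assumptions, not taken from the paper or RFC 4944."""

import hashlib
import hmac
import struct

KEY = b"example-link-key"      # assumed pre-shared link key
WINDOW_S = 5                   # assumed: max clock skew / fragment lifetime, seconds
MAX_BUFFERS = 2                # assumed: reassembly buffers on a constrained node
HDR = struct.Struct("!HHBIQ")  # datagram_size, datagram_tag, offset (8-byte units), timestamp, nonce
MAC_LEN = 8


def checksum(hdr: bytes, payload: bytes) -> bytes:
    """Keyed checksum over header and payload (assumption: keyed so that a
    forged timestamp/nonce cannot simply be re-summed by the attacker)."""
    return hmac.new(KEY, hdr + payload, hashlib.sha256).digest()[:MAC_LEN]


def build_fragment(size: int, tag: int, offset: int, ts: int, nonce: int, payload: bytes) -> bytes:
    """Sender side: header, then checksum, then payload."""
    hdr = HDR.pack(size, tag, offset, ts, nonce)
    return hdr + checksum(hdr, payload) + payload


class Receiver:
    def __init__(self):
        self.seen = {}        # nonce -> timestamp; forgotten once outside the window
        self.buffers = {}     # datagram_tag -> {offset: payload}
        self.datagrams = []   # completed datagrams, in order of completion
        self.dropped = []     # (reason, tag) for audit

    def accept(self, frag: bytes, now: int) -> str:
        """Process one fragment at wall-clock `now`; returns a status string."""
        if len(frag) < HDR.size + MAC_LEN:
            return self._drop("short", -1)
        hdr = frag[:HDR.size]
        mac = frag[HDR.size:HDR.size + MAC_LEN]
        payload = frag[HDR.size + MAC_LEN:]
        size, tag, offset, ts, nonce = HDR.unpack(hdr)
        # 1. integrity first, so forged fields never reach the replay logic
        if not hmac.compare_digest(mac, checksum(hdr, payload)):
            return self._drop("bad-checksum", tag)
        # 2. freshness: refuse stale fragments and forget nonces that aged out,
        #    which is what keeps the nonce table bounded
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_S}
        if abs(now - ts) > WINDOW_S:
            return self._drop("stale", tag)
        # 3. replay: the same nonce inside the window is never reassembled twice
        if nonce in self.seen:
            return self._drop("replay", tag)
        self.seen[nonce] = ts
        # 4. only a verified, fresh, unseen fragment may claim buffer space
        if tag not in self.buffers and len(self.buffers) >= MAX_BUFFERS:
            return self._drop("no-buffer", tag)
        buf = self.buffers.setdefault(tag, {})
        buf[offset] = payload
        if sum(len(p) for p in buf.values()) >= size:
            self.datagrams.append(b"".join(buf[o] for o in sorted(buf)))
            del self.buffers[tag]          # free the buffer promptly
            return "complete"
        return "accepted"

    def _drop(self, reason: str, tag: int) -> str:
        self.dropped.append((reason, tag))
        return reason


if __name__ == "__main__":
    # Constructed traffic: a two-fragment datagram, then the first fragment replayed.
    r = Receiver()
    first = build_fragment(16, 1, 0, 100, 11, b"A" * 8)
    second = build_fragment(16, 1, 1, 100, 12, b"B" * 8)
    print(r.accept(first, 100), r.accept(first, 101), r.accept(second, 101))
    print(r.datagrams, r.dropped)
```

In this model a legitimate retransmission carries a fresh nonce and timestamp (an assumption), so it is not confused with a replay, while a captured fragment replayed inside the window is rejected at step 3 and one replayed later is rejected at step 2, in both cases before the node's few reassembly buffers are touched. The check order matters: integrity before freshness, freshness before replay, and replay before buffer allocation, since any reordering lets an attacker force state to be allocated or nonces to be recorded on the strength of an unverified packet.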