Escolar Documentos
Profissional Documentos
Cultura Documentos
!%0)2%
5>
-0 Filter %ntegration
!f (e can build an efficient filter for a single rule+ does it mean (e can build an
equally efficient pac'et filtering system for multiple rulesK The ans(er is no&
An ideal pac'et filtering system should ha*e the follo(ing properties$
All the matching rules can be identified in a single scan& !t means that a pac'et
can be processed (ithout repeated tests on the same fields&
The time required for rule matching is insensiti*e to the number of rules&
8asically+ there are t(o approaches in building a pac'et filer for multiple rules& One
is to simply put together all the filters for indi*idual rules+ then test these filters one after
another& learly+ this is not a good choice& For eBample+ a pac'et (ill be tested against each
rule separately+ (hile e*ery elementary comparison common to the multiple rules (ill be
chec'ed more than once& Ci'e the eBpression Hp.e3typeI+ it is going to be compared (ith the
same *alue by all the rules for the !% protocol in the system& More o*er+ the number of
matching rules largely affects the performance of a filtering system& !n other (ords+ a
filtering system (or'ing fine for fi*e rules may become unacceptably slo( for one hundred
rules&
Another approach in building a pac'et filtering system is through a 2FA
D2eterministic Finite AutomatonE li'e automaton+ (hich can rapidly select the matching?
patterns in a single scan of input F,3G& A typical scenario in fulfilling this approach is to
preprocess all the patterns into a 2FA?li'e automaton+ then scan the pac'et fields in a left to
right manner& !n the paper (ritten by R& & Se'ar+ R& Ramesh+ and !&<& Rama'rishnan F,3G+ a
ne( concept named HAdapti*e %attern MatchingI is proposed& The basic idea is to adapt the
tra*ersal order to suit the input patterns& Simply put+ instead of bro(sing the information
from the input one by one+ (e can impro*e the system performance by s'ipping o*er those
fields that are irrele*ant for matching any pattern& A detailed discussion of this algorithm can
be found in F,3G&
The adapti*e pattern matching is a good fit for the pac'et filtering system& First+ in a
net(or' pac'et+ most of the critical information is stored in the *arious protocol headers+ li'e
!% header+ T% header or :TT% header+ etc& Aithin a protocol header+ (e may only care
5;
about a small part of fields+ e&g& source address in the !% header+ SY" flag in the T% header&
Therefore+ many fields in the protocol headers and almost the entire data portion of a pac'et
are al(ays useless for the pattern matching purpose+ because most 'no(n intrusion patterns
can be disco*ered through chec'ing partial number of fields in a pac'et& So+ by s'ipping
most irrele*ant data and eBamining only a limited number of fields of a pac'et+ (e can gain
significant performance impro*ement o*er traditional pac'et filtering approach&
!n the conteBt of pac'et filtering for net(or' intrusion detection+ an intrusion pattern
is described as a part of a matching rule in our ASC system& A direct obser*ation is more
than one rule can be matched simultaneously& For instance+ a rule Hp.s3addr44%%.yy.22.$$I can
be matched at the same time another rule H.p.s3addr44%%.yy.22.$$/ 99 .p.protocol44I!3ICM!/I is
matched& This is the difference of our filter model from that of 8%F or any other pac'et
filter& !n those filters+ only one *alue is returned by the filter function to indicate (hether the
pac'et should be captured or discarded& 8y contrast+ our filter needs to report all the rules
matched by a pac'et& Therefore+ (e need a data structure to represent either the rules already
matched or the rules to be matched at each parsing stage&
An algorithm for filter automaton construction is sho(n in Figure 9&9&
%rocedure 8uild is recursi*e and the entire automaton can be established by in*o'ing
8uild DrootE+ (here the root is a node (ith an empty matching rule set and a candidate rule
set containing all of the rules specified& !n line 1+ the candidate rule set is eBamined& !f no
potential rule can be matched+ the procedure (ill be terminated& Other(ise+ the construction
process continues from line 5 to line ,9& !n terms of pac'et filtering+ the neBt position to be
inspected refers to an offset in a pac'et& !t is computed by select function+ (hich can be
implemented through different strategies& Ae (ill discuss this function later& Once the offset
has been set up for the current node+ (e need to create a ne( node for each *alue appearing
at that offset and mar' the transition by the *alue& !n addition+ (e construct a branch
representing a *alue other than all the *alues appearing at the offset in any of the patterns in
& !f a rule can be matched after the comparison at this step+ (e can put this rule into the
matched rule set of the ne( node& Other(ise+ (e put it into the candidate rule set of the ne(
node& !f a rule (ith inequality comparison has been matched+ (e need to put that
5.
Procedure +uild )*- 1
6. * is node in utomton 7R eBtra information are attached to each node$ p is the
offset to be inspected+ m is the set of already matched rules and c is the set of
candidate rules R7
C. if )*.c is empty-
D. stop 7R if no candidate rule+ terminate the procedure R7
E. *.p = select)*.c- 7R select the neBt offset to inspect R7
F. crete ll the possible brnches of node * 7R each branch has a edge to it
from *+ (ith corresponding *alue R7
?. for ech rule r in *.c
H. if r hs test rele*nt to *.p
4. if test for e"ulity
J. dd r into mtched rule set if r cn be mtched
fter this test& otherIise dd r into cndidte rule set of the
brnch Iith corresponding *lue
65. if test for ine"ulity
66. dd r into mtched rule set if r cn be mtched
fter this test& otherIise dd r into cndidte rule set of ll
brnches eNcept the brnch Iith corresponding *lue
6C. else 7R all the test in r are irrele*ant to *&p R7
6D. dd r into cndidte rule set of ll brnches
6E. for ech brnch *Q
6F. +uild)*Q- 7R recursi*ely call 8uild for */ R7
8
Figure -- Algorit6m for Automaton Construction
rule into e*ery ne(ly created node+ eBcept the one (ith the equal *alue& Same method
applies to the candidate rule set& !f the offset does not appear in any comparison of a rule+
that rule should be added into the candidate rule set for all the branches& The reason is that
you cannot rule out the possibility that the rule (ill be matched after this comparison&
5-
The easiest (ay to illustrate the algorithm is through an eBample& onsider the
follo(ing matching rules for our ASC pac'et filtering system&
"0: pac+et.p/ - .p.e3type 44 6786"3I!/ 99 .p.protocol D4I!37C!/
99 .p.protocol D4 I!3ED!/ 99 .p.protocol D4 I!3ICM!/
99 .p.protocol D4 I!3I?M!/
"1: pac+et.p/ - .p.e3type 44 6786"3I!/ 99 .p.protocol 44I!3ED!/
99 .p.udp3sport 44 6C8>3!>"7/ 99 .p.udp3dport 44 C8A"?6N3!>"7/
"F: pac+et.p/ - .p.e3type 44 6786"3I!/ 99 .p.protocol 44I!37C!/ 99 .p.tcp3flag 44 GN/
"H: pac+et.p/ - .p.e3type 44 6786"3I!/ 99 .p.protocol 44I!37C!/ 99 .p.tcp3flag 44 ACI/
Ae remo*ed the reaction part from each rule intending to focus only on the condition part+
(hich consists of the pac'et patterns (e need to match& Rule , is the eBact description of !%
)n'no(n %rotocol attac'+ (here all of the necessary type chec'ing related conditions ha*e
been added& A pre*iously mentioned denial of ser*ice intrusion :ARGE" and E:O is
mapped by rule 1& !t is one instance of this intrusion& Other instances can be obtained by
changing the source and destination )2% ports& The third and forth rule consist partly of the
intrusion pattern of SY" flooding+ in (hich+ a SY" pac'et or an A4 pac'et is matched
separately& The corresponding automaton for abo*e rules is constructed by applying the
procedure 8uild as sho(n in Figure 9&>&
As (e mentioned earlier+ se*eral strategies can be employed in implementing the
function elect+ (hich is used to determine the neBt offset in a pac'et to inspect&
S,+1+3+5T
ET:ER0!% p&e0typ
e
S,+1+3+5T
ST
S3+5T
S.T S0T ST
!%0T%
S1T
!%0)2%
!%0!M%
p&protocol
!%0!GM%
ST ST S$T SY"
A4
p&udp0spor
t
p&tcp0fla
g
E:O0%ORT
ST
:ARGE"0%ORT
p&udp0dpo
rt
ST S(T
S,+ (T ??
, U candidate rule+
( U matched rule&
S1T
9=
Figure -4 Sample Automaton for R$=R0
Select an offset such that the number of distinct *alues appearing at the node is
minimi2ed& Aith this criterion+ (e attempt to minimi6e the number of transitions
out of a state&
Select an offset such that the number of distinct *alues appearing at the node is
ma%imi2ed& The moti*ation here is that the candidate sets associated (ith each
transition is li'ely to be smaller&
Select an offset such that the number of rules that in*ol*e a test at this offset is
maBimi6ed&
Select an offset such that the number of duplicated rules after the current
comparison is minimi6ed& This strategy (ill reduce the possible redundant
comparisons performed in future&
!n the sample automaton+ (e adopt the third strategy+ (hich tries to in*ol*e as many as
possible rules in one offset chec'ing& :o(e*er+ this can be easily changed for an indi*idual
problem&
-- Rule #reprocessing
Some preprocessing needs to be done for an ASC rule+ before it can be used in
automaton constructing&
8.8.1 ,ule Deco#position
8efore any t(o rules can be processed into a single automaton+ (e need to filter out
each indi*idual comparison eBpression& Other(ise+ (e are not able to find the pac'et offset
chec'ed by more than one rule+ or e*en among different comparison eBpressions (ithin the
same rule& Ta'e the follo(ing t(o rules as an eBample$
"0: pac+et.p/ - .p.protocol 44I!37C!/ 99 .p.tcp3flag 44 GN/
"1: pac+et.p/ - .p.protocol 44I!37C!/ 99 .p.tcp3flag 44 ACI/
9,
E*ery pac'et offset eBamined in R, also appears in R1& And+ the con#unction among the
comparison eBpressions are all HMMI& So+ (e can decompose the conditions of R, and R1
into four sub?rules$
"00: .p.protocol 44I!37C!/ "01: .p.tcp3flag 44 GN/
"10: .p.protocol 44I!37C!/ "11: .p.tcp3flag 44 ACI/
!t is tri*ial to pro*e that R, can be satisfied if and only if both R,, and R,1 are satisfied&
Things (ill become a little bit complicated+ if the con#unction HPPI is used in the rule&
"e*ertheless+ (e can a*oid using HPPI in a rule condition by mo*ing HPPI out of a rule and
ma'ing a single rule become multiple rules at the highest le*el& So+ (ithin a single rule+ all
the comparison eBpression are connected by HMMI&
The follo(ing simple recursi*e algorithm can be employed to turn a single rule into
multiple sub?rules&
Procedure !ctor)c- 1
6. c is the condition inside rule to be fctored 7R in reality+ a rule is al(ays
represented by an eBpression tree R7
C. if )c is in the form of Rc6 MM cCS- 1
D. !ctor)c6-( 7R recursi*ely call Factor for c, R7
E. !ctor)cC-( 7R recursi*ely call Factor for c1 R7
F. 8 else if )c is in the form of ReNpr6 opertor eNprCS- 1 7R operator can be
VNN/+ VQN/+ etc& R7
?. crete neI subLrule for the rule being fctored
H. 8
8
8.8.2 Constraint Stac4 Construction
After the decomposition step is finished+ a rule becomes a collection of comparison
eBpressions& For eBpressions in*ol*ing a pac'et *ariable+ (e need to ta'e care of constraint
chec'ing for each field access&
As (e mentioned earlier in this chapter+ (hen a field access (ithin a pac'et is
accessed+ (e need to chec' the type of the *ariable+ such as an ether_hdr or an ip_hdr&
91
This can be done through recursi*e name loo'up in all child structures of the base structure
ether_hdr+ as long as each filed name is unique throughout the pac'et structure hierarchy&
After type chec'ing+ (e are able to locate the parent structure of the *ariable and e*en its
parent/s parent structure through the inheritance relationship among the pac'et structures&
Follo(ing the parent lin's+ (e can easily collect all the constraints for the *ariable and then
build them into a corresponding constraint stac'&
An algorithm in pseudo code is used to sho( the procedure for constraint stac'
construction&
Procedure Cons+uild)p& f- 1
6. p is pcGet *rible Iith correct type informtion( f is field
Iithin p
C. s = structof)p-( 7R structofDpE returns the corresponding structure type for p R7
D. for ech field fQ of s tht ppers before f 7R iterate in re*erse order R7
E. if fQ hs constrint
F. push the constrint into the stcG 7R add constraint for the
field in the same structure R7
?. if s hs constrint
H. push the constrint into the stcG 7R add constraint for the (hole
structure R7
4. pQ = prentof)p- 7R parentofDpE returns the parent structure type for pL if p is the
base structure+ returns null R7
J. fQ = lstfieldof)pQ- 7R lastfieldofDpE returns the last field inside a structure p R7
65. if )pQ ;= null-
66. Cons+uild)pQ.fQ-( 7R recursi*ely call ons8uild for p/f/ R7
8
Applying this algorithm to the eBpression Hp.tcp3flag 44 GNI+ (e can obtain the
constraint stac' sho(n as follo(s DFigure 9&;E&
p.e_type == ETHER_IP
p.protocol == IP_TCP
93
Figure -1 Sample Constraint Stack for Bp.tcp9fla -- S'"C
-4 Automaton Construction
)p to this point+ all the pac'et?matching rules ha*e been con*erted into lists of
eBpression stac's (ith necessary constraints inside the stac'& "eBt step is to build the
automaton (ith the algorithm (e de*eloped at the Section 9&5&
8.:.1 ;ffset Selection
!n the process of automaton construction+ choosing the right *ariable or offset of a
pac'et *ariable to be tested at a comparison step is crucial in reducing the automaton si6e or
matching time for a pac'et pattern& The function elect is created for this purpose& !n the
implementation of ASC?%FM+ (e support all the heuristics mentioned in Section 9&5&
One heuristic (e al(ays use is to minimi6e the number of duplicated rules after a
comparison+ (hile preferring fields that lead to creation of small number of branches& The
obser*ation of this heuristic is that it can significantly reduce the si6e of the created
automaton& A rule (ill be duplicated into all the branches after a comparison node+ if the
*ariable or offset that is chec'ed in the comparison node is irrele*ant to the rule& Ae then
define the duplicate indeB of a *ariable as the product of the number of rules not in*ol*ed in
eBamining it and the number of branches of the *ariable& For instance+ (e ha*e 9 rules in
total+ (hile 3 of (hich do not chec' the *ariable % and the left 1 rules ha*e the eBpression
%440 and %441 separately& Then (e can calculate the duplicate indeB of B as$
,I)N- = D @ D = J
!n the elect function+ (e compute the duplicate indeB for each *ariable and choose the
*ariable (ith the minimal *alue& !n case t(o *ariables ha*e the same duplicate indeB+ (e
(ill select the one (ith less number of branches& See the follo(ing three rules D(e ha*e
omitted the reaction partE$
"0: .% 44 0/ 99 .y 44 0/
p.tcp_la! == "#$
95
"1: .% 44 1/ 99 .y 44 0/
"F: .% 44 F/ 99 .y 44 0/
8oth *ariable % and y ha*e the same duplicate indeB =& Ae can build the automaton in either
(ay sho(n in Figure 9&.& :o(e*er+ it is ob*ious that choosing *ariable y first can reduce the
si6e of target automaton&
C6oose y first; t6en A
Figure -@ Sample Automaton
Most operations to a net(or' pac'et are equality and inequality comparisons+ (hich
can be handled *ery (ell by the elect function& For the comparisons li'e W+ WN+ X+ or XN+ (e
can consider the (hole eBpression as a single boolean *ariable (ith t(o branches , and =+
representing true and false separately& Then (e can apply the elect function in the same
(ay as to the *ariable (ith equality and inequality comparisons& :o(e*er+ there is another
'ind of operation (ith a pac'et *ariable+ bit?(ise operation+ especially bit?and& A typical
situation happens (hen (e (ant to eBamine the net(or' address of a pac'et+ li'e in
p.d_ddrM5N!!!!!!55 == 5N?FEDC655& !n the eBpression+ the heBadecimal *alue
5N!!!!!!55 is the net(or' mas' for an !% address+ assuming (e are in a class net(or'&
y y
,
3 1
y
B
,
, , ,
y
B
, y
,
3 , 3
1 1
B
C6oose A first; t6en y
99
The bit?and operation brings some difficulty (hen (e apply the elect function& Suppose (e
ha*e follo(ing t(o rules$ one has an eBpression p.s_ddr == 5N4H?FEDC6+ (hile the other
one includes an eBpression p.s_ddrM5N!!!!!!55 == 5N4H?FED55&
A solution for this problem is to further decompose the eBpressions& !n the abo*e
case+ (e can con*ert the eBpression p.s_ddr == 5N4H?FEDC6 into t(o sub?eBpressions as
follo(s$
Dp.s_ddrMoN!!!!!!55==5N4H?FED55-MM)p.s_ddrM5N555555!!==5N555555C6-
After doing this+ (e can apply the elect function again and obtain the common offset
s_ddrMoN!!!!!!55&
8.:.2 Su$5Auto#aton Sharin
)nder certain circumstance+ some redundancy may eBist among different sub?
automata in a large automaton& onsider the follo(ing automaton built for the t(o simple
rules listed belo( DFigure 9&-E$
"0: pac+et.p/ - p.icmp3type 44 6C8>3"6J
"1: pac+et.p/ - p.s3addr 44 K%)LMNHF10
Figure -E 'noptimi8ed Automaton
S,+1T
S$T
S(T
S1T
S,+1T
S,+1T ST
S$+(T ST S(T
ET:ER0!%
p&e0typ
e
!%0!M%
E:O0REY
=B.;>9531,
S$+1T
p&s0add
r
S1T
=B.;>9531,
p&icmp0typ
e
p&protoco
l
p&s0add
r
p&s0add
r
ST
=B.;>9531,
! !!
!!!
9>
You may ha*e noticed that the same automaton after the testing for field s_ddr
occurred at different place of the automaton& !n a larger automaton+ this duplication may be
e*en (orse& The reason is that the Cuild procedure is eBecuted at different node recursi*ely&
Each run is independent and is not a(are that the same automaton has been established
some(here else&
One (ay to sol*e this problem is that (hene*er a procedure needs to create a ne(
node+ let it first loo's up all the eBisting nodes in order to a*oid duplicate& :o(e*er+ this
loo'up is not tri*ial& The comparison of the same offset of a pac'et *ariable is not strong
enough in deciding (hether t(o nodes are identical& As sho(n in the Figure 5&-+ although
the node ! has the same offset compared as that of node !! and !!!+ it cannot be substituted by
either node !! or !!!+ for it has different matching rule set and candidate rule set& A sufficient
condition for t(o nodes to be equi*alent is both of them ha*e the same comparing *ariables+
matching rule sets and candidate rule sets& !n addition+ for a rule in both nodes/ candidate
sets+ it must ha*e the same tests remaining for each rule& All of these ma'e the eBact input
for our Cuild procedure and elect function& Therefore+ the same input guarantees the node
to be created (ill be same as (ell& An optimi6ed *ersion of automaton is sho(n as follo(s
DFigure 9&,=E&
Figure -$F Optimi8ed Automaton
S,+1T
S$T S(T
S1T
S,+1T
S,+1T ST
S$+(T
ET:ER0!%
p&e0typ
e
!%0!M%
E:O0REY
=B.;>9531,
S$+1T
p&s0add
r
p&icmp0typ
e
p&protoco
l
p&s0add
r
ST
=B.;>9531,
9;
-1 Code /eneration
The ultimate result from our ASC?%FM is an eBecutable code snippet+ (hich can be
used in de*eloping the runtime pac'et filter&
Ahat a pac'et filter does is almost the same as an automaton chec' through an input
stream& A portion of a pac'et (ill be compared (ith some *alue at a node and the automaton
(ill then mo*e to the branch (ith matched *alue label& Ahen a left node is reached+ no
further comparison (ill be made& !nstead+ the reaction specified in the rule definition (ill be
triggered for all matched rules& The code generated by ASC?%FM should eBactly reproduce
this process& Ta'e the follo(ing t(o rules as an eBample+ (e (ill see (hat the generated
code loo's li'e&
EBample rules$
"0: pac+et.p/ - .p.e3type44K%)KK/ 99 .p.protocol40/ 99 .p.icmp3type44)/
message.#ICM! 6C8> "e&uest'/5
"1: pac+et.p/ - .p.e3type44K%)KK/ 99 .p.protocol40/ 99 .p.icmp3type44K/
message.#ICM! 6C8> "eply'/5
EBample ode generated by ASC?%FM$
*oid smple_code)const u_chr @p- 1
if ))@))unsigned short @-)p76C--- == 4- 1
if ))@))unsigned chr @-)p7CD--- == 6- 1
if ))@))unsigned chr @-)p7DE--- == 4- 1
messge)%ICTP ECAO Re"uest%-(
8
else if ))@))unsigned chr @-)p7DE--- == 5- 1
messge)%ICTP ECAO Reply%-(
8
else 1
8
8
else 1
8
8
else 1
8
9.
8
There are a number of issues need to be mentioned around code generation& First of
all+ an incoming pac'et is treated as a byte stream& This is a natural design and can be easily
implemented through *arious pac'et capture facilities& The type information of a pac'et field
is enforced through proper pointer casting as sho(n in the sample code& One thing needs to
be ta'en into consideration for a pac'et field larger than . bits is byte order& "ormally+ (e
need to con*ert the filed in a pac'et from net(or' order into host order before it can be
compared (ith any *alue specified in the rule definition& :o(e*er+ in order to sa*e the
precious time at runtime+ (e should ma'e the re*erse con*ersion on the predefined *alues&
!n other (ords+ (e can change those *alues from host order into net(or' order at compile
time&
An important issue that may affect the runtime performance of the future pac'et filter
is the (ay (e handle the comparison and do the branching& !n the abo*e sample code+ (e
simply used if?else statement pro*ided in & !t may (or' fine for the *ariable+ (hich has the
number of branches less than 3& !n case there are a large number of branches for a *ariable+
this scheme may greatly degrade the efficiency for a runtime pac'et filter& An alternati*e is
binary search+ in (hich the branches of a *ariable need to be sorted before code generation&
!n our implementation+ (e adopt binary search for each node (ith the number of branches
more than 3& At runtime+ this 'ind of node can be processed in log1
"
time+ (here " is the
number of branches& A further impro*ement can be achie*ed by using #ump?table or hash?
table if the number of branches become *ery large&
-@ &ata /eneration
Static pac'et data can be *ery helpful in the design phase for a real?time pac'et?
filtering system& !t can be used in testing and performance analysis& An ideal data source
should meet the follo(ing requirements&
Interpretable by other systems& !f the generated data can be fed into other pac'et?
filtering system+ li'e tcpdump+ (e can then easily compare our implementation
(ith others&
9-
6asy to specify& On one hand+ a user is able to setup e*ery field inside a pac'et&
On the other hand+ data integrity must be guaranteed+ i&e& there should be no
conflict among dependent fields and all of the required fields must be filled in
ad*ance automatically& For instance+ (hene*er a )2% pac'et is specified+ the
e_type field of ether_hdr must be set to ETAER_IP as default&
Controllable distribution& Ahen a large amount of data needs to be produced+ (e
may (ant a statistically controlled distribution of *arious pac'et 'inds+ li'e 91Z
T% pac'ets+ 13Z)2% pac'ets+ as (ell as 19Z !M% and !GM% pac'ets&
The first requirement can be easily achie*ed (ith the help of libpcp& After some
modification of libpcp A%!+ (e are able to produce pac'et data file (ith the compatible
format as the file used by tcpdump&
!n terms of field dependence and type chec'ing+ the constraint stac' concept in our
ASC language design and pointer type casting in the code generation can be a potential
solution& As (e ha*e described in hapter 3+ (hene*er an automaton is constructed+ all the
required fields are chec'ed before a pac'et field is accessed& Therefore+ (e propose to
con*ert each reading operation on a pac'et field into (riting a certain *alue on a pseudo
pac'et+ for the purpose of data generation&
8efore *arious pac'ets can be generated+ a user should ha*e a con*enient (ay in
specifying the distribution percentage for each pac'et 'ind& Ae then eBtend our ASC
language specification intending to pro*ide a (eight field for each rule& Follo(ing are some
eBamples$
"0: .% 44 0/ O (K.H*
"1: .% 44 1/ O (K.M*
"F: .y 44 0/ O (K.1*
"H: .y 44 1/ O (K.)*
8ecause (e are focusing on the data generation+ both pattern and reaction part ha*e been
omitted from rule definition& The number at the end of each rule is the (eight field+ (hich is
the eBpected percentage for this pattern in the final data generation& There is a little
difference (hen a rule is specified for the purpose of pac'et generation+ i&e& all the fields
>=
occurring in the rule must be eBplicitly specified& !t means if you ha*e a rule
p.s_ddr==p.d_ddr+ you ha*e to change it to )p.s_ddr==5N4H?FEDC6- MM
)p.d_ddr==5N4H?FEDC6-& The reason for doing that is to facilitate the pac'et generation&
!n order to achie*e the distribution specified in the rule definition+ (e need to build
the (eight into the nodes of the automaton and apply it (hen the code is generated& The (ay
(e calculate the (eight is as follo(s$
,or a left node$ the (eight is computed by multiplying all the (eight specified by
the matched rules& This is simply based on the obser*ation that the possibility of
matching t(o rules is the product of the possibility of matching each single rule&
,or an internal node$ the (eight is the sum of all the (eight of its child nodes&
Figure 9&,, sho(s the (eighted automaton built for the pre*ious eBample rules&
Figure -$$ *eig6ted Automaton
B
y
,
, 1 , 1
1
,&= N =&5O=&>
6
=&5N=&=.R=&31 =&>N=&,1O=&5.
=&5.N=&>R=&. =&,1N=&>R=&1 =&31N=&5R=&. =&=.N=&5R=&1
>,
C"A#TER 4 E5#ER%3ENTAL RES'LTS AN& CONCL'S%ON
!n this thesis+ (e presented a con*enient+ eBpressi*e and safe language for describing
intrusion patterns and reactions& The primary contribution of this language to a pac'et filter
construction is independence from the communication protocol and type safety in pac'et
manipulation operations& Ae de*eloped an algorithm and implementation for pac'et filtering
that is based on adapti*e pattern matching technique+ (hich is important for impro*ing the
pac'et filter performance and scalability&
4$ %ntrusion &etection 'sing ASL
At the end of chapter 5+ (e once listed some sample intrusion patterns (ritten in
ASC& !n the real system+ (e eBtended those eBamples and created a number of ne( patterns
for the attac's such as Smurf+ Cand+ and so on& More eBamples can be found in AppendiB 8&
@P murf .Intermediate ite/ P@
pac+et.p/ - .p.icmp3type 44 ICM!36C8>37G!63"6JE67/
99 .p.d3addr 44 B>CAB3C">ADCA73ADD"/
message.#murf'/5
@P Band Attac+ P@
pac+et.p/ - .p.s3addr 44 p.d3addr/
message.#Band attac+'/5
Our pac'et filter can fetch a pac'et either from a tcpdump file or directly from real
net(or' traffic& Ae also performed testing on some data files generated by our ASC0%FM
itself& This greatly facilitates our testing (or'+ for some attac's are not easy to be simulated
through attac'ing program or by capturing real net(or' traffic& The final result sho(s that
our pac'et filter can efficiently detect DpotentialE net(or' intrusions&
>1
4( #reliminary #erformance Testing
%erformance is a 'ey criterion in e*aluating a real?time net(or' pac'et filter& !n this
section+ (e did some preliminary performance study through a simple utility program+ (hich
is used to collect the number of pac'ets arri*ed for each net(or' ser*ice& Ae compared our
runtime pac'et filter and 8%F pac'et filter for this eBample&
:.2.1 S,<STAT& Ser/ice Statistics
4no(ing the number of pac'ets arri*ed for each net(or' ser*ice+ e&g& TEC"ET+
SMT%+ or :TT%+ can be helpful for the net(or' management purpose+ li'e chec'ing the
traffic load for each machine in the net(or'& !n addition+ it may also useful in detecting
some malicious net(or' beha*iors& For eBample+ if a large number of connection?request
pac'ets are detected at login ser*ice port in a short period of time+ it is possible that some
hac'er is trying to brea' into your system through pass(ord guessing& Follo(ing are some
code snippets in the ASC rule definition for SR<STAT$
pac+et.p/ - -; p+t3total ::5
pac+et.p/ - .p.icmp3type 44 ICM!36C8>37G!63"6JE67/
-; icmp3echo3re&uest ::5
pac+et.p/ - .p.tcp3dport 44 !>"73877!/
-; tcp3http ::5
pac+et.p/ - .p.udp3dport 44 !>"73N,/
-; udp3nfs ::5
O
The idea is straightfor(ard& Ahene*er a pac'et to(ards a ser*ice is captured+ a
corresponding counter for that ser*ice (ill be incremented& !n addition+ a counter for all the
recei*ed pac'ets (ill be incremented as (ell+ no matter the incoming pac'et is an !M%
request or a message to the "FS ser*er& )sually+ pac'et filtering is ser*ice specific& This
means a pac'et filter can be used to collect ho( many login attempts ha*e been recei*ed
from host foo or ho( many times the finger ser*ice is required& !n SR<STAT+ (e #ust count
the number of pac'ets recei*ed by each ser*ice&
An obser*ation from this utility program is that there may be a large number of
patterns for a pac'et filter+ (hile the number of pac'et fields co*ered by these patterns are
>3
quite small& For instance+ SR<STAT can ha*e o*er one hundred patterns specified if (e
(ant to monitor all of normal )"!@ net(or' ser*ices& :o(e*er+ these patterns may only
access a small number of fields in a pac'et+ such as tcp_dport and udp_dport& !n this case+
the processing time of our pac'et filter (ill not change too much+ because it largely
dependent on the number of pac'et fields accessed instead of the number of pac'et patterns&
:.2.2 Perfor#ance Co#parison& AS6 /s. 7P0
Ae also performed some preliminary performance testing on our ASC pac'et filter
and 8%F pac'et filter& Our focus in this thesis is mainly on the filter model+ especially (hen
the number of pac'et patterns becomes relati*ely large& Therefore+ (e do not consider the
issues+ li'e 'ernel buffering or 'ernel filtering+ (hich are implementation techniques that can
be applied to all filter models&
!n our test for the filter performance+ (e compared our runtime ASC filter (ith 8%F
under the conditions+ (here different numbers of patterns are specified for a filter& To
eliminate the random factors introduced by the li*e net(or' traffic+ (e used static tcpdump
files as the data source for both filters&
First+ (e tested our ASC filter (ith different branching mechanism used& Figure >&,
sho(s that the processing time for our filter+ (hen sequential comparison is used increases
significantly as more patterns are specified for the filter& This is to be eBpected as the number
of comparison operations introduced by sequential comparison increases linearly (ith the
number of patterns& 8inary search can impro*e the filter performance& An efficient hashing
function can impro*e the filter performance e*en more (hen the number of branches are
moderate D5 or moreE&
!n the neBt test+ (e run both of our ASC filter and 8%F o*er the same set of pac'ets&
Figure >&1 displays the final results& !n terms of absolute performance+ 8%F is mush slo(er+
partly because the 8%F filter eBecutes interpreter code *ersus the compiled code in our
approach& !n addition+ (e found that the processing time for our ASC filter does not change
too much as the number of patterns increased&
>5
Figure 4$ Branc6ing 3ec6anism Comparison for ASL Filter
Figure 4( #erformance Comparison
4. Conclusion
The methods used by net(or' intrusions can be different from one to another&
:o(e*er+ the nature of most net(or' intrusions is based on HmaliciousI net(or' traffic+
ASL vs. BPF
0
0.5
1
1.5
2
2.5
3
3.5
4
1 4 8 16 32
Number of Patterns
P
r
o
c
e
s
s
i
n
g
T
i
m
e
f
o
r
1
P
a
c
k
e
t
(
M
i
c
r
o
s
e
c
o
n
d
)
BPF
ASL
Brancing Mecanism !om"arison
0.000
0.200
0.400
0.600
0.800
1.000
1.200
1 4 8 16 32
Number of Patterns
P
r
o
c
e
s
s
i
n
g
T
i
m
e
f
o
r
1
P
a
c
k
e
t
(
M
i
c
r
o
s
e
c
o
n
d
)
Sequential
Comparison
Binary Sear!
"as!in# $a%le
>9
(hich either has in*alid *alue inside a field of a pac'et+ or features incorrect combination or
sequence of pac'et segments& Aith this obser*ation+ (e can use pac'et?filtering technique in
building net(or' intrusion detection systems&
:o(e*er+ pac'et filter faces ne( challenges for the intrusion detection purpose+ li'e
high?*olume data+ no pac'et dropping+ and requirement for system fleBibility and scalability&
!n this thesis+ (e borro(ed some idea from the adapti*e pattern matching technique and
applied it to our pac'et?filtering module for a large?scale intrusion detection frame(or'&
One of the 'ey components in our approach is a specification language ASC+ (hich is
used to describe the patterns for the pac'ets to be captured& ASC pro*ides a number of
features in facilitating pattern (riting and filter construction+ such as pac'et structure
description and automatic pac'et type chec'ing&
8uilding an efficient filter is crucial to the o*erall system performance& Ae presented
an elegant algorithm in filter construction& The main concern is ho( to select a *ariable or an
offset inside a pac'et to be inspected at a node of a filter automaton& The primary goal is to
minimi6e pattern matching time and the si6e of the automaton&
ASC?%FM pro*ides a no*el and elegant (ay in pac'et filter design and
implementation for net(or' intrusion detection systems& :o(e*er+ there are still many
topics need to be in*estigated in the field of pac'et filtering and net(or' intrusion detection+
such as in 'ernel integration of pac'et filtering module&
>>
A##EN&%5 A #AC,ET &ATA STR'CT'RES FOR ASL
Ethernet Aeder/
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
<define ETAER_9EB ?
struct ether_hdr
1
byte e_dst$ETAER_9EB'(
byte e_src$ETAER_9EB'(
short e_type(
8
ARP/
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
<define ETAER_IP 5N5455
<define ETAER_ARP 5N545?
struct rp_hdr / struct ether_hdr Iith e_type == ETAER_ARP
1
short r_hrd( =@ !ormt of hrdIre ddress @=
short r_pro( =@ !ormt of protocol ddress @=
byte r_hln( =@ 9ength of hrdIre ddress @=
byte r_pln( =@ 9ength of protocol ddress @=
short r_op( =@ ARP opcode )commnd-. @=
8
=@ ARP protocol AAR,>ARE identifiers @=
<define ARPAR,_ETAER 6 =@ Ethernet 65Tbps @=
=@ ARP protocol PROTOCO9 identifiers @=
<define ARPPRO_IP 5N5455 =@ IP @=
=@ ARP protocol opcodes @=
<define ARPOP_REUOEST 6 =@ ARP re"uest @=
<define ARPOP_REP9V C =@ ARP reply @=
<define ARPOP_RREUOEST D =@ RARP re"uest @=
<define ARPOP_RREP9V E =@ RARP reply @=
struct ether_ip_rp / struct rp_hdr Iith
)r_hrd == ARPAR,_ETAER- MM )r_pro == ARPPRO_IP-
1
byte rp_sh$ETAER_9EB'(=@ sender hrdIre ddress @=
int rp_sp( =@ sender protocol ddress @=
byte rp_th$ETAER_9EB'(=@ trget hrdIre ddress @=
int rp_tp( =@ trget protocol ddress @=
8
IP/
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
struct ip_hdr / struct ether_hdr Iith e_type == ETAER_IP MM ihl == F
1
bit *ersion$E'( =@ ip *ersion @=
>;
bit ihl$E'( =@ heder length @=
byte tos( =@ type of ser*ice @=
short tot_len( =@ totl length @=
short id( =@ identifiction @=
bit flg$D'( =@ flgs @=
bit frg_off$6D'( =@ frgment offset @=
byte ttl( =@ time to li*e @=
byte protocol( =@ protocol @=
short checG_sum( =@ heder checGsum @=
ip_ddr s_ddr( =@ source ip ddress @=
ip_ddr d_ddr( =@ destintion ddress @=
8
struct ip_pGt / struct ip_hdr
1
byte ip_dt$tot_len L ihl'(
8
ICTP/
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
=@ IP protocol PROTOCO9 identifiers. @=
<define IP_ICTP 5N5556 =@ ICTP @=
<define IP_IWTP 5N555C =@ IWTP @=
<define IP_TCP 5N555? =@ TCP @=
<define IP_O,P 5N5566 =@ O,P @=
struct icmp_hdr / struct ip_hdr Iith protocol == IP_ICTP
1
byte icmp_type( =@ icmp messge type @=
byte icmp_code( =@ icmp messge code @=
short icmp_csum( =@ checGsum for entire messge @=
8
struct icmp_pGt / struct icmp_hdr
1
byte icmp_dt$tot_len L ihl L siPeof)icmp_hdr-'(
8
<define ICTP_ECAO_TVPE_REUOEST 4
<define ICTP_ECAO_TVPE_REP9V 5
<define ICTP_ECAO_CO,E 5
struct icmp_echo_re"uest / struct icmp_hdr Iith
)icmp_type == ICTP_ECAO_TVPE_REUOEST-
MM )icmp_code == ICTP_ECAO_CO,E-
1
byte icmp_echoid( =@ identifier @=
byte icmp_echose"( =@ se"uence number @=
byte icmp_echodt$tot_len L ihl L siPeof)icmp_hdr- L C'(
8
struct icmp_echo_reply / struct icmp_hdr Iith
)icmp_type == ICTP_ECAO_TVPE_REP9V- MM )icm_code == ICTP_ECAO_CO,E-
1
>.
byte icmp_echoid( =@ identifier @=
byte icmp_echose"( =@ se"uence number @=
byte icmp_echodt$tot_len L ihl L siPeof)icmp_hdr- L C'(
8
<define ICTP_,ESOBREA_TVPE D
struct icmp_unrech / struct icmp_hdr Iith
icmp_type == ICTP_,ESOBREA_TVPE
1
short icmp_reser*ed(
ip_hdr icmp_iphdr(
byte icmp_dt$4'(
8
<define ICTP_SRCUOEB_TVPE E
<define ICTP_SRCUOEB_CO,E 5
struct icmp_s"uench / struct icmp_hdr Iith
icmp_type == ICTP_SRCUOEB_TVPE
1
short icmp_reser*ed(
ip_hdr icmp_iphdr(
byte icmp_dt$4'(
8
O,P/
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
struct udp_hdr / struct ip_hdr Iith protocol == IP_O,P
1
byte udp_sport( =@ source port number @=
byte udp_dport( =@ destintion port number @=
byte udp_len( =@ heder 7 dt length @=
byte udp_csum( =@ checGsum for heder M dt @=
8
struct udp_pGt / struct udp_hdr
1
byte udp_dt$udp_len L siPeof)udp_hdr-'(=@ dt @=
8
TCP/
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
struct tcp_hdr / struct ip_hdr Iith protocol == IP_TCP
1
short tcp_sport( =@ source port number @=
short tcp_dport( =@ destintion port number @=
int tcp_se"( =@ se"uence number @=
int tcp_cG( =@ cGnoIledge number @=
bit tcp_hlen$E'( =@ heder length @=
bit tcp_reser*ed$?'( =@ reser*ed @=
bit tcp_urg( =@ flgs @=
bit tcp_cG(
bit tcp_psh(
bit tcp_rst(
>-
bit tcp_syn(
bit tcp_fin(
short tcp_Iin( =@ IindoI siPe @=
short tcp_csum( =@ checGsum for heder M dt @=
short tcp_urp( =@ urgent pointer @=
8
struct tcp_pGt / struct tcp_hdr
1
byte tcp_dt$tot_len L ihl L tcphlen'(
8
,BS/
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
<define ,BS_PORT FD
struct dns_hdr / struct udp_hdr Iith
)udp_sport == ,BS_PORT- XX )udp_dport == ,BS_PORT-
=@ either to dns port or from dns port @=
1
short dns_id( =@ identifier @=
short dns_flgs( =@ flgs @=
short dns_n"ues( =@ Bo. of "uestions @=
short dns_nns( =@ Bo. of nsIers RR @=
short dns_nuth( =@ Bo. of uthority RRs @=
short dns_ndd( =@ Bo. of dditionl RRs @=
8
struct dns_"ues
1
string dns_"nme( =@ "uery nme @=
short dns_"type( =@ "uery type @=
short dns_"clss( =@ "uery clss @=
8
struct dns_rr_hdr
1
string dnme( =@ domin nme @=
short type( =@ RR type @=
short clss( =@ RR clss @=
int ttl( =@ time to li*e @=
8
<define ,BS_UOERV_A 6
struct dns_rr_A / struct dns_rr_hdr rrhdr Iith rrhdr.type == ,BS_UOERV_A
1
short rdlen( =@ resource dt length @=
ip_ddr rdt$rdlen'(
8
struct dns_pGt_A / struct dns_hdr dnshdr
1
struct dns_"ues d"ues$n"ues'( =@ dns "uestions @=
struct dns_rr_A dns$nns'( =@ dns nsIer RRs @=
;=
struct dns_rr_A duth$nuth'( =@ dns uthority RRs @=
struct dns_rr_A ddd$ndd'( =@ dns dditionl RRs @=
8
RIP/
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
<define RIP_PORT FC5
struct rip_hdr / struct udp_hdr Iith
)udp_sport == RIP_PORT- XX )udp_dport == RIP_PORT-
=@ either to rip port or from rip port @=
1
byte rip_commnd( =@ rip commnd @=
byte rip_*ersion( =@ rip *ersion @=
short rip_Pero( =@ must be Pero @=
8
struct rip_rec
1
short rip_fid( =@ ddress fmily identifier @=
short rip_Pero( =@ must be Pero @=
int rip_ipddr( =@ ip ddress @=
int rip_Pero$C'( =@ must be Pero @=
int rip_metric( =@ metric @=
8
strcut rip_pGt / struct rip_hdr
1
rip_rec riprec$)udp_len L siPeof)struct rip_hdr--
= siPeof)struct rip_rec-'(
8
;,
A##EN&%5 B %NTR'S%ON #ATTERN SA3#LES
,& !% )n'no(n %rotocol
Todule IPOnGnoInProtocol)- 1
pcGet)p-X)p.protocol ;= IP_TCP- MM )p.protocol ;= IP_O,P-
MM )p.protocol ;= IP_ICTP- MM )p.protocol ;= IP_IWTP-
messge)RIP OnGnoIn ProtocolS-(
8
1& %ing of 2eath
Todule Pingof,eth)- 1
pcGet)p-X)p.tot_len 7 p.frg_off 3 TAY_IP_SIZE-
messge)RPing of ,ethS-(
8
3& hargen+ Echo+ Time+ 2aytime
Todule CET,)sPort& dPort- 1
pcGet)p-X)p.udp_sport == sPort- MM )p.udp_dport == dPort-
messge)RCET, AttcGS-(
8
5& Finger 8uffer O*erflo(
<define !IBWER,_PORT HJ
Todule !ingerO*erfloI)- 1
pcGet)p-X)p.tcp_dport == !IBWER,_PORT-
MM )p.tot_len [ p.ihl [ p.tcp_hlen- 3 TAY_!IBWER_9EB-
messge)R!inger +uffer O*erfloIS-(
8
9& CA"2 Attac'
Todule 9AB,)- 1
pcGet)p-X)p.s_ddr == p.d_ddr- messge)R9AB, AttcGS-(
8
;1
>& Smurf D!ntermediate SiteE
Todule Smurf)- 1
pcGet)p-X)p.icmp_type == ICTP_ECAO_TVPE_REUOEST-
MM )p.d_ddr == 9OCA9_BET_+ROA,CAST_A,,R-
messge)RSmurf AttcGS-(
8
;& !% Spoofing
=@ for eNternl interfce @=
Todule IPSENternl)- 1
pcGet)p-X)p.s_ddrMIBSI,E_BET_TASK == IBSI,E_BET_A,,R-
messge)RIPS ENternlS-(
8
=@ for internl interfce @=
Todule IPSInternl)- 1
pcGet)p-X)p.s_ddrMIBSI,E_BET_TASK ;= IBSI,E_BET_A,,R-
messge)RIPS InternlS-(
8
.& SY" Flooding
Todule SVB!looding)- 1
pcGet)p-X)p.tcp_flg == SVB-
nSyn = nSyn 7 6(
e*ery predefined inter*l& checG
if )nSyn 3 SVB_TARESAO9,-
messge)RSVB !loodingS-(
else
nSyn = 5(
pcGet)p-X)p.tcp_flg == ACK-
if )nSyn 3 5-
nSyn = nSyn [ 6(
8
;3
-& %ing Flooding
Todule Ping!looding)- 1
pcGet)p-X)p.icmp_type == ICTP_ECAO_TVPE_REUOEST-
nPing = nPing 7 6(
e*ery predefined inter*l& checG
if )nPing 3 PIBW_TARESAO9,-
messge)RPing !loodingS-(
else
nPing = 5(
8
,=& R!% Trace
<define D
Todule RIPTrce)- 1
pcGet)p-X)p.rip_commnd == RIP_TRACE_COTTAB,-
messge)RRIP Trce Commnd OnS-(
8
;5
REFERENCES
F,G Carry J& :ughes+ Jr& Actually )seful !nternet Security Techniques+ "e( Riders
%ublishing+ !ndianapolis+ !"+ ,--9&
F1G R& :eady+ G& Cuger+ A& Maccabe+ and 8& Mu'her#ee& A Method To 2etect !ntrusi*e
Acti*ity in a "et(or'ed En*ironment& !n !roceedings of the 0H
th
National Computer
ecurity Conference+ pages 3>1?3;,+ October ,--,&
F3G Abdela6i6 Monn#i& Canguages and Tools for Rule?8ased 2istributed !ntrusion
2etection+ %h2 thesis+ Facultes )ni*ersitaires+ "otre?2ame de la %aiB+ 8elgium+
September ,--;&
F5G A& R& Ste*ens& T%7!% !llustrated <ol& , U The %rotocols+ Addison?Aesley %ublishing
ompany+ !nc& Reading+ MA+ ,--5&
F9G S& M& 8ello*in& Security %roblems in the T%7!% %rotocol Suite, Computer
Communications "evie$+ <ol& ,-+ "o& 1+ pp& 31?5.+ April ,-.-&
F>G Morris R& A Aea'ness in the 5&1 8S2 )"!@ T%7!% Soft(are, Computer cience
7echnical "eport No 00L+ ATMT 8ell Caboratories+ Murray :ill+ "J+ ,-.9&
F;G ERT& T% SY" Flooding and !% Spoofing Attac's+ arnegie Mellon )ni*ersity+
%ittsburgh+ %A+ September ,-->&
F.G & obb and S& obb& 2enial of Ser*ice+ ecure Computing+ pp&9.?>=+ July ,--;&
F-G & C& Schuba+ !&<& 4rsul+ Ma'us G& 4uhn+ E&:& Spafford+ A& Sundaram+ 2& [amboni&
Analysis of a 2enial of Ser*ice Attac' on T%+ %urdue )ni*ersity+ Aest Cafayette+
!"+ ,-->&
F,=G S& 2ash& !ntegration of 2"SSE D'ey?ser*erE (ith Ssh Application+ MS thesis+ !o(a
State )ni*ersity+ Ames+ !A+ ,--;&
F,,G A& R& Ste*ens& )"!@ "et(or' %rogramming <ol& , U "et(or' A%!s$ Soc'ets and
@T!+ Second Edition+ %rentice :all %TR+ )pper Saddle Ri*er+ "J+ ,--.&
F,1G <ern %aBson& 8ro$ A System for 2etecting "et(or' !ntruders in Real?Time+ Ca(rence
8er'eley "ational Caboratory+ 8er'eley+ A+ ,--.&
;9
F,3G R& & Se'ar+ R& Ramesh+ !& <& Rama'rishnan& Adapti*e %attern Matching+ 8ellcore+
Morristo(n+ "J+ ,--3&
F,5G Ste*en Mcanne+ <an Jacobson& The 8S2 %ac'et Filter$ A "e( Architecture for
)ser?le*el %ac'et apture+ Ca(rence 8er'eley Caboratory+ 8er'eley+ A+ ,--1&
F,9G 8is(anath Mu'her#ee+ C& Todd :eberlein+ 4arl "& Ce*itt& "et(or' !ntrusion
2etection+ I666 Net$or++ pp&1>?5,+ May7June ,--5&
F,>G Frederic' 8& ohen& A "ode on 2istributed oordinated Attac's+ omputer M
Security+ pp&,=3?,1,+ *,9+ ,-->&
F,;G Ste*en heung+ 4arl "& Ce*itt& %rotecting Routing !nfrastructures from 2enial of
Ser*ice )sing ooperati*e !ntrusion 2etection+ )ni*ersity of alifornia+ 2a*is+ A+
,--;&
F,.G hristoph C& Schuba& Addressing Aea'ness in the 2omain "ame System %rotocol+
OAST Caboratory+ %urdue )ni*ersity+ Aest Cafayette+ !"+ ,--3&
F,-G Eugene :& Spafford& The !nternet Aorm !ncident+ 7echnical "eport CD-7"-QQF+
%urdue )ni*ersity+ Aest Cafayette+ !"+ September ,-+ ,--,&
;>
AC,NO*LE&/E3ENTS
! (ish to eBpress my sincere appreciation to 2r& R& & Se'ar+ my ma#or professor+ for
his full support+ *aluable ad*ice and assistance to carry out and complete this research&
! (ould li'e to than' 2r& Johnny Aong for his help in my graduate study& :is
encouragement and support ma'es my t(o years study at !o(a State )ni*ersity the most
re(arding time in my life&
The contribution of 2r& 2oug Jacobson as committee member is greatly
ac'no(ledged&
Many than's to %remchand )ppuluri+ Ra*i <an'amamidi and Yong ai for their help
to my research and study&
Finally+ than's for the lo*e from my parents and my (ife+ Ci Fang& Aithout their
support+ ! (ould not ha*e completed this research&
This pro#ect is supported by 2efense Ad*anced Research %ro#ect Agency\s
!nformation Technology Office D2AR%A?!TOE under the !nformation System Sur*i*ability
program+ under contract number F3=>=1?-;??=155&
;;