
A Bloom Filter Application of Network Processor for High-Speed Filtering Buffer-Overflow Worm  

Kim Ik-Kyun (ETRI, Information Security Division)
Oh Jin-Tae (ETRI, Information Security Division)
Jang Jong-Soo (ETRI, Information Security Division)
Sohn Sung-Won (ETRI, Information Security Division)
Han Ki-Jun (Kyungpook National University, Computer Engineering Department)
Abstract
Network solutions for protecting against worm attacks that complement partial end-system patch deployment are a pressing problem. In content-based worm filtering, the challenges are detection accuracy and performance. We present a worm filter architecture using the Bloom filter for deployment at high-speed transit points on the Internet, including firewalls and gateways. Content-based packet filtering at multi-gigabit line rates is, in general, a challenging problem because of the signature explosion problem, which curtails performance. We show that for worm malware, in particular buffer-overflow worms, which comprise a large segment of recent outbreaks, scalable -- accurate, cut-through, and extensible -- filtering performance is feasible. We demonstrate the efficacy of the design by implementing it on an Intel IXP network processor platform with gigabit interfaces. We benchmark the worm filter network appliance on a suite of current and past worms, showing multi-gigabit line-speed filtering with minimal footprint on end-to-end network performance.
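As an added illustration of the content-based Bloom filter approach the abstract describes (example code written for this page, not the paper's implementation), the following Python sketch stores the first W bytes of each signature in a Bloom filter, tests every payload offset with a cheap membership check, and verifies each hit against the full signature so that a Bloom false positive can never drop a packet on its own. The hash construction, window size and signatures are assumptions; the signatures are constructed, not real worm signatures.

```python
import hashlib


class BloomFilter:
    """Bit-array Bloom filter; the k bit indices are carved from one SHA-256 digest.
    (Assumption: the page does not state which hash functions the paper uses.)"""

    def __init__(self, m_bits, k):
        assert k * 4 <= 32, "at most 8 four-byte indices fit in a 32-byte digest"
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        d = hashlib.sha256(item).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def maybe_contains(self, item):
        # True means "possibly present": Bloom filters have false positives, never false negatives.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class WormFilter:
    """Content filter: the Bloom filter holds the first W bytes of every signature,
    one membership test runs per payload offset, and only Bloom hits are checked
    against the full signatures (the exact-match stage removes false positives)."""

    def __init__(self, signatures, window=8, m_bits=4096, k=4):
        self.w = window
        self.bloom = BloomFilter(m_bits, k)
        self.by_prefix = {}
        for sig in signatures:
            assert len(sig) >= window, "signature shorter than the scan window"
            self.bloom.add(sig[:window])
            self.by_prefix.setdefault(sig[:window], []).append(sig)

    def scan(self, payload):
        """Return (matched_signature or None, number_of_bloom_hits_during_the_scan)."""
        hits = 0
        for i in range(len(payload) - self.w + 1):
            chunk = payload[i:i + self.w]
            if not self.bloom.maybe_contains(chunk):
                continue  # the common case: cheap rejection without any string compare
            hits += 1
            for sig in self.by_prefix.get(chunk, ()):
                if payload.startswith(sig, i):
                    return sig, hits
        return None, hits


# Constructed signatures for the example (not real worm signatures): a 16-byte NOP sled
# of the kind buffer-overflow payloads carry, and a fixed marker string.
SIGNATURES = [b"\x90" * 16, b"CONSTRUCTED-WORM-MARKER"]
FILTER = WormFilter(SIGNATURES)
```

A payload that shares only a signature's first 8 bytes registers a Bloom hit but is not reported as a match, which is the behaviour a transit-point filter needs to avoid dropping legitimate traffic.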
Keywords
Bloom Filter