• Title/Summary/Keyword: 시그너쳐 기반 필터링

Search Result 2, Processing Time 0.015 seconds

The Design and Implementation of High Performance Intrusion Prevention Algorithm based on Signature Hashing (시그너처 해싱 기반 고성능 침입방지 알고리즘 설계 및 구현)

  • Wang, Jeong-Seok;Jung, Yun-Jae;Kwon, H-Uing;Chung, Kyu-Sik;Kwak, Hu-Keun
    • The KIPS Transactions:PartC
    • /
    • v.14C no.3 s.113
    • /
    • pp.209-220
    • /
    • 2007
  • IPS(Intrusion Prevention Systems), which is installed in inline mode in a network, protects network from outside attacks by inspecting the incoming/outgoing packets and sessions, and dropping the packet or closing the sessions if an attack is detected in the packet. In the signature based filtering, the payload of a packet passing through IPS is matched with some attack patterns called signatures and dropped if matched. As the number of signatures increases, the time required for the pattern matching for a packet increases accordingly so that it becomes difficult to develop a high performance US working without packet delay. In this paper, we propose a high performance IPS based on signature hashing to make the pattern matching time independent of the number of signatures. We implemented the proposed scheme in a Linux kernel module in a PC and tested it using worm generator, packet generator and network performance measure instrument called smart bit. Experimental results show that the performance of existing method is degraded as the number of signatures increases whereas the performance of the proposed scheme is not degraded.

Detection Of Unknown Malicious Scripts using Code Insertion Technique (코드 삽입 기법을 이용한 알려지지 않은 악성 스크립트 탐지)

  • 이성욱;방효찬;홍만표
    • Journal of KIISE:Information Networking
    • /
    • v.29 no.6
    • /
    • pp.663-673
    • /
    • 2002
  • Server-side anti-viruses are useful to protect their domains, because they can detect malicious codes at the gateway of their domains. In prevailing local network, all clients cannot be perfectly controlled by domain administrators, so server-side inspection, for example in e-mail server, is used as an efficient technique of detecting mobile malicious codes. However, current server-side anti-virus systems perform only signature-based detection for known malicious codes, simple filtering, and file name modification. One of the main reasons that they don't have detection features, for unknown malicious codes, is that activity monitoring technique is unavailable for server machines. In this paper, we propose a detection technique that is executed at the server, but it can monitor activities at the clients without any anti-virus features. we describe its implementation.