tailieunhanh - Protocol Scrubbing: Network Security Through Transparent Flow Modification
Every company is always at risk of having trade secrets compromised, intellectual property stolen, and business plans revealed in an untimely manner. Industrial espionage and spying remain at a high level and are practiced on an international scale. An organization’s privacy planning process needs to take these threats into consideration. However, theft of proprietary information is only part of an organization’s vulnerability in privacy wars. How it uses the information it collects about its customers, or even its suppliers, can also increase its vulnerability. One of an organization’s greatest points of vulnerability is a lack of knowledge about the types of data it has and.

IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 12, NO. 2, APRIL 2004, 261

Protocol Scrubbing: Network Security Through Transparent Flow Modification

David Watson, Matthew Smart, G. Robert Malan, Member, IEEE, and Farnam Jahanian, Member, IEEE

Abstract: This paper describes the design and implementation of protocol scrubbers. Protocol scrubbers are transparent, interposed mechanisms for explicitly removing network scans and attacks at various protocol layers. The transport scrubber supports downstream passive network-based intrusion detection systems by converting ambiguous network flows into well-behaved flows that are unequivocally interpreted by all downstream endpoints. The fingerprint scrubber restricts an attacker's ability to determine the operating system of a protected host. As an example, this paper presents the implementation of a TCP scrubber that eliminates insertion and evasion attacks (attacks that use ambiguities to subvert detection) on passive network-based intrusion detection systems, while preserving high performance. The TCP scrubber is based on a novel, simplified state machine that performs in a fast and scalable manner. The fingerprint scrubber is built upon the TCP scrubber and removes additional ambiguities from flows that can reveal implementation-specific details about a host's operating system.

Index Terms: Intrusion detection, network security, protocol scrubber, stack fingerprinting.

I. Introduction

As society grows increasingly dependent on the Internet for commerce, banking, and mission-critical applications, the ability to detect and neutralize network attacks is becoming increasingly significant. Attackers can use ambiguities in network protocol specifications to deceive network security systems. Passive entities can only notify administrators or active mechanisms after attacks are detected. However, the response to this notification may not be timely enough to withstand some types of attacks, such as attacks on infrastructure control protocols. Active .
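The abstract's idea of converting an ambiguous flow into one that every downstream endpoint interprets the same way can be shown on a single kind of ambiguity: overlapping TCP segments that carry different bytes. This is an added example, not code from the paper. The function names, the constructed sample flow, and the "keep the first copy" policy are assumptions for illustration and do not reproduce the paper's state machine.

```python
"""Added illustration: overlapping TCP segments are ambiguous because
receivers differ on which copy of a byte they keep. Simplified: relative
sequence numbers from 0, no handshake, window, or wraparound."""

# Constructed sample flow: (relative_seq, payload). The third segment
# overlaps stream bytes 4..7 with different content.
SEGMENTS = [(0, b"GET "), (4, b"/one"), (4, b"/two"), (8, b" HTTP")]


def reassemble(segments, policy):
    """Rebuild the byte stream as a receiver would.
    policy='first' keeps the earliest copy of a byte, 'last' the latest."""
    stream = {}
    for seq, data in segments:
        for offset, byte in enumerate(data):
            pos = seq + offset
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[i] for i in sorted(stream))


def is_ambiguous(segments):
    """True when the two reassembly policies disagree on the stream."""
    return reassemble(segments, "first") != reassemble(segments, "last")


def scrub(segments):
    """Forward every segment, but rewrite any byte already seen at that
    stream position to the stored first copy (assumed policy), so a
    monitor and the end host reassemble the same stream."""
    seen = {}
    out = []
    for seq, data in segments:
        fixed = bytearray()
        for offset, byte in enumerate(data):
            fixed.append(seen.setdefault(seq + offset, byte))
        out.append((seq, bytes(fixed)))
    return out


if __name__ == "__main__":
    for label, flow in (("raw", SEGMENTS), ("scrubbed", scrub(SEGMENTS))):
        print(label, reassemble(flow, "first"), reassemble(flow, "last"),
              "ambiguous" if is_ambiguous(flow) else "consistent")
```

On the raw flow a passive monitor and the protected host can each reconstruct a different request. After scrubbing, both policies yield the same bytes, so what the monitor inspects is what the host receives.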