Abstract
Traditional security mechanisms such as signature-based intrusion detection systems (IDSs) attempt to find a perfect match of a set of signatures in network traffic. Such IDSs depend on the availability of a complete application data stream. With emerging protocols such as Multipath TCP (MPTCP), this precondition cannot be ensured, resulting in false negatives and IDS evasion. On the other hand, if approximate signature matching is used instead in an IDS, a potentially high number of false positives makes the detection impractical. In this paper, we show that, by using a specially tailored partial signature matcher and knowledge about MPTCP semantics, the Snort3 IDS can be empowered with partial signature detection. Additionally, we uncover the type of Snort3 rules suitable for the task of partial matching. Experimental results with these rules show a low false positive rate for benign traffic and high detection coverage for attack traffic.
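The evasion and the mitigation described in the abstract, as an added illustration that is not the paper's code or Snort3's: an application stream is striped over two MPTCP subflows, a conventional per-subflow reassembler never sees the whole content signature, and exact matching fails on every subflow. A partial matcher that scores the longest contiguous signature fragment present in a subflow, enabled only when the flow is known to be MPTCP (a stand-in for the paper's "MPTCP semantics"), still raises an alert while a benign payload sharing a short substring stays below the threshold. The signature, payloads, chunk size and threshold are all constructed for this demo.

```python
# Added illustration (not from the paper): how a content signature split
# across MPTCP subflows evades exact matching in a per-subflow IDS view, and
# how a partial matcher gated on MPTCP knowledge still raises an alert.
# Signature, payloads, chunk size and threshold are constructed for the demo.
from dataclasses import dataclass

SIGNATURE = b"CONSTRUCTED-BAD-PATTERN-7f3a"   # constructed "content" pattern
PARTIAL_THRESHOLD = 0.5                        # constructed: share of signature required


@dataclass
class Segment:
    subflow: int     # MPTCP subflow that carried these bytes
    dsn: int         # data sequence number: offset in the application stream
    payload: bytes


def split_over_subflows(stream: bytes, chunk: int, n_subflows: int) -> list:
    """Model an MPTCP sender striping one application stream round-robin
    over n_subflows subflows, chunk bytes at a time."""
    return [Segment(i % n_subflows, off, stream[off:off + chunk])
            for i, off in enumerate(range(0, len(stream), chunk))]


def per_subflow_streams(segs) -> dict:
    """What a conventional TCP reassembler sees: one stream per subflow,
    each missing the bytes that travelled on the other subflows."""
    streams = {}
    for s in sorted(segs, key=lambda s: s.dsn):
        streams[s.subflow] = streams.get(s.subflow, b"") + s.payload
    return streams


def reassemble_by_dsn(segs) -> bytes:
    """Full application stream; only possible if every subflow was observed."""
    return b"".join(s.payload for s in sorted(segs, key=lambda s: s.dsn))


def longest_signature_fragment(sig: bytes, data: bytes) -> int:
    """Length of the longest contiguous piece of sig that occurs in data
    (classic longest-common-substring DP; fine for signature-sized inputs)."""
    best, prev = 0, [0] * (len(data) + 1)
    for i in range(1, len(sig) + 1):
        cur = [0] * (len(data) + 1)
        for j in range(1, len(data) + 1):
            if sig[i - 1] == data[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def partial_match(sig: bytes, data: bytes):
    """Return (fragment_length, score) where score is the matched share of sig."""
    frag = longest_signature_fragment(sig, data)
    return frag, frag / len(sig)


def classify(data: bytes, is_mptcp: bool, sig: bytes = SIGNATURE) -> str:
    """Exact match always alerts. Partial matching is only attempted when the
    flow is known to be an MPTCP subflow, where an incomplete view is expected;
    on plain TCP it would only add false positives."""
    if sig in data:
        return "alert"
    if is_mptcp and partial_match(sig, data)[1] >= PARTIAL_THRESHOLD:
        return "partial-alert"
    return "clean"


def demo() -> dict:
    stream = b"PREFIX: " + SIGNATURE + b" END"          # constructed app data
    segs = split_over_subflows(stream, chunk=16, n_subflows=2)
    views = per_subflow_streams(segs)
    return {
        # full reassembly finds the signature, but needs every subflow
        "full_stream_exact": SIGNATURE in reassemble_by_dsn(segs),
        # each subflow alone holds only a piece: exact matching misses
        "per_subflow_exact": {k: SIGNATURE in v for k, v in views.items()},
        # the subflow carrying 16 of 28 signature bytes trips the partial matcher
        "per_subflow_verdict": {k: classify(v, is_mptcp=True) for k, v in views.items()},
        # benign text sharing a short substring stays below the threshold
        "benign_mptcp_verdict": classify(b"a PATTERN-based rule set", is_mptcp=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The threshold is the knob the abstract is about: raise it and split signatures slip through again; lower it and benign traffic that shares a common token with a rule starts to alert, which is why the paper restricts partial matching to rule types whose content is distinctive enough to tolerate it.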
Notes
1. Source code available at https://github.com/randomsecguy/.
Acknowledgment
The work is being carried out in the High Quality Networked Services in a Mobile World project funded partly by the Knowledge Foundation of Sweden. The authors are grateful to Henry Foster for providing the building blocks required for this work.
© 2019 Springer Nature Switzerland AG
Cite this paper
Afzal, Z., Garcia, J., Lindskog, S., Brunstrom, A. (2019). Using Partial Signatures in Intrusion Detection for Multipath TCP. In: Askarov, A., Hansen, R., Rafnsson, W. (eds) Secure IT Systems. NordSec 2019. Lecture Notes in Computer Science, vol 11875. Springer, Cham. https://doi.org/10.1007/978-3-030-35055-0_5
DOI: https://doi.org/10.1007/978-3-030-35055-0_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35054-3
Online ISBN: 978-3-030-35055-0
eBook Packages: Computer Science; Computer Science (R0)