A real time packet filtering module for network intrusion detection system
Date
1998
Authors
Yang, Guang
Major Professor
Advisor
Sekar, R. C.
Abstract
Computer networks bring us not only benefits, such as more computing power and better performance for a given price, but also challenges and risks, especially in the field of system security. During the past two decades, significant effort has been put into network security research, and several techniques have been developed for building secure networks. Packet filtering plays an important role in many security-related techniques, such as intrusion detection, access control and firewalls. A packet-filtering system constitutes the first line of defense in a computer network environment. The key issues in the packet-filtering technique are efficiency and flexibility. Efficiency refers to the ability of a filter to quickly capture the network packets of interest, while flexibility means that the filter can be customized easily for different packet patterns.
In this thesis, we present a real-time packet-filtering module that can be integrated into a large-scale network intrusion detection system. The core of this packet-filtering module is a rule-based specification language, ASL (Auditing Specification Language), which is used to describe the packet patterns and reactions for a network intrusion detection system. The important features of ASL that are not provided by other packet-filtering systems are protocol independence and type safety. ASL provides a number of new features that distinguish it from other languages used for intrusion detection and packet filtering, such as packet structure description and protocol constraint checking. We develop the algorithms and heuristics for constructing fast packet filters from ASL specifications. Our algorithms improve upon existing techniques in that the performance of the generated filters is insensitive to the number of rules. We discuss the implementation of these algorithms and present experimental results.
Type
thesis