Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Handley, M. & Paxson, V. Proceedings of the USENIX Security Symposium, 2001.
@article{ Handley01b,
  author = {Mark Handley and Vern Paxson},
  title = {Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics},
  journal = {Proceedings of the {USENIX} Security Symposium},
  year = {2001},
  annote = {The paper presents a fundamental problem of network intrusion detection systems: a NIDS must keep the same state as the receivers it monitors. One example of an evasion attack is to send packets with varying TTLs so that some reach the destination while others do not. The NIDS then has difficulty determining which packets were actually received by the destination host, and therefore has a lower chance of discovering an attack. The paper presents a technique known as traffic normalization, i.e. packet header fields are rewritten to safer values; for example, all TTLs could be set to the maximum hop count of the internal network. For each of the IP header fields there is a discussion of potential misuse, how to normalize the field, and the effect the change has on end-to-end semantics. The paper also includes (without commentary) an overview of UDP, TCP and ICMP normalizations.},
  url = {papers/handley01_norm-usenix-sec-01.pdf},
  submitter = {Stefan Alfredsson},
  bibdate = {Monday, August 19, 2002 at 08:27:40 (CEST)}
}