Improving the resilience of an IDS against performance throttling attacks
Document type: Conference report
Rights access: Restricted access - publisher's policy
Intrusion Detection Systems (IDS) have emerged as one of the most promising ways to secure systems in the network. To be effective against evasion attempts, the IDS must provide tight bounds on performance; otherwise an adversary can bypass the IDS by carefully crafting and sending packets that throttle it. This can render the IDS ineffective, leaving the network vulnerable. We present a performance throttling attack mounted against the computationally intensive string matching algorithm. This algorithm performs string matching by traversing a finite-state machine (FSM). We observe that some input bytes sequentially traverse a chain of 30 pointers. This chain of traversals drastically degrades performance, and we observe a 22X performance drop compared to the average-case performance. We investigate hardware and software mechanisms to counter this performance degradation. The software mechanism targets commodity general-purpose CPUs, while the hardware-based mechanism uses a parallel traversal suited to network processor architectures. Our results show that the proposed mechanisms significantly improve (by over 3X) the string matching algorithm's worst-performing cases.
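The abstract does not name the matching algorithm, so the following added example (not from the paper) assumes an Aho-Corasick-style automaton whose failure pointers form the kind of chain the authors describe. It builds the automaton from constructed patterns, measures the worst number of pointer hops a single input byte can cost, and shows one software-side way to bound that cost: precomputing the full DFA so every byte costs exactly one table lookup. The DFA conversion is an illustrative mitigation, not the paper's own mechanism.

```python
from collections import deque

# Constructed patterns and input (not from the paper): 30 identical bytes then a
# mismatch walk the scanner down a chain of 30 failure pointers for one byte.
PATTERNS = ["a" * 30 + "b", "xc"]
THROTTLING_INPUT = "a" * 30 + "c" + "xc"

def step(tables, s, ch):                      # next state, and failure hops charged to ch
    goto, fail = tables[0], tables[1]
    hops = 0
    while s and ch not in goto[s]:
        s, hops = fail[s], hops + 1           # one pointer dereference per hop
    return goto[s].get(ch, 0), hops
def build_ac(patterns):
    """Aho-Corasick automaton as (goto, fail, out) tables (assumed algorithm)."""
    goto, fail, out = [{}], [0], [set()]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(p)
    q = deque(goto[0].values())               # BFS: depth-1 states fail to the root
    while q:
        r = q.popleft()
        for ch, s in goto[r].items():
            fail[s] = step((goto, fail, out), fail[r], ch)[0]
            out[s] |= out[fail[s]]            # inherit matches of the suffix state
            q.append(s)
    return goto, fail, out
def scan_with_failure_pointers(tables, text):
    """Resolve chains on the fly; return (matches, worst hops charged to one byte)."""
    s, matches, worst = 0, 0, 0
    for ch in text:
        s, hops = step(tables, s, ch)
        matches, worst = matches + len(tables[2][s]), max(worst, hops)
    return matches, worst
def to_full_dfa(tables):
    """Resolve every (state, byte) chain at build time; a scan then costs one lookup per byte."""
    alphabet = {ch for row in tables[0] for ch in row}
    return [{ch: step(tables, s, ch)[0] for ch in alphabet} for s in range(len(tables[0]))]
def scan_dfa(delta, tables, text):
    """Bounded per-byte work: one lookup; bytes outside the alphabet return to the root."""
    s, matches = 0, 0
    for ch in text:
        s = delta[s].get(ch, 0)
        matches += len(tables[2][s])
    return matches
```

On the constructed input the failure-pointer scan charges 30 hops to a single byte while the full DFA charges one lookup per byte and reports the same matches; the price of the bound is the precomputed table of size states x alphabet.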
Citation: Sreekar Shenoy, G.; Tubella, J.; González, A. Improving the resilience of an IDS against performance throttling attacks. In: International Conference on Security and Privacy in Communication Networks. "Security and Privacy in Communication Networks: 8th International ICST Conference, SecureComm 2012: Padua, Italy, September 3-5, 2012: revised selected papers". Sydney: Springer, 2012, p. 167-184.