Authors: N. Sertac Artan, H. Jonathan Chao
Addresses: Department of Electrical and Computer Engineering, Polytechnic University, 5 MetroTech Center, Brooklyn, NY 11201, USA; Department of Electrical and Computer Engineering, Polytechnic University, 5 MetroTech Center, Brooklyn, NY 11201, USA
Abstract: Worm epidemics in the last few years have shown that manual defences against worm epidemics are not practical. Recently, various automatic worm identification methods have been proposed to be deployed at high-speed network nodes to respond in time to fast infection rates of worms. Unfortunately, these methods can easily be evaded by fragmentation of the worm packets. The straightforward defragmentation method is not applicable for these high-speed nodes due to its high storage (memory) requirement. In this paper, this multipacket signature detection problem is addressed using a defragmentation-free, space-efficient solution. A new data structure – Prefix Bloom Filters (PBFs) – along with a new heuristic called the Chain Heuristic (CH), is proposed to significantly reduce the storage requirement of the problem, so that multipacket signature detection becomes feasible for high-speed network nodes.
Keywords: multipacket signature detection; deep packet inspection; prefix bloom filters; PBFs; intrusion detection; intrusion prevention; chain heuristic; networks; security; worm packets; storage requirement.
International Journal of Security and Networks, 2007 Vol.2 No.1/2, pp.122 - 136
Published online: 16 Mar 2007