Similar literature
1.
The transmission control protocol (TCP) is the workhorse protocol of the Internet: most data passing through the Internet transits the network as TCP layered atop the Internet protocol (IP). Monitoring, capturing, filtering, and blocking traffic on high-speed Internet links requires the ability to process TCP packets directly in hardware. High-speed network intrusion detection and prevention systems guard against several types of threats, and as the gap between network bandwidth and computing power widens, improved microelectronic architectures are needed to monitor and filter network traffic without limiting throughput. To address these issues, we have designed a hardware-based TCP/IP content-processing system that supports content scanning and flow blocking for millions of flows at gigabit line rates. The TCP splitter technology was previously developed to monitor TCP data streams, sending a consistent byte stream to a client application for every TCP data flow passing through the circuit. The content-scanning engine can scan packet payloads for a set of regular expressions. The new TCP-based content-scanning engine integrates and extends the capabilities of the TCP splitter and the old content-scanning engine. IP packets travel to the TCP processing engine from the lower-layer-protocol wrappers, and hash tables index the memory that stores each flow's state.

2.
Computer Networks, 2005, 47(1):1-21
Field measurements have always been the starting point for network design and planning; however, their statistical analysis beyond simple traffic volume estimation is not so common. In this paper we present and discuss Tstat, a tool for the collection and statistical analysis of TCP/IP traffic, which, in addition to recognised performance figures, infers TCP connection status from traces. Besides briefly discussing its rationale and use, we present some of the performance figures that can be obtained and highlight the insight that such figures give into TCP/IP protocols and the Internet, thereby supporting the usefulness of widespread use of Tstat or similar tools. Analysing Internet traffic is difficult because a large number of performance figures can be devised in TCP/IP networks, but also because many of them can be derived only if both directions of bidirectional traffic are considered jointly. Tstat automatically correlates incoming and outgoing packets. Sophisticated statistics, obtained by correlating incoming and outgoing traffic, give reliable estimates of network performance from the user's perspective as well. Tstat computes over 80 different performance statistics at both the IP and TCP layers, giving good insight into network performance. To support this claim, we discuss several of these figures computed on traffic measurements covering a period equivalent to more than three months, spread over the years 2000-2003, on the access link of Politecnico di Torino.

3.
Shellcode is the core code of a buffer-overflow exploit and is usually embedded in a file or carried in network traffic. Signature-matching detection suffers from delay and low accuracy; to address this, and drawing on artificial immune theory, this paper proposes a shellcode detection method using real-valued encoding. Shellcode samples are collected and disassembled, and an n-gram model extracts features from the assembly instruction sequences to generate antigens, which serve as the source of the immune system's immature detectors; these then pass through the tolerance process of the negative selection algorithm to become mature detectors. The detectors are cloned and mutated to breed better offspring, improving detector diversity and affinity. Experimental results show that the method achieves high detection accuracy for both non-encoded and polymorphic shellcode.
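An added example, not the paper's implementation or its samples: the negative-selection stage described above in Python, over n-grams of instruction mnemonics such as a disassembler would emit. Every n-gram found in the shellcode samples (the antigens) is an immature detector; any that also occurs in benign code (the self set) fails tolerance and is discarded, and the surviving mature detectors score an unknown sequence by the fraction of its n-grams they match. The clonal-selection and mutation stage of the paper is omitted, and the benign and shellcode mnemonic sequences below are constructed stand-ins, not real samples.

```python
from collections import Counter


def ngrams(tokens, n):
    """All contiguous n-grams of a token sequence, as tuples."""
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


def negative_selection(self_sequences, antigen_sequences, n=3):
    """Mature detectors: shellcode n-grams that never occur in benign (self) code,
    mapped to how often each was seen across the antigens."""
    self_set = {g for seq in self_sequences for g in ngrams(seq, n)}
    candidates = Counter(g for seq in antigen_sequences for g in ngrams(seq, n))
    return {g: c for g, c in candidates.items() if g not in self_set}


def affinity(detectors, tokens, n=3):
    """Fraction of a sequence's n-grams matched by some mature detector."""
    grams = ngrams(tokens, n)
    return sum(g in detectors for g in grams) / len(grams) if grams else 0.0


def classify(detectors, tokens, n=3, threshold=0.3):
    """True = shellcode. The threshold is an assumption for this illustration."""
    return affinity(detectors, tokens, n) >= threshold


# Constructed self set: mnemonics of ordinary compiled function prologues and bodies.
BENIGN = [
    ["push", "mov", "sub", "mov", "mov", "call", "mov", "add", "pop", "ret"],
    ["push", "mov", "push", "mov", "cmp", "jne", "mov", "pop", "pop", "ret"],
    ["mov", "test", "jz", "lea", "call", "test", "jnz", "xor", "ret"],
    ["push", "push", "mov", "call", "add", "mov", "cmp", "jl", "pop", "pop", "ret"],
]

# Constructed antigens: an execve-style stub and two call/pop (GetPC) decoder loops.
SHELLCODE = [
    ["xor", "push", "push", "push", "mov", "push", "mov", "push", "mov", "mov", "int"],
    ["jmp", "call", "pop", "xor", "mov", "xor", "inc", "loop", "jmp"],
    ["cld", "call", "pop", "xor", "mov", "xor", "inc", "loop", "push", "mov", "int"],
]


def build_detectors(n=3):
    return negative_selection(BENIGN, SHELLCODE, n)


def demo(n=3):
    """Score an unseen decoder variant and an unseen benign routine (both constructed)."""
    det = build_detectors(n)
    variant = ["nop", "call", "pop", "xor", "mov", "xor", "inc", "loop", "push", "int"]
    benign = ["push", "mov", "sub", "mov", "call", "mov", "add", "pop", "ret"]
    return {"detectors": len(det),
            "variant_affinity": affinity(det, variant, n),
            "benign_affinity": affinity(det, benign, n),
            "variant_is_shellcode": classify(det, variant, n),
            "benign_is_shellcode": classify(det, benign, n)}
```

In `demo()` the unseen variant shares the decoder loop's `call, pop, xor, ...` n-grams and scores 0.75, while a benign prologue scores 0.0. The n-grams that shellcode and ordinary code have in common (for instance `push mov push` from the execve stub, which also appears in the self set) were removed during tolerance, which is what keeps ordinary prologues from firing detectors.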

4.
Transmission control protocol/Internet protocol (TCP/IP) is the de facto standard of the networking world. It dynamically adjusts the routing of packets to accommodate channel failures and allows very large networks to be built with little central management. But IP packets are based on the datagram model and are not really suited to real-time traffic. To overcome these drawbacks, a new network technology, ATM, was proposed. ATM provides quality of service (QoS) guarantees for various classes of applications and in-order delivery of packets via connection-oriented virtual circuits. Unfortunately, internetworking ATM with the existing network infrastructure requires special signalling, addressing and routing protocols. IP over ATM, one of the methods proposed by the IETF, allows existing TCP/IP applications to run on ATM end-stations and ATM networks to interconnect with legacy LAN/WAN technologies, but the performance of TCP/IP over ATM leaves something to be desired. Partial packet discard (PPD) and early packet discard (EPD) are two schemes for improving it. This paper proposes a "selective packet retransmission" scheme for improving HTTP/TCP performance over ATM networks. Selective packet retransmission exploits the tolerance of human perception for errors to decide whether or not to retransmit a corrupted TCP segment: for loss-tolerant data such as images, a segment corrupted by cell loss is not retransmitted. Simulations show that, for the same buffer size and traffic load, selective packet retransmission performs better than PPD, EPD, and plain TCP over ATM.

5.
Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defences. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While recent results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly available polymorphic shellcode engines are currently one step ahead of the most advanced publicly documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behaviour of polymorphic shellcode. Our analysis demonstrates that the proposed approach is more robust to obfuscation techniques such as self-modification than previous proposals, but also highlights advanced evasion techniques that need to be examined more closely on the way to a satisfactory solution to the polymorphic shellcode detection problem.

6.
邹福泰, 俞汤达, 许文亮. 软件学报 (Journal of Software), 2022, 33(7):2683-2698
In recent years, as network encryption has become widespread, malicious attacks that use encryption have grown year by year, and traditional detection methods that rely on packet contents can no longer cope effectively with malware hidden in encrypted traffic. To detect encrypted malicious traffic under different protocols, this paper proposes a detection algorithm based on Profile HMM. Borrowing gene-sequence alignment from bioinformatics, the method identifies encrypted attack traffic by matching key gene subsequences. Experiments on open-source datasets under different conditions show that the algorithm is effective. In addition, two detection-evasion methods were designed, and experiments confirm that the algorithm resists evasion well. Compared with existing work, the approach applies to a wide range of scenarios and achieves high detection accuracy, offering a fairly effective solution for malware detection on encrypted traffic.

7.
An IP packet-filtering firewall is an indispensable part of an overall network security system. Traditional IP packet filters have many shortcomings; one remedy is to give the firewall stateful filtering. Taking TCP as an example, a stateful filter can decide what to do with a packet not only from the ACK flag and the source/destination addresses and port numbers, but also from the sequence number and window size carried in the TCP header. This blocks some attacks that exploit the TCP sliding-window mechanism. Adding state tracking to IP packet filtering not only stops more malicious packets but also raises the filtering rate, which matters a great deal for a firewall.
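The sequence-number and window check described above, as an added example that is not code from the paper: a minimal stateful TCP filter in Python. It opens state only for a bare SYN to an allowed port, follows the three-way handshake, and afterwards forwards a segment only if its sequence number falls inside the window the other side last advertised, which is what defeats blind injection and reset attempts as well as the ACK-only probes a stateless ACK-flag filter would pass. The packets are constructed objects; window scaling, SACK, timeouts and the SYN-retransmission cases are left out as simplifying assumptions.

```python
from dataclasses import dataclass, field

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
MOD32 = 1 << 32


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0
    window: int = 65535
    payload_len: int = 0


@dataclass
class FlowState:
    state: str                                       # SYN_SENT, SYN_RECEIVED or ESTABLISHED
    next_seq: dict = field(default_factory=dict)     # next expected seq per direction
    window: dict = field(default_factory=dict)       # last advertised window per direction


def in_window(seq, rcv_nxt, win):
    """True if seq is within one window of the receiver's expected sequence number
    (mod 2^32); retransmissions up to one window behind are tolerated."""
    ahead = (seq - rcv_nxt) % MOD32
    behind = (rcv_nxt - seq) % MOD32
    return ahead < win or behind <= win


class StatefulFilter:
    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)
        self.flows = {}           # initiator's (src, sport, dst, dport) -> FlowState

    def _lookup(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        if fwd in self.flows:
            return fwd, "fwd"
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in self.flows:
            return rev, "rev"
        return None, None

    def filter(self, p):
        """Return True to forward the segment, False to drop it."""
        key, d = self._lookup(p)
        if key is None:
            # Only a bare SYN to an allowed port may open state; a stray ACK-only
            # segment (waved through by a stateless ACK-flag filter) is dropped.
            if (p.flags & (SYN | ACK | RST | FIN)) == SYN and p.dport in self.allowed:
                self.flows[(p.src, p.sport, p.dst, p.dport)] = FlowState(
                    "SYN_SENT", {"fwd": (p.seq + 1) % MOD32, "rev": None},
                    {"fwd": p.window, "rev": 0})
                return True
            return False
        fs = self.flows[key]
        other = "rev" if d == "fwd" else "fwd"
        if fs.state == "SYN_SENT":       # expect a SYN/ACK acknowledging the SYN
            if d == "rev" and (p.flags & (SYN | ACK)) == (SYN | ACK) and p.ack == fs.next_seq["fwd"]:
                fs.state, fs.next_seq["rev"], fs.window["rev"] = "SYN_RECEIVED", (p.seq + 1) % MOD32, p.window
                return True
            return False
        if fs.state == "SYN_RECEIVED":   # expect the initiator's ACK with the exact seq/ack pair
            if d == "fwd" and (p.flags & ACK) and p.seq == fs.next_seq["fwd"] and p.ack == fs.next_seq["rev"]:
                fs.state, fs.window["fwd"] = "ESTABLISHED", p.window
                return True
            return False
        # ESTABLISHED: seq must lie inside the window the *other* side advertised,
        # relative to the sequence number it expects next from this direction.
        if not in_window(p.seq, fs.next_seq[d], fs.window[other]):
            return False
        if p.flags & RST:                # only an in-window reset tears the flow down
            del self.flows[key]
            return True
        end = (p.seq + p.payload_len + (1 if p.flags & FIN else 0)) % MOD32
        if (end - fs.next_seq[d]) % MOD32 < fs.window[other]:
            fs.next_seq[d] = end         # advance only forwards, never on a retransmission
        fs.window[d] = p.window
        return True


def demo():
    """Constructed exchange: a legitimate handshake and data, then forged segments."""
    f = StatefulFilter(allowed_dports={80})
    c, s = ("192.0.2.10", 40000), ("203.0.113.5", 80)
    r = {}
    r["syn"] = f.filter(Packet(*c, *s, SYN, seq=1000))
    r["synack"] = f.filter(Packet(*s, *c, SYN | ACK, seq=5000, ack=1001, window=8192))
    r["ack"] = f.filter(Packet(*c, *s, ACK, seq=1001, ack=5001))
    r["data"] = f.filter(Packet(*c, *s, ACK, seq=1001, ack=5001, payload_len=100))
    r["forged_data"] = f.filter(Packet(*c, *s, ACK, seq=501101, ack=5001, payload_len=10))  # far outside window
    r["blind_rst"] = f.filter(Packet(*s, *c, RST, seq=123456789))                            # guessed seq
    r["stray_ack"] = f.filter(Packet("198.51.100.7", 5555, *s, ACK, seq=1, ack=1))           # ACK scan
    r["retransmit"] = f.filter(Packet(*c, *s, ACK, seq=1001, ack=5001, payload_len=100))     # one window behind
    return r
```

`demo()` returns which constructed segments were forwarded: the handshake, the data and its retransmission pass, while the far-out-of-window data, the guessed RST and the stray ACK are dropped. Note the asymmetry in the check: a segment from one side is judged against the window advertised by the other side, because that is the receiver whose buffer the sequence number has to fit.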

8.
A SYN-flood detection method based on heavy-tail characteristics
Judging whether a SYN flood is under way from the SYN/TCP ratio alone detects poorly, and SYN-flood traffic cannot mimic the heavy-tailed distribution of normal network traffic. This paper proposes a detection method that combines a statistical threshold on the SYN/TCP ratio with the heavy-tail property of traffic, and tests it on the MIT Lincoln Laboratory dataset. Experiments show that the method is simple, fast and effective.
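An added example, not the paper's code or its Lincoln Laboratory data: the two-part rule above in Python. A window of packets is summarised by the share of connection-initiating SYNs among all TCP packets and by a Hill estimate of the tail index of per-flow packet counts; the window is flagged only when the SYN share is high and the flow-size distribution has lost the heavy tail of normal traffic. The Hill estimator, the 10% tail fraction, the 0.5 ratio threshold and the alpha >= 2 cut-off are assumptions made for this illustration, and both traffic windows are constructed, with deterministic Pareto quantiles standing in for heavy-tailed flow sizes.

```python
import math
from collections import Counter

SYN, ACK = 0x02, 0x10


def per_flow_counts(packets):
    """packets: iterable of (src, dst, dport, flags) tuples.
    Returns ({flow: packet count}, number of connection-initiating SYNs)."""
    counts, syns = Counter(), 0
    for src, dst, dport, flags in packets:
        counts[(src, dst, dport)] += 1
        if flags & SYN and not flags & ACK:
            syns += 1
    return counts, syns


def hill_tail_index(sizes, k):
    """Hill estimator of the tail index alpha from the k largest samples.
    alpha < 2 indicates a heavy (infinite-variance) tail; math.inf means the
    k largest values are all identical, i.e. there is no tail at all."""
    xs = sorted(sizes, reverse=True)
    if len(xs) <= k:
        raise ValueError("need more than k samples")
    ref = xs[k]
    mean_log = sum(math.log(x / ref) for x in xs[:k]) / k
    return 1.0 / mean_log if mean_log > 0 else math.inf


def classify_window(packets, tail_fraction=0.1, syn_ratio_max=0.5, heavy_tail_alpha=2.0):
    """Flag a window as a SYN flood only when the SYN share is high AND the
    per-flow size distribution is no longer heavy-tailed (thresholds assumed)."""
    counts, syns = per_flow_counts(packets)
    total = sum(counts.values())
    ratio = syns / total if total else 0.0
    k = max(10, int(len(counts) * tail_fraction))
    alpha = hill_tail_index(list(counts.values()), k)
    return {"syn_ratio": ratio, "alpha": alpha,
            "flood": ratio > syn_ratio_max and alpha >= heavy_tail_alpha}


def pareto_sizes(n, alpha=1.2):
    """Deterministic Pareto(alpha) quantiles rounded to whole packets (constructed)."""
    return [max(1, round(((n - i - 0.5) / n) ** (-1.0 / alpha))) for i in range(n)]


def normal_window(n_flows=1000):
    """Constructed background traffic: one SYN per flow followed by data/ACK segments."""
    pkts = []
    for i, size in enumerate(pareto_sizes(n_flows)):
        src = f"10.0.{i >> 8}.{i & 255}"
        pkts.append((src, "203.0.113.10", 443, SYN))
        pkts.extend((src, "203.0.113.10", 443, ACK) for _ in range(size - 1))
    return pkts


def flood_window(n_spoofed=60000):
    """Constructed flood: the background plus one bare SYN from each spoofed source."""
    pkts = normal_window()
    pkts.extend((f"198.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", "203.0.113.10", 443, SYN)
                for i in range(n_spoofed))
    return pkts
```

The tail check only does its job when the spoofed single-packet flows dominate the window, which is the volumetric case the abstract targets: with the tail size k tied to a fixed number rather than a fraction of the flows, the estimator would still see only the legitimate long flows at the top of the distribution and report a heavy tail. Combined with the ratio, it also keeps a legitimate window with many short connections from being flagged by the ratio alone.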

9.
A TCP traffic replay method based on send/receive balance checking
Interactive replay testing with real network traffic is the latest method for evaluating in-line security devices such as firewalls and IPSs. Building on an analysis of existing state-judgement-based interactive TCP replay methods, this paper introduces a send/receive balance mechanism and proposes a new TCP replay method that combines balance checking with state judgement. By performing the balance check first, before each TCP packet is sent, the method substantially reduces the state-judgement overhead during transmission and improves replay performance. The differences between the replay methods with and without the balance mechanism are analysed and compared, and the factors that affect the effectiveness of the new algorithm are examined from the perspectives of single-session behaviour, concurrent-session traffic characteristics, network latency and packet loss. Experiments on real traffic show a marked performance improvement when replaying TCP traffic, making the method suitable for evaluating in-line devices such as firewalls and IPSs in larger-scale traffic environments.

10.
Current malware detection methods depend heavily on hand-crafted features and cannot extract the deep features of malicious code. This paper proposes a malware detection method based on a bidirectional long short-term memory (Bi-LSTM) model with self-attention. A Bi-LSTM learns the byte-stream sequence of malware samples automatically and emits a hidden state at each time step; a self-attention mechanism computes a linearly weighted sum of these hidden states as the deep feature of the sequence; a fully connected layer and a Softmax layer then output the prediction probability for that feature. Experimental results show that the method is practical: compared with the second-best result, accuracy rose by 12.32% and the false-positive rate fell by 66.42%.

11.
Worms, Trojans and other network attacks all send malicious packets to the target network to achieve their purpose. Network monitoring has therefore become an important means of checking the safety of packets arriving from external networks, and Snort is widely deployed inside networks as a complement to the firewall, monitoring traffic and packet safety. This paper deploys Snort IDS at the network boundary and builds a local Snort signature set based on the CVE vulnerability database to inspect every packet crossing the boundary and protect the internal network.

12.
李小剑, 谢晓尧, 徐洋, 张思聪. 计算机工程 (Computer Engineering), 2022, 48(4):148-157, 164
Traditional shallow machine-learning methods for identifying malicious TLS traffic rely on expert experience and represent the traffic poorly, while existing deep-neural-network detectors take too long to train because of their complex layered structure. This paper proposes CNN-SIndRNN, an end-to-end lightweight method for identifying malicious encrypted traffic. A multi-layer one-dimensional convolutional neural network extracts local-pattern features from the byte sequence of a flow, and global max pooling reduces dimensionality to cut the number of parameters. To strengthen the representation, an improved recurrent neural network captures long-range dependencies between bytes: independently recurrent (IndRNN) units replace the conventional RNN cell, and a sliced parallel computation structure replaces the serial computation of a conventional RNN. The features extracted by the two kinds of network are concatenated as the representation of malicious TLS traffic. Experiments on the public CTU-Malware-Capture dataset show an F1 score of 0.9657 for binary classification and an overall accuracy of 0.8489 for multi-class classification, with training and detection time reduced by 98.47% and 98.28% respectively compared with the BotCatcher model.

13.
In developing network-enabled embedded systems, developers are often forced to spend a great deal of time and effort analysing and solving network performance problems. In this paper we address one such problem: TCP performance interference on an asymmetric link. Upload or download throughput degrades abruptly when upload and download TCP traffic share the link simultaneously. While many researchers have addressed the problem, their solutions are incomplete: they improve throughput in only one direction, require TCP protocol modifications in end-user devices, or are effective only for a limited range of network configurations. To overcome these limitations, we propose ACKs-first variable-size queuing (AFVQ) for a gateway. We have derived an analytic model of steady-state TCP performance with bidirectional traffic that clearly identifies the two sources of the problem: the excessive queuing delay of ACK packets and the excessive number of ACK packets in the queue. AFVQ is designed to eliminate both causes directly and rests on two policies. First, ACKs-first scheduling shortens the queuing delay of ACK packets. Second, the queue size for ACK packets is adjusted dynamically according to the number of data packets queued in the gateway, so that the number of ACK packets is reduced when the gateway is congested. By applying both policies simultaneously to the uplink and downlink output queues of the gateway, AFVQ achieves balanced TCP throughput improvements in both directions, breaking the circular dependency between upload and download traffic. We have implemented AFVQ in our ADSL-based residential gateway using the traffic control module of the Linux kernel; the gateway yields 95.2% and 93.8% of the maximum download and upload bandwidth, respectively. We have also evaluated the mechanism in the ns-2 simulator over a wide range of network configurations and shown that AFVQ achieves better upload and download throughput than other representative gateway-based mechanisms such as ACQ, ACKs-first scheduling and ACK filtering.

14.
Research on buffer-overflow attack defence techniques based on shellcode detection
何乔, 吴廖丹, 张天刚. 计算机应用 (Journal of Computer Applications), 2007, 27(5):1044-1046
Buffer-overflow attacks pose a great threat to computer and network security. Starting from how buffer-overflow attacks work and how shellcode is implemented, this paper proposes defence techniques that target the shellcode itself. It describes several techniques for detecting and stopping shellcode, both before and after it gains control, from the standpoint of code characteristics, the transfer of control, and the way the shellcode's malicious function is carried out. Finally it compares the strengths and weaknesses of these techniques, points out the better ones, and offers suggestions for improving system security more comprehensively.

15.
Ethernet speeds are now growing far faster than memory and CPU speeds, so memory access and protocol processing on the CPU have become the TCP performance bottleneck. Growing network bandwidth places a heavy load on the CPU: roughly 1 GHz of CPU is needed to do protocol processing for 1 Gbps of traffic. To address this, a multi-core NPU is used as the NIC to perform checksum computation and out-of-order segment reassembly on the TCP receive path; the coalesced large packets are then handed to the protocol stack through the Linux NIC driver, reducing the number of packets the stack must process and the number of interrupts the NIC raises, and so improving TCP performance on the end system. On a 10 Gbps Ethernet network, the experiment achieved a TCP receive throughput of 4.9 Gbps.

16.
Active queue management (AQM) has been a hot research topic in end-to-end TCP congestion control in recent years; the PI congestion controller is a control mechanism built on top of RED. PI controls congestion in two ways: it tracks the instantaneous queue length, and under congestion it drops packets arriving at the queue with a certain probability. These computations can be based on packet counts or on byte counts, and the choice affects the network differently. Simulations quantify the effect on communication performance of the different queue-measurement and marking methods. The PI and RED controllers are also compared under the same mode and parameter settings, showing that PI control has certain advantages.

17.
In this paper, we propose a lightweight framework that uses kernel machines to detect the shellcode used in drive-by download attacks. Because such shellcode is delivered in web pages as JavaScript strings, we studied the effectiveness of the approach on about 9,850 shellcodes and 10,000 JavaScript strings collected in the wild. The trained support vector machines (SVMs) classified with an accuracy of over 99%. Evaluating the trained SVM models with different proportions of training data showed consistent performance, with an average accuracy of 99.51%, and the proposed static approach proved effective even against polymorphic shellcode variants. Compared with an emulation-based approach, our approach achieved slightly better accuracy while consuming about 33% of the time taken by emulation.

18.
This paper analyses the queueing performance of a Generalized Processor Sharing (GPS) scheduling system when the data flows are constrained and shaped by, respectively, a linear leaky-bucket model and a fractal leaky-bucket model. Methods for estimating the maximum queue length and the maximum delay are given, and the theoretical analysis is compared with experimental results. The analysis shows that the linear leaky-bucket model is effective for UDP flows and for TCP flows with a low degree of aggregation, whereas the fractal leaky-bucket model describes highly aggregated TCP flows better.

19.
Although MMORPGs are becoming increasingly popular as well as a highly profitable Internet business, there is still a fundamental design question: Which transport protocol should be used—TCP, UDP, or some other protocol? In this paper, we first evaluate whether TCP is suitable for MMORPGs, and then propose some novel transport strategies for this genre of games. Our analysis of a trace collected from a TCP-based MMORPG called ShenZhou Online indicates that TCP is unwieldy and inappropriate for MMORPGs. We find that the degraded network performance problems are due to the following characteristics of MMORPG traffic: 1) tiny packets, 2) a low packet rate, 3) application-limited traffic generation, and 4) bi-directional traffic. Since not all game packets require reliable transmission or in-order delivery, transmitting all packets with a strict delivery guarantee causes high delays and delay jitters. Therefore, our proposed transport strategies assign game packets with appropriate levels of transmission guarantee depending on the requirements of the packets' contents. To compare the performance of our approach with that of existing transport protocols, we conduct network simulations with a real-life game trace from Angel's Love. The results demonstrate that our strategies significantly reduce the end-to-end delay and delay jitter of packet delivery. Finally, we show that our strategies effectively raise satisfaction levels of the game players.

20.
In this paper, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds their buffering capacities. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent. However, this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks. We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested our protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior.
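An added example, not the paper's protocol or its Emulab results: the attribution step above reduced to a discrete-time queue model in Python. From the per-interval packet arrivals observed for a link, the link's service rate and its buffer size, the model predicts how many packets congestion alone would have dropped; only losses beyond that prediction are charged to the router. The drop-tail FIFO model, the fixed interval length, and the arrival series and forwarded counts are all constructed assumptions for this illustration.

```python
def predicted_congestive_losses(arrivals, capacity, buffer_size):
    """Drop-tail FIFO over fixed intervals: arrivals join the queue, anything
    beyond buffer_size is dropped, then up to `capacity` packets are served."""
    queue, dropped = 0, 0
    for a in arrivals:
        queue += a
        if queue > buffer_size:
            dropped += queue - buffer_size
            queue = buffer_size
        queue = max(0, queue - capacity)
    return dropped


def attribute_losses(arrivals, forwarded, capacity, buffer_size, slack=0):
    """Compare observed losses with the congestion prediction. `slack` absorbs
    model error (assumed 0 here); any excess beyond it is charged to the router."""
    offered = sum(arrivals)
    expected = predicted_congestive_losses(arrivals, capacity, buffer_size)
    observed = offered - forwarded
    return {"offered": offered, "expected_loss": expected, "observed_loss": observed,
            "malicious": observed > expected + slack}


def threshold_rule(arrivals, forwarded, max_loss_rate=0.10):
    """The static heuristic the paper criticises: flag when the loss rate
    exceeds a fixed, user-chosen value (10% assumed here)."""
    offered = sum(arrivals)
    return (offered - forwarded) / offered > max_loss_rate


# Constructed burst: arrivals per interval on a link that serves 10 packets per
# interval with a 10-packet buffer. Intervals 2-4 overflow the buffer.
ARRIVALS = [8, 12, 15, 20, 9, 5, 7]
CAPACITY, BUFFER = 10, 10


def demo():
    """An honest router loses exactly the congestive amount; a compromised one
    silently discards 9 more packets on top of it."""
    honest_forwarded = sum(ARRIVALS) - predicted_congestive_losses(ARRIVALS, CAPACITY, BUFFER)
    dropping_forwarded = honest_forwarded - 9
    return {
        "honest": attribute_losses(ARRIVALS, honest_forwarded, CAPACITY, BUFFER),
        "dropping": attribute_losses(ARRIVALS, dropping_forwarded, CAPACITY, BUFFER),
        "threshold_false_positive": threshold_rule(ARRIVALS, honest_forwarded),
    }
```

The same series shows why the static threshold is unsound: the honest router loses 17 of 76 packets (22%) purely to the burst, so a 10% loss-rate rule flags it, while a threshold raised to 25% to tolerate that burst would miss a router dropping only a packet or two beyond the congestive amount. Running the model per destination prefix rather than per link is what lets the focused, victim-selective case in the abstract stand out against an aggregate loss rate that looks normal.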

Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.). 京ICP备09084417号