
Ambiguity Eliminator For Network Intrusion Detection System

Posted on: 2007-06-05
Degree: Master
Type: Thesis
Country: China
Candidate: S X Wei
Full Text: PDF
GTID: 2178360212965612
Subject: Computer software and theory

Abstract/Summary:
With the development of network technology, network attacks have evolved from simple, individual ones to complex, cooperative ones. Sophisticated attackers can even craft attacks that elude a NIDS (Network Intrusion Detection System), resulting in negative alerts and posing a serious challenge to the accuracy of network intrusion detection. This dissertation therefore begins by reviewing related work and studying attacks that evade network intrusion detection by exploiting ambiguous network traffic. The way network packets are processed can differ from system to system, depending on the network protocol stack implementation and on the position in the network. A NIDS consequently cannot determine whether a packet will be received by the end system, nor how it will be interpreted and processed. This inconsistency between systems is what is called "ambiguity", yet no precise definition of "ambiguity" has existed so far. The dissertation then defines ambiguity in detail and describes the ambiguities present in the IP, ICMP, TCP and UDP protocols. An Ambiguity Eliminator for NIDS is then presented. It sits in the path of the network stream and normalizes traffic from ambiguous to well-behaved, for example by reassembling overlapping IP fragments and correcting overlapping TCP segments, so that the ambiguity is removed and both insertion and evasion attacks can be detected by the NIDS. Besides the detailed design and implementation of the Ambiguity Eliminator for NIDS as a prototype system, the results of functional and performance tests of the system are presented. The system effectively eliminates ambiguity in the network traffic seen by the NIDS, and because it is implemented as part of the operating system kernel its performance is maintained. This work contributes both to research on the attacks described above and to protecting the accuracy of NIDS.
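The TCP-segment normalization the abstract describes, as an added example that is not the thesis's code: two end-host reassembly policies ("first" keeps earlier data, "last" lets later data overwrite) are compared on a constructed overlapping stream, and a normalizer trims the overlaps so that every policy yields the same bytes the NIDS inspected. The policy names, segment values and function names are assumptions for illustration.

```python
"""Overlap normalization for TCP segments (added example, not thesis code)."""
from typing import Dict, List, Set, Tuple

Segment = Tuple[int, bytes]  # (sequence offset, payload)

# Constructed ambiguous stream: offsets 2-3 are carried by two segments with
# different bytes, so different end hosts would reassemble different data.
SEGMENTS: List[Segment] = [(0, b"AAAA"), (2, b"BBBB"), (6, b"CC")]


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Reassemble as an end host would under the given overlap policy.

    'first': bytes already received win, later overlaps are discarded.
    'last' : later bytes overwrite what was received before.
    """
    buf: Dict[int, int] = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if policy == "last" or off not in buf:
                buf[off] = b
    return bytes(buf[k] for k in sorted(buf))


def is_ambiguous(segments: List[Segment]) -> bool:
    """True when two plausible end-host policies disagree on the stream."""
    return reassemble(segments, "first") != reassemble(segments, "last")


def normalize(segments: List[Segment]) -> List[Segment]:
    """Normalizer pass: drop every byte whose offset was already seen.

    Each offset then travels in exactly one segment, so all end hosts, under
    any overlap policy, reassemble the identical stream the NIDS inspected.
    Overlap in the middle of a segment splits it into contiguous runs.
    """
    seen: Set[int] = set()
    out: List[Segment] = []
    for seq, data in segments:
        run, run_start = bytearray(), seq
        for i, b in enumerate(data):
            off = seq + i
            if off in seen:  # already delivered: trim this byte
                if run:
                    out.append((run_start, bytes(run)))
                    run = bytearray()
                continue
            if not run:
                run_start = off
            seen.add(off)
            run.append(b)
        if run:
            out.append((run_start, bytes(run)))
    return out
```

Run `is_ambiguous(SEGMENTS)` before and after `normalize` to see the disagreement disappear.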
Keywords/Search Tags: Network security, Network intrusion detection, Ambiguous network traffic