PDL Abstract

Finding and Containing Enemies Within the Walls with Self-securing Network Interfaces

Carnegie Mellon School of Computer Science Technical Report CMU-CS-03-109. January 2003.

Gregory R. Ganger, Gregg Economou, Stanley M. Bielski

Electrical and Computer Engineering
Carnegie Mellon University
Pittsburgh, PA 15213

Self-securing network interfaces (NIs) examine the packets that they move between network links and host software, looking for and potentially blocking malicious network activity. This paper describes how self-securing network interfaces can help administrators to identify and contain compromised machines within their intranet. By shadowing host state, self-securing NIs can better identify suspicious traffic originating from that host, including many explicitly designed to defeat network intrusion detection systems. With normalization and detection-triggered throttling, self-securing NIs can reduce the ability of compromised hosts to launch attacks on other systems inside (or outside) the intranet. We describe a prototype self-securing NI and example scanners for detecting such things as TTL abuse, fragmentation abuse, “SYN bomb” attacks, and random-propagation worms like Code-Red.

KEYWORDS: Network security, intrusion detection, firewall, proxy, virus, worm, NIC

FULL PAPER: pdf / postscript