Finding and Containing Enemies within the Walls with Self-Securing Network Interfaces

Abstract

Self-securing network interfaces (NIs) examine the packets that they move between network links and host software, looking for and potentially blocking malicious network activity. This paper describes how self-securing network interfaces can help administrators to identify and contain compromised machines within their intranet. By shadowing host state, self-securing NIs can better identify suspicious traffic originating from that host, including many forms of traffic explicitly designed to defeat network intrusion detection systems. With normalization and detection-triggered throttling, self-securing NIs can reduce the ability of compromised hosts to launch attacks on other systems inside (or outside) the intranet. The authors describe a prototype self-securing NI and example scanners for detecting such things as TTL abuse, fragmentation abuse, "SYN bomb" attacks, and random-propagation worms like Code-Red.

Document Details

Document Type: Technical Report
Publication Date: Jan 01, 2003
Accession Number: ADA490126

Entities

People

  • Gregg Economou
  • Gregory R. Ganger
  • Stanley M. Bielski

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Computer Network Security
  • Computer Networks
  • Computer Programming
  • Computers
  • Denial Of Service Attack
  • Detection
  • Detectors
  • Electronic Mail
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Network Protocols
  • Networks
  • Operating Systems
  • Software Design
  • Transport Protocols

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Cybersecurity