A network intrusion detection system (NIDS) takes
necessary measures when it detects a threat. Since most
malicious content, such as phishing sites and advanced persistent
threats, is transmitted over the transmission control protocol (TCP),
existing measures are usually injection-based, such as injecting a
reset (RST) packet to terminate the connection or an HTTP 302
response to redirect the user's request. Injection is a feasible measure
but cannot scrub traffic, e.g. by removing malicious content.
Therefore, taking over malicious TCP connections instead of
injecting packets is a more effective solution for a NIDS. In this paper, we
propose an efficient and flexible solution that takes over malicious
connections selectively at any stage of the connection, combined
with two typical NIDS deployments. The NIDS usually works
as a passive protocol analyzer to gain high performance; when
malicious content is detected, it migrates the TCP state to a
user-level TCP stack and works as a transparent proxy. The
migration to a user-level TCP stack is flexible and graceful because it
bypasses the complexity and overhead of the OS TCP stack. To
evaluate our approach, we design an experiment that compares it
with migration to the OS TCP stack. The result shows that the
response speed of our approach is 8x faster than the OS stack, and
more stable.
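To make the passive-analyzer-to-proxy migration described above concrete, here is an added illustration (not the paper's code, and not any real NIDS or user-level stack implementation) of the minimal state a passive TCP tracker must carry so that a user-level stack could take over an established connection. It follows the three-way handshake and data segments of one flow from raw TCP headers, rejects out-of-order or retransmitted segments instead of advancing the expected sequence number, and, once the flow is ESTABLISHED, emits a snapshot of the sequence numbers and windows the proxy would need to impersonate each end. The segment builder, port numbers, initial sequence numbers and HTTP payloads are all constructed sample input; the field names in the snapshot are my own.

```python
"""Passive TCP flow tracker that records the state a user-level stack would
need to take over a connection mid-stream. Added illustration; not the
paper's code. All segments below are constructed sample input."""
import struct
from dataclasses import dataclass, field

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MOD = 1 << 32


def build_segment(sport, dport, seq, ack, flags, payload=b"", window=65535):
    # 20-byte header, no options; checksum and urgent pointer left zero
    # because this is constructed test input, not captured traffic.
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       off_flags, window, 0, 0) + payload


def parse_segment(seg):
    sport, dport, seq, ack, off_flags, window, _cs, _urg = struct.unpack(
        "!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4          # data offset is in 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window,
            "payload": seg[hlen:]}


@dataclass
class FlowState:
    state: str = "CLOSED"
    c_next: int = 0          # next sequence number expected from the client
    s_next: int = 0          # next sequence number expected from the server
    c_win: int = 0           # last advertised client window
    s_win: int = 0           # last advertised server window
    c_data: bytearray = field(default_factory=bytearray)  # reassembled client bytes
    s_data: bytearray = field(default_factory=bytearray)  # reassembled server bytes
    anomalies: list = field(default_factory=list)


class PassiveTracker:
    """Follows one flow without ever sending a packet (the analyzer role)."""

    def __init__(self):
        self.f = FlowState()

    def observe(self, seg, from_client):
        p = parse_segment(seg)
        f, fl = self.f, p["flags"]
        if fl & RST:
            f.state = "CLOSED"
            return f.state
        if from_client:
            f.c_win = p["window"]
        else:
            f.s_win = p["window"]
        if f.state == "CLOSED" and from_client and fl & SYN and not fl & ACK:
            f.c_next = (p["seq"] + 1) % SEQ_MOD   # SYN consumes one sequence number
            f.state = "SYN_SENT"
        elif f.state == "SYN_SENT" and not from_client and fl & SYN and fl & ACK:
            if p["ack"] != f.c_next:
                f.anomalies.append("SYN-ACK does not acknowledge client ISN")
            f.s_next = (p["seq"] + 1) % SEQ_MOD
            f.state = "SYN_RECEIVED"
        elif f.state == "SYN_RECEIVED" and from_client and fl & ACK and p["ack"] == f.s_next:
            f.state = "ESTABLISHED"
            self._data(p, from_client)            # the ACK may already carry data
        elif f.state == "ESTABLISHED":
            self._data(p, from_client)
        else:
            f.anomalies.append(f"unexpected segment in {f.state}")
        return f.state

    def _data(self, p, from_client):
        f = self.f
        expected = f.c_next if from_client else f.s_next
        advance = len(p["payload"]) + (1 if p["flags"] & FIN else 0)
        if advance == 0:
            return                                # pure ACK: nothing to advance
        if p["seq"] != expected:
            # Retransmission or gap: record it, do not move the expected seq.
            f.anomalies.append("out-of-order or retransmitted segment")
            return
        if from_client:
            f.c_data += p["payload"]
            f.c_next = (expected + advance) % SEQ_MOD
        else:
            f.s_data += p["payload"]
            f.s_next = (expected + advance) % SEQ_MOD
        if p["flags"] & FIN:
            f.state = "CLOSING"

    def takeover_snapshot(self):
        """State a user-level stack needs to impersonate both ends.
        Facing the client it sends with the server's next seq and expects the
        client's next seq; facing the server, the reverse. None unless ESTABLISHED."""
        f = self.f
        if f.state != "ESTABLISHED":
            return None
        return {"to_client": {"snd_nxt": f.s_next, "rcv_nxt": f.c_next, "peer_win": f.c_win},
                "to_server": {"snd_nxt": f.c_next, "rcv_nxt": f.s_next, "peer_win": f.s_win}}


def demo():
    """Handshake, one request/response pair, then a client retransmission."""
    t, cport, sport = PassiveTracker(), 40000, 80
    t.observe(build_segment(cport, sport, 1000, 0, SYN, window=29200), True)
    t.observe(build_segment(sport, cport, 5000, 1001, SYN | ACK, window=65535), False)
    t.observe(build_segment(cport, sport, 1001, 5001, ACK, window=29200), True)
    req = b"GET /index.html HTTP/1.1\r\n"      # 26 bytes, constructed
    t.observe(build_segment(cport, sport, 1001, 5001, PSH | ACK, req, window=29200), True)
    resp = b"HTTP/1.1 200 OK\r\n"               # 17 bytes, constructed
    t.observe(build_segment(sport, cport, 5001, 1001 + len(req), PSH | ACK, resp), False)
    t.observe(build_segment(cport, sport, 1001, 5001, PSH | ACK, req, window=29200), True)
    return t


if __name__ == "__main__":
    tracker = demo()
    print(tracker.f.state, tracker.takeover_snapshot(), tracker.f.anomalies)
```

The snapshot is the hand-off point the abstract describes: everything before it is pure observation, and only after a detection would a proxy load `to_client` and `to_server` into its own connection objects and start answering in place of the real peers. Rejecting the retransmitted request rather than re-advancing the sequence number matters here, because a snapshot taken from a tracker that double-counted data would make the proxy acknowledge bytes the client never sent.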