Overlapping data in network protocols: bridging OS and NIDS reassembly gap
- URL: http://arxiv.org/abs/2504.21618v1
- Date: Wed, 30 Apr 2025 13:15:50 GMT
- Title: Overlapping data in network protocols: bridging OS and NIDS reassembly gap
- Authors: Lucas Aubard, Johan Mazel, Gilles Guette, Pierre Chifflier
- Abstract summary: A Network Intrusion Detection System (NIDS) that tries to reassemble a given flow data has to use the same reassembly policy as the monitored host. We show that 1) OS reassembly policies evolve over time and 2) all the tested NIDSes are still vulnerable to overlap-based evasion and insertion attacks.
- Score: 0.22499166814992436
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: IPv4, IPv6, and TCP have a common mechanism allowing one to split an original data packet into several chunks. Such chunked packets may have overlapping data portions, and OS network stack implementations may reassemble these overlaps differently. A Network Intrusion Detection System (NIDS) that tries to reassemble a given flow's data has to use the same reassembly policy as the monitored host OS; otherwise, the NIDS or the host may be subject to attack. In this paper, we provide several contributions that enable us to analyze NIDS resistance to attacks based on overlapping data chunks. First, we extend state-of-the-art insertion and evasion attack characterizations to address their limitations in an overlap-based context. Second, we propose a new way to model overlap types using Allen's interval algebra, a spatio-temporal reasoning framework. This new modeling allows us to formalize overlap test cases, which ensures exhaustiveness in overlap coverage and eases the reasoning about and use of reassembly policies. Third, we analyze the reassembly behavior of several OSes and NIDSes when processing the modeled overlap test cases. We show that 1) OS reassembly policies evolve over time and 2) all the tested NIDSes are (still) vulnerable to overlap-based evasion and insertion attacks.
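As an added illustration (this is not code from the paper or its authors), the following Python models two TCP data chunks as half-open byte intervals, classifies the pair with one of Allen's thirteen interval relations, and reassembles the chunks under two simple, assumed policies: "first" keeps the bytes of the earlier-received chunk wherever chunks overlap, "last" keeps those of the later-received chunk. The `Chunk` type, the policy names, the `reassemble` and `conflicting_offsets` helpers and the sample bytes are all constructed for this example. A host and a NIDS applying different policies reconstruct different streams from the same packets, which is the mismatch the abstract describes; `conflicting_offsets` lists the byte positions where an overlap is ambiguous, the positions at which a NIDS can raise an alert instead of silently picking a side.

```python
"""Allen-relation classification and policy-dependent reassembly of overlapping
TCP chunks. Added example; Chunk, policy names and sample data are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    seq: int        # offset of the first byte this chunk covers
    data: bytes

    @property
    def end(self) -> int:
        return self.seq + len(self.data)   # exclusive end offset


def allen_relation(a: Chunk, b: Chunk) -> str:
    """Allen's interval relation of chunk a with respect to chunk b.
    Both chunks are half-open intervals [seq, end) and assumed non-empty."""
    if a.end < b.seq:
        return "before"
    if a.end == b.seq:
        return "meets"
    if b.end < a.seq:
        return "after"
    if b.end == a.seq:
        return "met-by"
    if a.seq == b.seq and a.end == b.end:
        return "equals"
    if a.seq == b.seq:
        return "starts" if a.end < b.end else "started-by"
    if a.end == b.end:
        return "finishes" if a.seq > b.seq else "finished-by"
    if a.seq < b.seq and a.end > b.end:
        return "contains"
    if a.seq > b.seq and a.end < b.end:
        return "during"
    # Remaining cases: partial overlap with neither endpoint shared.
    return "overlaps" if a.seq < b.seq else "overlapped-by"


def reassemble(chunks: list, policy: str) -> bytes:
    """Reassemble chunks in the order they were received.
    'first': an offset keeps the byte of the earliest chunk covering it.
    'last':  an offset keeps the byte of the latest chunk covering it.
    Raises ValueError if the covered range has a hole (stream not complete)."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    if not chunks:
        return b""
    buf = {}                       # offset -> byte value
    for c in chunks:
        for i, byte in enumerate(c.data):
            off = c.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    start = min(c.seq for c in chunks)
    end = max(c.end for c in chunks)
    if len(buf) != end - start:
        raise ValueError("hole in the stream; cannot reassemble")
    return bytes(buf[o] for o in range(start, end))


def conflicting_offsets(chunks: list) -> list:
    """Offsets covered by more than one chunk with differing byte values.
    These are the ambiguous positions: the reassembled stream depends on the
    policy, so a NIDS that does not know the host policy should flag them."""
    first_seen = {}
    conflicts = set()
    for c in chunks:
        for i, byte in enumerate(c.data):
            off = c.seq + i
            if off in first_seen and first_seen[off] != byte:
                conflicts.add(off)
            first_seen.setdefault(off, byte)
    return sorted(conflicts)


# Constructed sample: the second chunk overwrites two bytes of the first.
CHUNK_A = Chunk(0, b"HELLO")
CHUNK_B = Chunk(3, b"XXWORLD")

if __name__ == "__main__":
    print(allen_relation(CHUNK_A, CHUNK_B))              # overlaps
    print(reassemble([CHUNK_A, CHUNK_B], "first"))       # b'HELLOWORLD'
    print(reassemble([CHUNK_A, CHUNK_B], "last"))        # b'HELXXWORLD'
    print(conflicting_offsets([CHUNK_A, CHUNK_B]))       # [3, 4]
```

Running the block shows the two policies disagree exactly on the offsets `conflicting_offsets` reports; a NIDS that reassembles every flow with one fixed policy is, for those offsets, guessing what the monitored host will see.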
Related papers
- Predictive-CSM: Lightweight Fragment Security for 6LoWPAN IoT Networks [0.0]
This work explores a defense strategy that takes a more adaptive, behavior-aware approach to this problem. Our system, called Predictive-CSM, introduces a combination of two lightweight mechanisms. We put this system to the test using a set of targeted attack simulations, including early fragment injection, replayed headers, and flooding with fake data.
arXiv Detail & Related papers (2025-06-02T15:15:18Z) - Multimodal Instruction Disassembly with Covariate Shift Adaptation and Real-time Implementation [3.70729078195191]
We introduce a new miniature platform, RASCv3, that can simultaneously collect power and EM measurements from a target device. We devise a new approach to combine and select features from power and EM traces using information theory. The recognition rates of offline and real-time instruction disassemblers are compared for single- and multi-modal cases.
arXiv Detail & Related papers (2024-12-10T17:00:23Z) - Mitigating Data Injection Attacks on Federated Learning [20.24380409762923]
Federated learning is a technique that allows multiple entities to collaboratively train models using their data.
Despite its advantages, federated learning can be susceptible to false data injection attacks.
We propose a novel technique to detect and mitigate data injection attacks on federated learning systems.
arXiv Detail & Related papers (2023-12-04T18:26:31Z) - CleanCLIP: Mitigating Data Poisoning Attacks in Multimodal Contrastive Learning [63.72975421109622]
CleanCLIP is a finetuning framework that weakens the learned spurious associations introduced by backdoor attacks.
CleanCLIP maintains model performance on benign examples while erasing a range of backdoor attacks on multimodal contrastive learning.
arXiv Detail & Related papers (2023-03-06T17:48:32Z) - Spacing Loss for Discovering Novel Categories [72.52222295216062]
Novel Class Discovery (NCD) is a learning paradigm, where a machine learning model is tasked to semantically group instances from unlabeled data.
We first characterize existing NCD approaches into single-stage and two-stage methods based on whether they require access to labeled and unlabeled data together.
We devise a simple yet powerful loss function that enforces separability in the latent space using cues from multi-dimensional scaling.
arXiv Detail & Related papers (2022-04-22T09:37:11Z) - Decoupled Multi-task Learning with Cyclical Self-Regulation for Face Parsing [71.19528222206088]
We propose a novel Decoupled Multi-task Learning with Cyclical Self-Regulation for face parsing.
Specifically, DML-CSR designs a multi-task model which comprises face parsing, binary edge, and category edge detection.
Our method achieves the new state-of-the-art performance on the Helen, CelebA-HQ, and LapaMask datasets.
arXiv Detail & Related papers (2022-03-28T02:12:30Z) - Semi-supervised New Event Type Induction and Description via Contrastive Loss-Enforced Batch Attention [56.46649994444616]
We present a novel approach to semi-supervised new event type induction using a masked contrastive loss.
We extend our approach to two new tasks: predicting the type name of the discovered clusters and linking them to FrameNet frames.
arXiv Detail & Related papers (2022-02-12T00:32:22Z) - ADC: Adversarial attacks against object Detection that evade Context consistency checks [55.8459119462263]
We show that even context consistency checks can be brittle to properly crafted adversarial examples.
We propose an adaptive framework to generate examples that subvert such defenses.
Our results suggest that how to robustly model context and check its consistency, is still an open problem.
arXiv Detail & Related papers (2021-10-24T00:25:09Z) - SOME/IP Intrusion Detection using Deep Learning-based Sequential Models in Automotive Ethernet Networks [2.3204135551124407]
Intrusion Detection Systems are widely used to detect cyberattacks.
We present a deep learning-based sequential model for offline intrusion detection on SOME/IP protocol.
arXiv Detail & Related papers (2021-08-04T09:58:06Z) - Generalized Insider Attack Detection Implementation using NetFlow Data [0.6236743421605786]
We study an approach centered on using network data to identify attacks.
Our work builds on unsupervised machine learning techniques such as One-Class SVM and bi-clustering.
We show that our approach is a promising tool for insider attack detection in realistic settings.
arXiv Detail & Related papers (2020-10-27T14:00:31Z) - Understanding Self-supervised Learning with Dual Deep Networks [74.92916579635336]
We propose a novel framework to understand contrastive self-supervised learning (SSL) methods that employ dual pairs of deep ReLU networks.
We prove that in each SGD update of SimCLR with various loss functions, the weights at each layer are updated by a covariance operator.
To further study what role the covariance operator plays and which features are learned in such a process, we model data generation and augmentation processes through a hierarchical latent tree model (HLTM).
arXiv Detail & Related papers (2020-10-01T17:51:49Z) - Learning One Class Representations for Face Presentation Attack Detection using Multi-channel Convolutional Neural Networks [7.665392786787577]
Presentation attack detection (PAD) methods often fail in generalizing to unseen attacks.
We propose a new framework for PAD using a one-class classifier, where the representation used is learned with a Multi-Channel Convolutional Neural Network (MCCNN).
A novel loss function is introduced, which forces the network to learn a compact embedding for bonafide class while being far from the representation of attacks.
The proposed framework introduces a novel approach to learn a robust PAD system from bonafide and available (known) attack classes.
arXiv Detail & Related papers (2020-07-22T14:19:33Z)