Using partial signatures in intrusion detection for multipath TCP

Abstract

Traditional security mechanisms such as signature based intrusion detection systems (IDSs) attempt to find a perfect match of a set of signatures in network traffic. Such IDSs depend on the availability of a complete application data stream. With emerging protocols such as Multipath TCP (MPTCP), this precondition cannot be ensured, resulting in false negatives and IDS evasion. On the other hand, if approximate signature matching is used instead in an IDS, a potentially high number of false positives make the detection impractical. In this paper, we show that, by using a specially tailored partial signature matcher and knowledge about MPTCP semantics, the Snort3 IDS can be empowered with partial signature detection. Additionally, we uncover the type of Snort3 rules suitable for the task of partial matching. Experimental results with these rules show a low false positive rate for benign traffic and high detection coverage for attack traffic.