2003 Symposium on Security and Privacy, 2003.

Abstract

A critical problem faced by a Network Intrusion Detection System (NIDS) is that of ambiguity. The NIDS cannot always determine what traffic reaches a given host nor how that host will interpret the traffic, and attackers may exploit this ambiguity to avoid detection or cause misleading alarms. We present a lightweight solution, Active Mapping, which eliminates TCP/IP-based ambiguity in a NIDS' analysis with minimal runtime cost. Active Mapping efficiently builds profiles of the network topology and the TCP/IP policies of hosts on the network; a NIDS may then use the host profiles to disambiguate the interpretation of the network traffic on a per-host basis. Active Mapping avoids the semantic and performance problems of traffic normalization, in which traffic streams are modified to remove ambiguities. We have developed a prototype implementation of Active Mapping and modified a NIDS to use the Active Mapping-generated profile database in our tests. We found wide variation across operating systems' TCP/IP stack policies in real-world tests (about 6,700 hosts), underscoring the need for this sort of disambiguation.
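The following Python simulation is an added illustration of the ambiguity the abstract describes and of how a per-host profile removes it; it is not code from the paper or from its prototype. It models one class of TCP/IP ambiguity, overlapping TCP segments, with two simplified reassembly policies ("favor_old" keeps bytes already received, "favor_new" lets later data overwrite them). The policy names, the byte-level rules, the host addresses in the profile table, the attack stream and the signature are all constructed assumptions for the example, not measurements from the paper.

```python
"""Simulated TCP segment-overlap ambiguity and per-host disambiguation.

Added example, not the paper's or the prototype's code. The two overlap
policies are simplified stand-ins for real stack behaviour (assumption),
and the profile table and traffic below are constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # relative sequence number of the first payload byte
    data: bytes  # payload carried by this segment


def reassemble(segments, policy):
    """Reassemble a list of segments under one overlap policy.

    favor_old: a byte already received wins over later overlapping data.
    favor_new: a later segment overwrites earlier bytes at the same offset.
    Holes in the stream are filled with NUL so the result has a fixed length.
    """
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "favor_old":
                buf.setdefault(off, byte)
            elif policy == "favor_new":
                buf[off] = byte
            else:
                raise ValueError(f"unknown overlap policy: {policy!r}")
    if not buf:
        return b""
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1))


POLICIES = ("favor_old", "favor_new")


def is_ambiguous(segments):
    """True when the same segments yield different byte streams under
    different host policies, i.e. the NIDS cannot pick one view blindly."""
    views = {reassemble(segments, p) for p in POLICIES}
    return len(views) > 1


# Constructed profile table standing in for an Active Mapping database:
# destination host -> overlap policy observed for that host (assumption).
HOST_PROFILES = {
    "10.0.0.5": "favor_old",
    "10.0.0.9": "favor_new",
}


def nids_view(dst_host, segments, profiles=HOST_PROFILES):
    """Reassemble the stream exactly as the destination host would, using
    the host's profiled policy instead of a NIDS-wide default."""
    policy = profiles.get(dst_host)
    if policy is None:
        raise LookupError(f"no profile for {dst_host}; host must be mapped")
    return reassemble(segments, policy)


SIGNATURE = b"/secret"  # constructed signature for the example


def alerts_for(dst_host, segments, profiles=HOST_PROFILES):
    """Apply the signature to the stream as the target host sees it."""
    return SIGNATURE in nids_view(dst_host, segments, profiles)


# Constructed evasion stream: a benign request followed by an overlapping
# segment that rewrites the path only on hosts that favor new data.
ATTACK_STREAM = [
    Segment(0, b"GET /public HTTP"),
    Segment(5, b"secret"),   # overlaps bytes 5..10 ("public")
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:10}: {reassemble(ATTACK_STREAM, policy)!r}")
    for host in HOST_PROFILES:
        print(f"{host}: alert={alerts_for(host, ATTACK_STREAM)}")
```

Without a profile, a NIDS that reassembles with a single fixed policy is wrong for every host that uses the other one, producing either a missed attack or a false alarm, which is the evasion the abstract refers to; `is_ambiguous` flags the stream in either case. Traffic normalization would instead rewrite the overlapping segment on the wire, whereas the per-host lookup in `nids_view` leaves the traffic untouched and just changes how the NIDS interprets it.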