
No way to evade: Detecting multi-path routing attacks for NIDS

  • School of Computer Science and Technology, Harbin Institute of Technology

Research output: Contribution to journal, Conference article, peer-review

Abstract

To protect intranet security, enterprises and organizations usually deploy one or more NIDS at ingress points. Each works independently and monitors the complete TCP flow. That is, a malicious signature can be detected only when it is obtained from a TCP flow. Exploiting this property, an attacker can split a malicious signature into multiple substrings and transfer them in different flows to evade detection, which is called a multi-path routing attack. In particular, the emerging Multi-Path TCP (MPTCP) technology offers a hotbed for such attacks. To detect multi-path routing attacks, this paper proposes a distributed asynchronous NIDS detection model (DANDM), which consists of three algorithms. In this model, each NIDS independently scans the data packets it receives, as well as the adjacent contents between two data packets with consecutive sequence numbers. For the latter, all NIDS scan cooperatively by broadcasting state information. To demonstrate the validity of our model, we take attack density and the number of segmented signatures as parameters and compare it with Ma's algorithm. The results show that the performance of our DANDM is significantly better than that of Ma's, especially when the number of segmented signatures is large.

Original language: English
Article number: 9013952
Journal: Proceedings - IEEE Global Communications Conference, GLOBECOM
DOIs
State: Published - 2019
Externally published: Yes
Event: 2019 IEEE Global Communications Conference, GLOBECOM 2019 - Waikoloa, United States
Duration: 9 Dec 2019 - 13 Dec 2019

Keywords

  • Multi-Path Routing Attack
  • Multi-Path TCP
  • NIDS
