Taking over malicious connection in half way by migrating protocol state to a user-level TCP stack

Abstract

Network intrusion detection system (NIDS) takes necessary measures when detecting threats. Since most of the malicious contents like phishing sites and advanced persistent threats are transmitted on transmission control protocol (TCP), existing measures are usually injection-based, such as injecting a reset (RST) packet to terminate the connection or a HTTP 302 response to redirect users' requests. Injection is a feasible measure but is unable to scrub traffic like removing malicious contents. Therefore, taking over malicious TCP connections instead of injection is a more effective solution for NIDS. In this paper, we propose an efficient and flexible solution to take over malicious connections selectively at any period of the connections combining with two typical deployments of NIDS. The NIDS usually works as a passive protocol analyzer to gain high performance, when malicious contents are detected, it will migrate TCP states to a user-level TCP stack and work as a transparent proxy. The migration to user-level TCP stack is flexible and graceful due to bypassing the complexity and overhead of OS TCP stack. To evaluate our approach, we elaborate an experiment to compare with the migration to OS TCP stack. The result shows that the response speed of our approach is 8x faster than the OS stack, and more stable.