Fragment packet partial re-assembly method for intrusion detection

Abstract

This paper proposes the fragment packet partial re-assembly method for intrusion detection. In the proposed method, intrusion detection is performed not with all the fragment packets but with partial fragment packets. If the fragment packet comes, the packet-matching-buffer containing the partial part of the previous fragment packet and this packet is merged into a packet-matching-buffer. After this work, pattern matching for this buffer is done. Finally, for the purpose of the next packet, the partial region of the current packet is stored into the packet-matching-buffer. With the help of these steps, there are two advantages. The one is that it doesn't need to re-assemble all fragment packets for intrusion detection. The other is that the size of buffer can be smaller than all fragment packet re-assembly and can be predictable as a constant size. The proposed method can be used efficiently to prevent malicious code of attackers for avoiding intrusion detection system