next up previous
Next: Evaluation methodology Up: Network Intrusion Detection: Evasion, Previous: Incompleteness of Normalization


We have implemented norm, a fairly complete, user-level normalizer for IP, TCP, UDP and ICMP. The code comprises about 4,800 lines of C and uses libpcap [10] to capture packets and a raw socket to forward them. We have currently tested norm under FreeBSD and Linux, and will release it (and NetDuDE, see below) publicly in Summer 2001 via

Naturally, for high performance a production normalizer would need to run in the kernel rather than at user level, but our current implementation makes testing, debugging and evaluation much simpler.

Appendix A summarizes the complete list of normalizations norm performs, and these are discussed in detail in [4]. Here we describe our process for testing and evaluating norm, and find that the performance on commodity PC hardware is adequate for deployment at a site like ours with a bidirectional 100Mb/s access link to the Internet.


Vern Paxson