Parallelization of Network Intrusion Detection Systems under Attack Conditions

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8550)

Abstract

Intrusion detection systems are proven remedies for protecting networks and end systems in practice. IT systems, however, are currently changing their characteristics. Highly variable communication relations and constantly increasing network bandwidths force single intrusion detection instances to handle high peak rates. Today's intrusion detection systems are not prepared for this development. In particular, they do not scale efficiently enough during an attack. In this article, we investigate different strategies by which intrusion detection systems can cope with dynamic communication relations and increasing data rates under attack conditions. Based on a detailed performance profiling of typical intrusion detection systems, we outline the drawbacks of current optimization approaches and present a new approach for parallelizing the intrusion detection analysis that copes with the increasing network dynamics.




© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Rietz, R., Vogel, M., Schuster, F., König, H. (2014). Parallelization of Network Intrusion Detection Systems under Attack Conditions. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_10

  • DOI: https://doi.org/10.1007/978-3-319-08509-8_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08508-1

  • Online ISBN: 978-3-319-08509-8

  • eBook Packages: Computer Science (R0)