
Predicting the Resource Consumption of Network Intrusion Detection Systems

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5230)

Abstract

When installing network intrusion detection systems (NIDSs), operators are faced with a large number of parameters and analysis options for tuning the trade-off between detection accuracy and resource requirements. In this work we set out to assist this process by understanding and predicting the CPU and memory consumption of such systems. We begin towards this goal by devising a general NIDS resource model that captures the ways in which CPU and memory usage scale with changes in network traffic. We then use this model to predict the resource demands of different configurations in specific environments. Finally, we present an approach to derive site-specific NIDS configurations that maximize the depth of analysis given predefined resource constraints. We validate our approach by applying it to the open-source Bro NIDS, testing the methodology using real network data, and developing a corresponding tool, nidsconf, that automatically derives a set of configurations suitable for a given environment based on a sample of the site's traffic. While no automatically generated configuration can ever be optimal, these configurations provide sound starting points, with promise to significantly reduce the traditional trial-and-error NIDS installation cycle.



Editors: Richard Lippmann, Engin Kirda, Ari Trachtenberg

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

Cite this paper

Dreger, H., Feldmann, A., Paxson, V., Sommer, R. (2008). Predicting the Resource Consumption of Network Intrusion Detection Systems. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_8

  • DOI: https://doi.org/10.1007/978-3-540-87403-4_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87402-7

  • Online ISBN: 978-3-540-87403-4