Tobias Limmer
Falko Dressler
ABSTRACT
Network-based Intrusion Detection Systems (IDSs) such as Snort or Bro that have to analyze the packet payload for all the received data show severe performance problems if used in high-speed networks. Recent research results improve pattern matchers based on efficient algorithms or using specialized hardware. We approach the problem in a completely different way by considerably reducing the amount of data to be analyzed with only marginal impact on the detection quality. Dialog-based Payload Aggregation (DPA) uses TCP sequence numbers to decide which parts of the payload need to be analyzed by the IDS. Whenever a connection starts, or if the direction of the data transmission between peers changes, we forward the next N bytes of traffic to an attached IDS. All data transferred after the window is discarded. Our analysis using live network traffic and multiple Snort rulesets shows that most of the pattern matches occur at the beginning of connections or directly after direction changes in the data streams. According to our experimental results, our method reduces the data rate to be processed to around 1% in a typical network while retaining more than 98% of all detected events. Assuming a linear relationship between the data rate and processing time of an IDS, this results in a speedup of two magnitudes in the best case.
- }}H. Dreger, A. Feldmann, V. Paxson, and R. Sommer. Predicting the resource consumption of network intrusion detection systems. ACM SIGMETRICS Performance Evaluation Review, 36(1):437--438, 2008. Google Scholar
Digital Library
- }}S. Kornexl, V. Paxson, H. Dreger, R. Sommer, and A. Feldmann. Building a Time Machine for Efficient Recording and Retrieval of High-Volume Network Traffic. In ACM IMC 2005, pages 267--272, Berkeley, CA, October 2005. ACM. Google ScholarDigital Library
- }}T. Limmer and F. Dressler. Flow-based Front Payload Aggregation. In IEEE LCN 2009, WNM Workshop, pages 1102--1109, Zurich, Switzerland, October 2009. IEEE.Google Scholar
- }}G. Vasiliadis, M. Polychronakis, S. Antonatos, E. P. Markatos, and S. Ioannidis. Regular Expression Matching on Graphics Hardware for Intrusion Detection. In RAID 2009, pages 265--283, Saint-Malo, France, September 2009. Springer. Google ScholarDigital Library
Index Terms
- Dialog-based payload aggregation for intrusion detection
Recommendations
Rule generalisation in intrusion detection systems using SNORT
Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this ...
Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion
In this article, the authors describe common intrusion detection techniques, NIDS evasion methods, and how NIDSs detect intrusions. Additionally, we introduce new evasion methods, present test results for confirming attack outcomes based on server ...
Syntax vs. semantics: competing approaches to dynamic network intrusion detection
Malicious network traffic, including widespread worm activity, is a growing threat to internet-connected networks and hosts. In this paper, we consider both syntax and semantics based approaches for dynamic network intrusion detection. The semantics-...
Comments