International Workshop on Recent Advances in Intrusion Detection

RAID 2008: Recent Advances in Intrusion Detection pp 135-154

Predicting the Resource Consumption of Network Intrusion Detection Systems

  • Holger Dreger
  • Anja Feldmann
  • Vern Paxson
  • Robin Sommer
Conference paper

DOI: 10.1007/978-3-540-87403-4_8

Volume 5230 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Dreger H., Feldmann A., Paxson V., Sommer R. (2008) Predicting the Resource Consumption of Network Intrusion Detection Systems. In: Lippmann R., Kirda E., Trachtenberg A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg

Abstract

When installing network intrusion detection systems (NIDSs), operators are faced with a large number of parameters and analysis options for tuning trade-offs between detection accuracy and resource requirements. In this work we set out to assist this process by understanding and predicting the CPU and memory consumption of such systems. We begin towards this goal by devising a general NIDS resource model to capture the ways in which CPU and memory usage scale with changes in network traffic. We then use this model to predict the resource demands of different configurations in specific environments. Finally, we present an approach to derive site-specific NIDS configurations that maximize the depth of analysis given predefined resource constraints. We validate our approach by applying it to the open-source Bro NIDS, testing the methodology using real network data, and developing a corresponding tool, nidsconf, that automatically derives a set of configurations suitable for a given environment based on a sample of the site’s traffic. While no automatically generated configuration can ever be optimal, these configurations provide sound starting points, with promise to significantly reduce the traditional trial-and-error NIDS installation cycle.
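The abstract describes three steps: a resource model in which CPU and memory usage scale with traffic, prediction of a configuration's demands from a traffic sample, and selection of the deepest analysis that fits a resource budget. The following is an added example that sketches those steps in Python; it is not the paper's model and not code from Bro or nidsconf. It assumes a linear per-connection cost for each analyzer (coefficients fitted by least squares from single-analyzer measurements), a traffic sample summarized as new connections per second and concurrently open connections per protocol, and an "analysis depth" score per analyzer; all analyzer names, cost figures and traffic numbers are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Analyzer:
    name: str
    protocol: str          # traffic class whose volume drives this analyzer's cost
    cpu_per_conn: float    # CPU-seconds spent per connection (constructed)
    mem_per_conn: int      # bytes of state kept per open connection (constructed)
    depth: int             # relative analysis value of enabling it (constructed)


# Constructed analyzer catalogue; the numbers are illustrative, not measurements.
ANALYZERS = [
    Analyzer("http", "http", 1e-4, 4096, 5),
    Analyzer("http_deep", "http", 5e-4, 16384, 8),   # hypothetical deeper HTTP analysis
    Analyzer("dns", "dns", 1e-5, 512, 2),
    Analyzer("ssh", "ssh", 5e-5, 2048, 3),
    Analyzer("ftp", "ftp", 2e-4, 8192, 4),
]

# Constructed traffic sample: new connections per second and concurrently
# open connections per protocol, as one would summarize from a site trace.
TRAFFIC_RATE = {"http": 2000, "dns": 15000, "ssh": 50, "ftp": 20}
OPEN_CONNS = {"http": 20000, "dns": 1000, "ssh": 500, "ftp": 100}


def fit_cost_per_conn(samples):
    """Least-squares slope through the origin for (connections, cpu_seconds)
    pairs measured with a single analyzer enabled over several traffic
    slices. This is how the linear coefficients above would be derived
    from a sample of the site's traffic (assumed model, not the paper's)."""
    num = sum(conns * secs for conns, secs in samples)
    den = sum(conns * conns for conns, _ in samples)
    return num / den


def predict_cpu(config, rate=TRAFFIC_RATE):
    """Predicted CPU load, as a fraction of one core, for a set of analyzers."""
    return sum(a.cpu_per_conn * rate.get(a.protocol, 0) for a in config)


def predict_mem(config, open_conns=OPEN_CONNS):
    """Predicted bytes of connection state held by a set of analyzers."""
    return sum(a.mem_per_conn * open_conns.get(a.protocol, 0) for a in config)


def best_config(cpu_budget, mem_budget, analyzers=ANALYZERS,
                rate=TRAFFIC_RATE, open_conns=OPEN_CONNS):
    """Pick the feasible set of analyzers with the greatest total depth.
    Exhaustive search over 2^n subsets is fine for a handful of analyzers;
    a larger catalogue would need a knapsack-style search instead."""
    best, best_depth = frozenset(), 0
    for k in range(1, len(analyzers) + 1):
        for config in combinations(analyzers, k):
            if predict_cpu(config, rate) > cpu_budget:
                continue
            if predict_mem(config, open_conns) > mem_budget:
                continue
            depth = sum(a.depth for a in config)
            if depth > best_depth:
                best, best_depth = frozenset(a.name for a in config), depth
    return best, best_depth


if __name__ == "__main__":
    # Budget: 80% of one core and 200 MiB of connection state.
    names, depth = best_config(cpu_budget=0.8, mem_budget=200 * 1024 ** 2)
    chosen = [a for a in ANALYZERS if a.name in names]
    print(f"selected: {sorted(names)}  total depth: {depth}")
    print(f"predicted CPU: {predict_cpu(chosen):.3f} cores, "
          f"memory: {predict_mem(chosen) / 1024 ** 2:.1f} MiB")
```

With the constructed numbers, the deeper HTTP analyzer alone would saturate the core, so the search settles on the four lighter analyzers; raising the CPU budget lets it in. The point of the structure is that the per-connection coefficients are measured once per analyzer, while the traffic summary is what changes from site to site.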

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Holger Dreger (1)
  • Anja Feldmann (2)
  • Vern Paxson (3, 4)
  • Robin Sommer (4, 5)

  1. Siemens AG, Corporate Technology
  2. Deutsche Telekom Labs / TU Berlin
  3. UC Berkeley
  4. International Computer Science Institute
  5. Lawrence Berkeley National Laboratory