Smart Logic - Preventing Packet Loss in High Speed Network Intrusion Detection Systems

  • Ahsan Subhan
  • Monis Akhlaq
  • Faeiz Alserhani
  • Irfan U. Awan
  • John Mellor
  • Andrea J. Cullen
  • Pravin Mirchandani
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 41)

Abstract

Network Intrusion Detection Systems (NIDS) have gained substantial importance in today's network security infrastructure. The performance of these devices under modern traffic conditions is, however, found to be limited: it has been observed that such systems can hardly remain effective at bandwidths of a few hundred megabits per second. Packet drop is considered the major performance bottleneck. We identified a strong performance limitation of the open source Intrusion Detection System (IDS) Snort in [1, 2], where Snort was found to be dependent on the host machine configuration. The response of Snort under heavy traffic conditions has opened a debate on its implementation and usage. We have developed the Smart Logic component to reduce the impact of packet drop in NIDS subjected to heavy traffic volume. The proposed architecture uses packet capturing techniques applied at various processing stages shared between the NIDS and packet handling applications. It regains the lost traffic by comparing the analysed packets with the input stream using Smart Logic; the recaptured packets are then re-evaluated by a serialized IDS mechanism, reducing the impact of the packet loss incurred in the routine implementation. The architecture has been implemented and tested on a scalable and sophisticated test bench replicating modern day network traffic. Our effort has shown a noticeable improvement in the performance of Snort and has significantly improved its detection capacity.
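As an added illustration (not code from the paper, whose exact Smart Logic design is not given on this page), the following Python sketch assumes the recovery step works as a multiset difference between the wire capture and the packets the primary IDS actually analysed, keyed on a constructed digest of header fields plus payload, with the recovered packets fed to a second, serialized signature pass. The packets, the rule set and the marker string are constructed for the demo.

```python
from collections import Counter
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

    def digest(self) -> str:
        # Assumed identity key: header fields plus a hash of the payload, so two
        # captures of the same packet compare equal even as distinct objects.
        h = hashlib.sha256(f"{self.src}>{self.dst}:{self.dport}|".encode())
        h.update(self.payload)
        return h.hexdigest()

def find_dropped(captured, analysed):
    """Multiset difference: packets seen on the wire that the primary IDS never
    analysed. Counter keeps exact duplicates (same packet sent twice) distinct."""
    missing = Counter(p.digest() for p in captured) - Counter(p.digest() for p in analysed)
    first = {}
    for p in captured:
        first.setdefault(p.digest(), p)
    return [first[d] for d, n in missing.items() for _ in range(n)]

# Constructed rule set for the second-stage pass: rule name -> byte pattern.
RULES = {"constructed-test-rule": b"TEST-ATTACK-MARKER"}

def inspect(packets, rules=RULES):
    # Serialized re-evaluation of the recovered packets only.
    return [(name, p.digest()) for p in packets
            for name, pat in rules.items() if pat in p.payload]

def smart_logic(captured, analysed, rules=RULES):
    dropped = find_dropped(captured, analysed)
    return {"dropped": len(dropped), "alerts": inspect(dropped, rules)}

def demo():
    # Constructed stream; the primary IDS is assumed to have dropped packets
    # 1 and 2 under load (packet 2 is an exact duplicate of packet 0).
    stream = [
        Packet("10.0.0.1", "10.0.0.2", 80, b"GET / HTTP/1.1"),
        Packet("10.0.0.3", "10.0.0.2", 80, b"GET /x TEST-ATTACK-MARKER"),
        Packet("10.0.0.1", "10.0.0.2", 80, b"GET / HTTP/1.1"),
        Packet("10.0.0.4", "10.0.0.2", 22, b"SSH-2.0-client"),
    ]
    return smart_logic(stream, [stream[0], stream[3]])
```

Because the comparison is a multiset rather than a set difference, the duplicate of packet 0 is correctly recovered along with the packet carrying the marker, which the second pass then flags.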

Keywords

Network intrusion detection systems; network performance; packet drop; Snort; serialization

References

  1. Alserhani, F., Akhlaq, M., Awan, I., Cullen, A., Mellor, J., Mirchandani, P.: Evaluating Intrusion Detection Systems in High Speed Networks. In: Fifth International Conference on Information Assurance and Security (IAS 2009), Xi'an, August 18-20. IEEE Computer Society (in press, 2009)
  2. Alserhani, F., Akhlaq, M., et al.: Snort Performance Evaluation. In: Proceedings of the Twenty Fifth UK Performance Engineering Workshop (UKPEW 2009), Leeds, UK, July 6-7 (2009)
  3. Kazienko, P., Dorosz, P.: Intrusion Detection Systems (IDS) Part 2 - Classification; Methods; Techniques (2004)
  4. Tessel, J.D., Young, S., Linder, F.: The Hackers Handbook. Auerbach Publications, New York (2004)
  5. Kruegel, C., Valeur, F., Vigna, G., Kemmerer, R.: Stateful Intrusion Detection for High Speed Networks. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2002, pp. 285-293 (2002)
  6. Foschini, L., Thapliyal, A.V., Cavallaro, L., Kruegel, C., Vigna, G.: A Parallel Architecture for Stateful, High-Speed Intrusion Detection. In: Proceedings of the Fourth International Conference on Information Systems Security, Hyderabad, India, pp. 203-220 (2008)
  7. Xinidis, K., Charitakis, I., Antonatos, S., Anagnostakis, K.G., Markatos, E.P.: An Active Splitter Architecture for Intrusion Detection and Prevention. IEEE Trans. Dependable Secure Comput. 3(1), 31-44 (2006)
  10. Baker, A.R., Esler, J.: Snort IDS and IPS Toolkit. Syngress, Canada (2007)
  13. VB.net, http://vb.net

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2010

Authors and Affiliations

  • Ahsan Subhan (1)
  • Monis Akhlaq (1)
  • Faeiz Alserhani (1)
  • Irfan U. Awan (1)
  • John Mellor (1)
  • Andrea J. Cullen (1)
  • Pravin Mirchandani (1, 2)
  1. Informatics Research Institute, University of Bradford, Bradford, United Kingdom
  2. Syphan Technologies (www.Syphan.com), India