WIND: Workload-Aware INtrusion Detection

  • Sushant Sinha
  • Farnam Jahanian
  • Jignesh M. Patel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)


Intrusion detection and prevention systems have become essential to the protection of critical networks across the Internet. Widely deployed IDS and IPS systems are based around a database of known malicious signatures. This database is growing quickly while at the same time the signatures are getting more complex. These trends place additional performance requirements on the rule-matching engine inside IDSs and IPSs, which check each signature against an incoming packet. Existing approaches to signature evaluation apply statically-defined optimizations that do not take into account the network in which the IDS or IPS is deployed or the characteristics of the signature database. We argue that for higher performance, IDS and IPS systems should adapt according to the workload, which includes the set of input signatures and the network traffic characteristics. To demonstrate this idea, we have developed an adaptive algorithm that systematically profiles attack signatures and network traffic to generate a high performance and memory-efficient packet inspection strategy. We have implemented our idea by building two distinct components over Snort: a profiler that analyzes the input rules and the observed network traffic to produce a packet inspection strategy, and an evaluation engine that pre-processes rules according to the strategy and evaluates incoming packets to determine the set of applicable signatures. We have conducted an extensive evaluation of our workload-aware Snort implementation on a collection of publicly available datasets and on live traffic from a border router at a large university network. Our evaluation shows that the workload-aware implementation outperforms Snort in the number of packets processed per second by a factor of up to 1.6x for all Snort rules and 2.7x for web-based rules with reduction in memory requirements. Similar comparison with Bro shows that the workload-aware implementation outperforms Bro by more than six times in most cases.


Intrusion detection and prevention deep packet inspection workload aware adaptive algorithm 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Symantec: Symantec Internet threat report: Trends for July 2005 - December 2005 (March 2006),
  2. 2.
    Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proceedings of Usenix Lisa Conference (November 2001)Google Scholar
  3. 3.
    Microsoft: Vulnerability in graphics rendering engine could allow remote code execution (January 2006),
  4. 4.
    Knobbe, F.: WMF exploit (December 2005),
  5. 5.
    Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Operational experiences with high-volume network intrusion detection. In: CCS 2004: Proceedings of the 11th ACM conference on Computer and communications security, pp. 2–11 (2004)Google Scholar
  6. 6.
    Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23-24), 2435–2463 (1999)CrossRefGoogle Scholar
  7. 7.
    Lee, W., Cabrera, J.B.D., Thomas, A., Balwalli, N., Saluja, S., Zhang, Y.: Performance adaptation in real-time intrusion detection systems. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 252–273. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Kruegel, C., Valeur, F., Vigna, G., Kemmerer, R.: Stateful intrusion detection for high-speed networks. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Washington, DC, USA, pp. 285–293. IEEE Computer Society, Los Alamitos (2002)CrossRefGoogle Scholar
  9. 9.
    Sekar, R., Guang, Y., Verma, S., Shanbhag, T.: A high-performance network intrusion detection system. In: ACM Conference on Computer and Communications Security, pp. 8–17 (1999)Google Scholar
  10. 10.
    Gusfield, D.: Algorithms on strings, trees, and sequences: Computer Science and Computational Biology. Cambridge University Press, Cambridge (1997)zbMATHCrossRefGoogle Scholar
  11. 11.
    Wu, S., Manber, U.: A fast algorithm for multi-pattern searching. Technical report, Department of Computer Science, University of Arizona (1993)Google Scholar
  12. 12.
    Kruegel, C., Toth, T.: Automatic rule clustering for improved signature-based intrusion detection. Technical report, Distributed systems group: Technical Univ. Vienna, Austria (2002)Google Scholar
  13. 13.
    Egorov, S., Savchuk, G.: SNORTRAN: An optimizing compiler for snort rules. Technical report, Fidelis Security Systems (2002)Google Scholar
  14. 14.
    Norton, M., Roelker, D.: SNORT 2.0: Hi-performance multi-rule inspection engine. Technical report, Sourcefire Inc. (2002)Google Scholar
  15. 15.
    Schuehler, D.V., Lockwood, J.W.: A modular system for FPGA-based TCP flow processing in high-speed networks. In: Becker, J., Platzner, M., Vernalde, S. (eds.) FPL 2004. LNCS, vol. 3203, pp. 301–310. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. 16.
    Cho, Y.H., Mangione, W.H.: Programmable hardware for deep packet filtering on a large signature set (2004),
  17. 17.
    Finkelstein, S.: Common expression analysis in database applications. In: Proceedings of the 1982 ACM SIGMOD international conference on Management of data, New York, NY, USA, pp. 235–245 (1982)Google Scholar
  18. 18.
    Sellis, T.K.: Multiple-query optimization. ACM Trans. Database Syst. 13(1), 23–52 (1988)CrossRefGoogle Scholar
  19. 19.
    Sellis, T., Ghosh, S.: On the multiple-query optimization problem. IEEE Transactions on Knowledge and Data Engineering 2(2), 262–266 (1990)CrossRefGoogle Scholar
  20. 20.
    Park, J., Segev, A.: Using common subexpressions to optimize multiple queries. In: Proceedings of the Fourth International Conference on Data Engineering, Washington, DC, USA, pp. 311–319. IEEE Computer Society, Los Alamitos (1988)CrossRefGoogle Scholar
  21. 21.
    Graham, S., Kessler, P., McKusick, M.: gprof: A call graph execution profiler. In: Proceedings of the SIGPLAN 1982 Symposium on Compiler Construction, pp. 120–126 (June 1982)Google Scholar
  22. 22.
    Lippmann, R.P., Fried, D.J., Graf, I., Haines, J.W., Kendall, K.R., McClung, D., Weber, D., Webster, S.E., Wyschogrod, D., Cunningham, R.K., Zissman, M.A.: Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. In: Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX), pp. 12–26 (2000)Google Scholar
  23. 23.
    Lippmann, R.P., Haines, J.W., Fried, D.J., Korba, J., Das, K.: Analysis and results of the 1999 DARPA off-line intrusion detection evaluation. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 162–182. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  24. 24.
    Sommer, R., Paxson, V.: Enhancing byte-level network intrusion detection signatures with context. In: Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS 2003), New York, pp. 262–271 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sushant Sinha
    • 1
  • Farnam Jahanian
    • 1
  • Jignesh M. Patel
    • 1
  1. 1.Electrical Engineering and Computer ScienceUniversity of MichiganAnn Arbor

Personalised recommendations