A Parallel Architecture for Stateful, High-Speed Intrusion Detection

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5352)


The increase in bandwidth over processing power has made stateful intrusion detection for high-speed networks more difficult, and, in certain cases, impossible. The problem of real-time stateful intrusion detection in high-speed networks cannot easily be solved by optimizing the packet matching algorithm utilized by a centralized process or by using custom-developed hardware. Instead, there is a need for a parallel approach that is able to decompose the problem into subproblems of manageable size. We present a novel parallel matching algorithm for the signature-based detection of network attacks. The algorithm is able to perform stateful signature matching and has been implemented only using off-the-shelf components. Our initial experiments confirm that, by making the rule matching process parallel, it is possible to achieve a scalable implementation of a stateful, network-based intrusion detection system.


Sensor Node Intrusion Detection Parallel Machine Intrusion Detection System Parallel Architecture 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Amdahl, G.: Validity of the Single Processor Approach to Achieving Large-Scale Computing Capabilities. In: Proceedings of the AFIPS Conference (1967)Google Scholar
  2. 2.
    Colajanni, M., Marchetti, M.: A parallel architecture for stateful intrusion detection in high traffic networks (September 2006)Google Scholar
  3. 3.
    Davoli, R.: Vde: Virtual distributed ethernet. Technical report (2004)Google Scholar
  4. 4.
    Davoli, R.: Vde: Virtual distributed ethernet. In: TRIDENTCOM 2005: Proceedings of the First International Conference on Testbeds and Research Infrastructures for the DEvelopment of NeTworks and COMmunities, Washington, DC, USA, pp. 213–220. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  5. 5.
    Eckmann, S., Vigna, G., Kemmerer, R.: STATL: An Attack Language for State-based Intrusion Detection. In: Proceedings of the ACM Workshop on Intrusion Detection Systems, Athens, Greece (November 2000)Google Scholar
  6. 6.
    Foschini, L.: A formalization and analysis of high-speed stateful signature matching for intrusion detection (2007)Google Scholar
  7. 7.
    Foschini, L., Thapliyal, A.V., Cavallaro, L., Kruegel, C., Vigna, G.: A Parallel Architecture for Stateful, High-Speed Intrusion Detection. Technical report (2008)Google Scholar
  8. 8.
    Garcia-Molina, H.: Elections in a Distributed Computing System. IEEE Transactions on Computers (1982)Google Scholar
  9. 9.
    Gates, C.: Co-ordinated Port Scans: A Model, A Detector and An Evaluation Methodology. PhD thesis, Dalhousie University, Halifax, Nova Scotia (February 2006)Google Scholar
  10. 10.
    Kruegel, C., Valeur, F., Vigna, G., Kemmerer, R.A.: Stateful Intrusion Detection for High-Speed Networks. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2002, pp. 285–293. IEEE Press, Los Alamitos (2002)Google Scholar
  11. 11.
    Kumar, S., Spafford, E.H.: A Pattern Matching Model for Misuse Intrusion Detection. In: Proceedings of the 17th National Computer Security Conference, pp. 11–21 (1994)Google Scholar
  12. 12.
    Lu, H., Zheng, K., Liu, B., Zhang, X., Liu, Y.: A Memory-Efficient Parallel String Matching Architecture for High-Speed Intrusion Detection. IEEE Journal on Selected Areas in Communication 24(10) (October 2006)Google Scholar
  13. 13.
    Meier, M., Schmerl, S., Koenig, H.: Improving the Efficiency of Misuse Detection. In: Proceedings of RAID (2005)Google Scholar
  14. 14.
    Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. In: 7th Usenix Security Symposium (1998)Google Scholar
  15. 15.
    Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: Proceedings of the Large Installation System Administration Conference (LISA), Seattle, WA (November 1999)Google Scholar
  16. 16.
    Sekar, R., Guang, V., Verma, S., Shanbhag, T.: A High-performance Network Intrusion Detection System. In: Proceedings of the 6th ACM Conference on Computer and Communications Security (November 1999)Google Scholar
  17. 17.
    Snort - The Open Source Network Intrusion Detection System (2004),
  18. 18.
    Sommer, R., Paxson, V.: Exploiting Independent State For Network Intrusion Detection. In: Proceedings of ACSAC (2005)Google Scholar
  19. 19.
    The open source community. Snort Community rulesetGoogle Scholar
  20. 20.
    Turner, A.: tcprewrite trac page,
  21. 21.
    Vallentin, M., Sommer, R., Lee, J., Leres, C., Paxson, V., Tierney, B.: The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  22. 22.
    Xinidis, K., Charitakis, I., Antonatos, S., Anagnostakis, K., Markatos, E.: An active splitter architecture for intrusion detection and prevention. IEEE TDSC 3(1), 31 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of CaliforniaSanta BarbaraUSA

Personalised recommendations