Abstract
Network intrusion detection systems (NIDS) are becoming an important tool for protecting critical information and infrastructure. The quality of a NIDS is described by the percentage of true attacks detected combined with the number of false alerts. However, even a high-quality NIDS algorithm is not effective if its processing cost is too high, since the resulting loss of packets increases the probability that an attack is not detected. This study measures and compares two major components of the NIDS processing cost on a number of diverse systems to pinpoint performance bottlenecks and to determine the impact of operating system and architecture differences. Results show that even on moderate-speed networks, many systems are inadequate as NIDS platforms. Performance depends not only on the processor performance, but to a large extent also on the memory system. Recent trends in processor microarchitecture towards deep pipelines have a negative impact on the systems NIDS capabilities, and multiprocessor architectures usually do not lead to significant performance improvements. Overall, these results provide valuable guidelines for NIDS developers and adopters for choosing a suitable platform, and highlight the need to consider processing cost when developing and evaluating NIDS techniques.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Banks, D., Prudence, M.: A High-performance Network Architecture for a PA-RISC Workstation. IEEE Journal on Selected Areas in Communications 11(2), 191–202 (1993)
Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Staniford-Chen, S., Yip, R., Zerkle, D.: The Design of GrIDS: A Graph-Based Intrusion Detection System, tech. report CSE-99-02, Computer Science Dept., Univ. of California Davis, Calif (1999)
Clark, D., Jacobson, V., Romkey, J., Salwen, M.: An Analysis of TCP Processing Overhead. IEEE Communications Magazine 27, 23–29 (1989)
Coit, J., Staniford, S., McAlerney, J.: Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort. In: Proc. DARPA Information Survivability Conference and Exposition (DISCEX II 2002), pp. 367–373. IEEE CS Press, Los Alamitos (2002)
Danyliw, R.: ACID: Analysis Console for Intrusion Databases (2001), http://acidlab.sourceforge.net
Edwards, S.: Vulnerabilities of Network Intrusion Detection Systems: Realizing and Overcoming the Risks. The Case for Flow Mirroring, whitepaper, Top Layer Networks, Inc. (2002)
Egorov, S., Savchuk, G.: SNORTRAN: An Optimizing Compiler for Snort Rules. whitepaper, Fidelis Security Systems, Inc.
Gallatin, J.C., Yocum, K.: Trapeze/IP: TCP/IP at Near-Gigabit Speeds. In: Proc. 1999 Usenix Technical Conference, Usenix Assoc., Berkeley, Calif, pp. 109–120 (1999)
Haines, J., Lippmann, R., Fried, D., Korba, J., Das, K.: 1999 DARPA Intrusion Detection System Evaluation: Design and Procedures, tech. report 1062, MIT Lincoln Laboratory Technical Report, Boston, Mass (2001)
Hinton, G., et al.: The Microarchitecture of the Pentium 4 Processor. Intel Technology Journal, Q1 (2001)
Kruegel, C., Toth, T.: Automatic Rule Clustering for improved, signature-based Intrusion Detection, tech. report, Distributed Systems Group, Technical Univ. Vienna, Austria
Kruegel, C., Valeur, F., Vigna, G., Kemmerer, R.: Stateful Intrusion Detection for High- Speed Networks. In: Proc. IEEE Symposium Security and Privacy, IEEE Computer Society Press, Calif (2002)
Marr, D., et al.: Hyper-Threading Technology Architecture and Microarchitecture. Intel Technology Journal 6(1), 4–15 (2002)
Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23-24), 2435–2463 (1999)
Protocol Analysis vs. Pattern Matching. whitepaper, Network ICE (2000)
Puketza, N., Zhang, K., Chung, M., Mukherjee, B., Olsson, R.: A Methodology for Testing Intrusion Detection Systems. IEEE Transactions Software Engineering 22(10), 719–729 (1996)
Ranum, M.: Experiences Benchmarking Intrusion Detection Systems. whitepaper, Network Flight Recorder Security, Inc., http://www.snort.org/docs/Benchmarking-IDS-NFR.pdf
Roesch, M.: Snort – Lightweight Intrusion Detection for Networks. In: Proc. Usenix LISA 1999 Conf. (November 1999), http://www.snort.org/docs/lisapaper.txt
Rosenblum, M., Bugnion, E., Herrod, S., Witchel, E., Gupta, A.: The Impact of Architectural Trends on Operating System Performance. In: Proc. 15th ACM Symp. Operating System Principles, ACM Press, New York (1995)
Sekar, R., Guang, Y., Verma, S., Shanbhag, T.: A High-Performance Network Intrusion Detection System. In: Proc. 6th ACM Symp. Computer and Communication Security, ACM Press, New York (1999)
Snort 2.0 - Detection Revisited. whitepaper, Sourcefire Network Security Inc. (2002)
Snort Rules for Version 1.9.x as of (March 25, 2003), http://www.snort.org/dl/rules/snortrules-stable.tar.gz
Steenkiste, P.: A Systematic Approach to Host Interface Design for High-Speed Networks. IEEE Computer 27(3), 47–57 (1994)
McVoy, L., Staelin, C.: lmbench: Portable Tools for Performance Analysis. In: Proc. USENIX Ann. Technical Conference, Usenix Assoc., Berkeley, Calif., pp. 279–294 (1998)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Schaelicke, L., Slabach, T., Moore, B., Freeland, C. (2003). Characterizing the Performance of Network Intrusion Detection Sensors. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_9
Download citation
DOI: https://doi.org/10.1007/978-3-540-45248-5_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40878-9
Online ISBN: 978-3-540-45248-5
eBook Packages: Springer Book Archive