A Lightweight Estimation Algorithm To Auto Configure Snort Fast Pattern Matcher

With the emergence of Network Function Virtualization (NFV), researchers have started to implement typical software Intrusion Detection Systems (IDS) as Virtual Network Functions (VNFs) to make IDS deployment more scalable. Choosing the setup and configuration of every instance so that the VNF performs well is one of the core challenges of the NFV scenario. Previous research has mainly focused on how an IDS performs under different Virtual Machine (VM) setups while loading only its default configuration. However, when different rulesets are loaded and the IDS runs under different VM setups, the default configuration does not always give optimal performance. In this paper we focus on the configuration problem of Snort. We propose a lightweight estimation algorithm to auto-configure the part of Snort that most affects performance, the Fast Pattern Matcher (FPM). We first explore, through several measurement experiments, how the FPM options influence Snort's packet detection. We then summarize some basic principles that guide the design of our auto-configuration algorithm. Finally, we implement the algorithm and evaluate its accuracy and efficiency. The results show that our algorithm finds a better configuration than the default one in a variety of situations, and that running it takes only a few seconds, which matters if an auto-configuration module is to be integrated into an NFV dynamic and elastic scheduling strategy.
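The FPM options the abstract refers to are set in snort.conf through the `config detection:` directive (for example `search-method`, `search-optimize`, `split-any-any`, `max-pattern-len`). The harness below is an added example, not the paper's estimator or code: it does the slow thing the paper's algorithm is designed to replace, namely measuring each `search-method` by running Snort 2.9.x offline over a pcap and parsing the run summary Snort prints at exit. It assumes a `snort` binary on PATH; the snort.conf and pcap paths in `main` are placeholders, and the Snort summary text used for the self-test is constructed.

```python
"""Sweep Snort 2.x fast-pattern-matcher search methods over a pcap.

Added example, not the paper's estimator or code. Assumes a Snort 2.9.x
binary on PATH; the snort.conf and pcap paths under __main__ are placeholders.
"""
import os
import re
import subprocess
import tempfile

# Search methods accepted by Snort 2.9's "config detection: search-method".
# ac-bnfa is the default; ac (full Aho-Corasick) is usually fastest but uses
# far more memory; lowmem trades speed for a small footprint.
SEARCH_METHODS = ["ac-bnfa", "ac-bnfa-q", "ac", "ac-q", "ac-split", "lowmem", "lowmem-q"]

RUN_TIME_RE = re.compile(r"Run time for packet processing was ([0-9.]+) seconds")
PROCESSED_RE = re.compile(r"Snort processed (\d+) packets")

# Constructed sample of the summary Snort 2.9 prints on exit (not a real run).
SAMPLE_SUMMARY = """\
===============================================================================
Run time for packet processing was 2.5 seconds
Snort processed 100000 packets.
Snort ran for 0 days 0 hours 0 minutes 2 seconds
   Pkts/sec:        50000
===============================================================================
"""


def detection_config(search_method, search_optimize=False,
                     split_any_any=False, max_pattern_len=None):
    """Render one 'config detection:' line in snort.conf syntax."""
    if search_method not in SEARCH_METHODS:
        raise ValueError(f"unknown search-method {search_method!r}")
    opts = [f"search-method {search_method}"]
    if search_optimize:
        opts.append("search-optimize")
    if split_any_any:
        opts.append("split-any-any")
    if max_pattern_len is not None:
        opts.append(f"max-pattern-len {int(max_pattern_len)}")
    return "config detection: " + " ".join(opts)


def write_variant_conf(base_conf, detection_line):
    """Copy base_conf into the same directory (so relative includes still
    resolve), drop any existing 'config detection:' lines, append ours."""
    with open(base_conf) as f:
        kept = [ln for ln in f if not ln.lstrip().startswith("config detection")]
    fd, path = tempfile.mkstemp(
        suffix=".conf", dir=os.path.dirname(os.path.abspath(base_conf)))
    with os.fdopen(fd, "w") as f:
        f.writelines(kept)
        f.write(detection_line + "\n")
    return path


def parse_run_stats(output):
    """Pull packet count and processing time out of Snort's exit summary."""
    t = RUN_TIME_RE.search(output)
    n = PROCESSED_RE.search(output)
    if not t or not n:
        raise ValueError("no run summary found in snort output")
    seconds, packets = float(t.group(1)), int(n.group(1))
    pps = packets / seconds if seconds > 0 else float("inf")
    return {"seconds": seconds, "packets": packets, "pps": pps}


def run_snort(base_conf, pcap, search_method, snort="snort"):
    """One offline pass over the pcap: no logging (-N), no alert output (-A none)."""
    conf = write_variant_conf(base_conf, detection_config(search_method))
    try:
        proc = subprocess.run([snort, "-c", conf, "-r", pcap, "-N", "-A", "none"],
                              capture_output=True, text=True, check=True)
    finally:
        os.unlink(conf)
    return parse_run_stats(proc.stdout + proc.stderr)


def sweep(base_conf, pcap, methods=SEARCH_METHODS, repeats=3):
    """Best-of-N processing time per method, sorted fastest first.
    Best-of-N rather than mean because VM scheduling noise only adds time."""
    results = []
    for m in methods:
        best = min((run_snort(base_conf, pcap, m) for _ in range(repeats)),
                   key=lambda s: s["seconds"])
        results.append((m, best))
    return sorted(results, key=lambda r: r[1]["seconds"])


if __name__ == "__main__":
    # Placeholder paths; use the real snort.conf/ruleset and a representative pcap.
    for method, stats in sweep("/etc/snort/snort.conf", "/tmp/sample.pcap"):
        print(f"{method:10s} {stats['seconds']:8.3f}s {stats['pps']:12.0f} pkt/s")
```

Two practical caveats. First, the ranking is only meaningful for the ruleset actually loaded and the VM it runs in, which is the abstract's point that the default is not always best. Second, a full sweep costs seven methods times three full passes over the pcap plus Snort's rule-compilation time for each, which is minutes to hours on a large trace; a sweep like this is what a lightweight estimator that finishes in seconds lets an NFV scheduler avoid.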
