A Criterion for Speed Evaluation of Content Inspection Engines

The growing needs of network security and content-aware networking increasingly move content processing into network devices rather than network endpoints. The component of a network device responsible for content inspection is called the Content Inspection Engine (CIE). Like the other components of a network device, the CIE needs to operate at wire speed, which raises the need for an appropriate speed-evaluation criterion for CIEs. For processes with constant or at least well-bounded per-packet work (e.g., routing, multi-field packet classification), and for processes with flat per-byte processing time (e.g., checksum calculation, encryption/decryption), operating speed is traditionally evaluated as the number of packets or bits processed per second. Such metrics cannot be used for processes in which the processing time of a packet varies widely depending on its content, as it does in a CIE: two packets of the same size can cost very different amounts of work, so a stream of expensive content holds the engine far below its average rate. We propose worst-case throughput as the criterion for evaluating the wire-speed processing capability of a CIE. We argue that one can build a simple model of a CIE, whether hardware- or software-based, in the form of a directed graph whose edges are annotated with the length and the processing time of the segments of input data they consume. Finding the worst-case throughput of the CIE then reduces to the minimum cost-to-time ratio cycle problem, for which many efficient algorithms exist.
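The graph model and the reduction described above, worked through as an added Python example (this is illustration written for this page, not code from the paper): a constructed toy CIE with a scanning state and a slower candidate-verification state, and Lawler's parametric search with Bellman-Ford negative-cycle detection to find the cycle with the minimum length-to-time ratio, i.e. the worst-case throughput in bytes per time unit. The engine model, its node names and its edge annotations are assumptions chosen for illustration; the paper names no particular engine or algorithm. The example also covers two edge cases a practitioner cares about: a model with no cycle (throughput unbounded) and a cycle that consumes no input at all (throughput zero, the engine can be stalled).

```python
"""Worst-case throughput of a content inspection engine (CIE) modelled as a
directed graph: nodes are engine states, each edge is a transition annotated
with the input bytes it consumes (length) and the processing time it costs.
Worst-case throughput = min over all cycles of sum(length) / sum(time), i.e. a
minimum cost-to-time ratio cycle.  Solved with Lawler's parametric search: a
cycle with ratio < lam exists iff the graph with edge weights
length - lam * time contains a negative cycle, which Bellman-Ford detects."""
import math
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    length: int  # input bytes consumed by this transition
    time: int    # processing time of this transition (e.g. clock cycles), > 0


def negative_cycle(nodes: List[str], edges: List[Edge], lam: float) -> Optional[List[Edge]]:
    """Return a cycle whose weight sum(length - lam * time) is negative, else None.

    All distances start at 0, which is equivalent to a virtual source joined to
    every node by a zero-weight edge; a relaxation in the |V|-th pass therefore
    proves a negative cycle, and walking |V| predecessors lands inside it.
    """
    dist: Dict[str, float] = {n: 0.0 for n in nodes}
    pred: Dict[str, Optional[Edge]] = {n: None for n in nodes}
    last_relaxed: Optional[str] = None
    for _ in range(len(nodes)):
        last_relaxed = None
        for e in edges:
            w = e.length - lam * e.time
            if dist[e.src] + w < dist[e.dst] - 1e-9:
                dist[e.dst] = dist[e.src] + w
                pred[e.dst] = e
                last_relaxed = e.dst
        if last_relaxed is None:
            return None  # converged without a negative cycle
    v = last_relaxed
    for _ in range(len(nodes)):
        v = pred[v].src  # walk back far enough to be on the cycle itself
    cycle: List[Edge] = []
    cur = v
    while True:
        e = pred[cur]
        cycle.append(e)
        cur = e.src
        if cur == v:
            break
    cycle.reverse()
    return cycle


def worst_case_throughput(nodes: List[str], edges: List[Edge],
                          tol: float = 1e-6) -> Tuple[Union[Fraction, float], List[Edge]]:
    """Minimum length/time ratio over all cycles (bytes per time unit) and a
    cycle attaining it.  Returns (inf, []) if the model has no cycle at all."""
    assert all(e.time > 0 for e in edges), "every transition must take time"
    if not edges:
        return math.inf, []
    lo = 0.0  # lengths are non-negative, so no cycle has a ratio below 0
    # A cycle's ratio never exceeds its best edge's ratio (mediant inequality).
    hi = max(e.length / e.time for e in edges) + 1.0
    critical: Optional[List[Edge]] = None
    while hi - lo > tol:
        mid = (lo + hi) / 2
        cyc = negative_cycle(nodes, edges, mid)
        if cyc is None:
            lo = mid  # every cycle has ratio >= mid
        else:
            hi, critical = mid, cyc  # some cycle has ratio < mid
    if critical is None:
        return math.inf, []
    # Report the exact ratio of the cycle found, not the float estimate.
    ratio = Fraction(sum(e.length for e in critical), sum(e.time for e in critical))
    return ratio, critical


def toy_cie_model() -> Tuple[List[str], List[Edge]]:
    """Constructed example, not a measured engine: a shift-based multi-pattern
    scanner (state 'scan') with a slower candidate-verification state."""
    nodes = ["scan", "verify"]
    edges = [
        Edge("scan", "scan", length=4, time=1),    # no prefix in window: skip 4 bytes
        Edge("scan", "scan", length=1, time=1),    # partial prefix: shift by 1 byte
        Edge("scan", "verify", length=0, time=1),  # candidate hit: go verify, no progress
        Edge("verify", "scan", length=1, time=3),  # full compare fails; resume 1 byte on
    ]
    return nodes, edges


if __name__ == "__main__":
    nodes, edges = toy_cie_model()
    ratio, cycle = worst_case_throughput(nodes, edges)
    print("worst-case throughput:", ratio, "bytes per time unit")
    print("critical cycle:", " -> ".join(e.src for e in cycle) + " -> " + cycle[0].src)
```

On the toy model the fast path (skip 4 bytes per time unit) would suggest a throughput of 4 bytes per unit, yet the cycle scan -> verify -> scan advances only 1 byte in 4 units, so the worst-case throughput is 1/4: a factor of 16 below the best case, which a packets-per-second or bits-per-second figure measured on benign traffic would never reveal. The critical cycle returned is also the recipe for the input that pins the engine at that rate, which is what a capacity test should replay.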
