Deep packet pre-filtering and finite state encoding for adaptive intrusion detection system

An intrusion detection system (IDS) is a promising technique for detecting and thwarting attacks on computer systems and networks. Because the threat landscape keeps changing, new attacks appear constantly and the rule sets used to identify them grow rapidly. To keep pace, an IDS must be easily reconfigurable for new rules, must sustain the line rate of the monitored network traffic, and must detect attacks accurately. In this paper, we propose a high-performance memory-based IDS that can be easily reconfigured for new rules. Our IDS achieves high throughput and memory efficiency by combining deep packet pre-filtering with a novel finite state encoding. We present simulation and experimental results that demonstrate the feasibility and performance of the system.
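The abstract names two mechanisms, packet pre-filtering and a memory-resident finite state machine, without describing either. The Python sketch below is an added illustration of both ideas in their generic form; it is not the paper's code, and the paper's own state encoding is not reproduced. A table-driven Aho-Corasick automaton stands in for the memory-based engine (a new rule set is loaded by rewriting the table, not by regenerating logic), and a pre-filter built from only the first few bytes of every rule screens each packet before any full verification is done. The rule set, the four-byte prefix length and the packet payloads are constructed for the example.

```python
"""Added example (not from the paper): a memory-resident, table-driven
multi-pattern matcher with a packet pre-filter stage in front of it.
The rule set, prefix length and payloads are constructed for illustration;
the paper's own finite state encoding is not described in the abstract
and is not reproduced here."""
from collections import deque

ALPHABET = 256  # one transition column per byte value


def _as_bytes(p):
    return p if isinstance(p, (bytes, bytearray)) else p.encode()


class TableDFA:
    """Aho-Corasick automaton stored as one flat list: entry
    state*ALPHABET + byte holds the next state. Reconfiguring for a new
    rule set means rebuilding and rewriting this table in memory."""

    def __init__(self, patterns):
        self.patterns = [_as_bytes(p) for p in patterns]
        goto, out = [{}], [set()]            # trie: one dict per state
        for idx, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if b not in goto[s]:
                    goto.append({})
                    out.append(set())
                    goto[s][b] = len(goto) - 1
                s = goto[s][b]
            out[s].add(idx)
        n = len(goto)
        self.table = [0] * (n * ALPHABET)
        fail = [0] * n
        queue = deque()
        for b, nxt in goto[0].items():       # root row; misses stay at 0
            self.table[b] = nxt
            queue.append(nxt)
        # Breadth-first fill: every row is complete, so no failure links
        # are followed at scan time and each byte costs one table read.
        while queue:
            s = queue.popleft()
            base, fbase = s * ALPHABET, fail[s] * ALPHABET
            for b in range(ALPHABET):
                if b in goto[s]:
                    nxt = goto[s][b]
                    fail[nxt] = self.table[fbase + b]
                    out[nxt] |= out[fail[nxt]]
                    self.table[base + b] = nxt
                    queue.append(nxt)
                else:
                    self.table[base + b] = self.table[fbase + b]
        self.out = [frozenset(o) for o in out]
        self.num_states = n

    def memory_words(self):
        """Uncompressed table size; a finite state encoding's job is to shrink this."""
        return len(self.table)

    def scan(self, data):
        """Return the indices of all patterns occurring anywhere in data."""
        s, hits = 0, set()
        for b in data:
            s = self.table[s * ALPHABET + b]
            hits |= self.out[s]
        return hits


class PreFilteredMatcher:
    """Stage 1 scans every packet with a small automaton built from the
    first prefix_len bytes of each rule and yields candidate rules.
    Stage 2 verifies only those candidates. Stage 1 cannot miss a rule
    (any occurrence of a rule contains its prefix) but can raise false
    candidates, which stage 2 discards."""

    def __init__(self, rules, prefix_len=4):
        self.rules = [_as_bytes(r) for r in rules]
        self.prefilter = TableDFA([r[:prefix_len] for r in self.rules])
        self.stats = {"packets": 0, "verified": 0, "candidates": 0}

    def match(self, payload):
        self.stats["packets"] += 1
        candidates = self.prefilter.scan(payload)
        if not candidates:
            return set()                     # fast path: stage 2 skipped
        self.stats["verified"] += 1
        self.stats["candidates"] += len(candidates)
        return {self.rules[i] for i in candidates if self.rules[i] in payload}


# Constructed rule set (hypothetical content strings, not real IDS rules).
RULES = [b"GET /cgi-bin/", b"/etc/passwd", b"cmd.exe", b"|chmod "]

# Constructed packet payloads.
PACKETS = [
    b"HELO mail.example.test\r\n",                      # no candidate rule
    b"GET /index.html HTTP/1.0\r\n",                    # prefix hit, no rule
    b"GET /cgi-bin/t.cgi?f=../../etc/passwd HTTP/1.0",  # two rules match
]


def inspect_all(packets, rules=RULES, prefix_len=4):
    """Run the two-stage matcher over packets; return hits and counters."""
    m = PreFilteredMatcher(rules, prefix_len)
    hits = [m.match(p) for p in packets]
    return hits, m.stats


if __name__ == "__main__":
    hits, stats = inspect_all(PACKETS)
    for p, h in zip(PACKETS, hits):
        print(p[:32], sorted(h))
    print(stats)
```

Two practical points the sketch makes visible. The flat table costs num_states * 256 words, which is why a real memory-based engine needs a compact state encoding for thousands of rules; this baseline is what such an encoding is measured against. The pre-filter prefix length is a trade-off: with four bytes the prefix "GET " fires on every HTTP request and forces stage 2, while longer prefixes reduce false candidates at the cost of a larger stage-1 automaton. The sketch handles fixed-string content on a single payload only; regular-expression rules and patterns that span packet boundaries need reassembly and a richer matcher.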
