Embedded Network Intrusion Detection Systems with a Multi-core Aware Packet Capture Module

Network security has been a major concern on the Internet. To address this issue, network intrusion detection and prevention tools have become indispensable for system security. In this paper we first propose a multi-core aware packet capture module and integrate it with a network intrusion detection system (NIDS). We then analyze the performance of the NIDS under different packet capture libraries in high-speed networks. The proposed multi-core aware packet capture module, called Flow Ring, enhances the performance of the NIDS so that it meets the speed requirements without packet loss. Combined with techniques for configuring the NIDS with respect to multi-core and IRQ affinity, the proposed approach achieves the most effective performance.
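The abstract does not describe the internals of Flow Ring, so the following is an added illustration rather than the paper's code: a toy per-core capture buffer in Python that hashes both directions of a flow onto the same core (so one NIDS worker sees the whole conversation) and counts the drops that occur when a ring is full, the loss metric the abstract evaluates. The packet dictionaries and `run_demo` traffic are constructed for this example.

```python
import hashlib
from collections import deque

class FlowRing:
    """Toy multi-core capture buffer: one bounded ring per core (illustration only)."""

    def __init__(self, n_cores, ring_size):
        self.n_cores = n_cores
        self.ring_size = ring_size
        self.rings = [deque() for _ in range(n_cores)]
        self.dropped = [0] * n_cores  # packets lost because a ring was full

    @staticmethod
    def flow_key(pkt):
        # Order the two endpoints so A->B and B->A produce the same key;
        # the NIDS worker on that core then sees both directions of the flow.
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"], ends[0], ends[1])

    def core_for(self, pkt):
        digest = hashlib.blake2b(repr(self.flow_key(pkt)).encode(), digest_size=4).digest()
        return int.from_bytes(digest, "big") % self.n_cores

    def enqueue(self, pkt):
        core = self.core_for(pkt)
        if len(self.rings[core]) >= self.ring_size:
            self.dropped[core] += 1  # ring full: this packet is lost
            return None
        self.rings[core].append(pkt)
        return core

def pkt(src, sport, dst, dport, proto=6):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

def run_demo(n_cores=4, ring_size=8):
    """Constructed traffic: one HTTP flow in both directions, then a burst from
    the same flow that exceeds the ring capacity. Returns the core chosen for
    each direction and the total number of dropped packets."""
    fr = FlowRing(n_cores, ring_size)
    req = pkt("10.0.0.1", 40000, "10.0.0.2", 80)
    rsp = pkt("10.0.0.2", 80, "10.0.0.1", 40000)
    c_req, c_rsp = fr.enqueue(req), fr.enqueue(rsp)
    for _ in range(ring_size):  # ring already holds 2 packets, so 2 are lost
        fr.enqueue(req)
    return c_req, c_rsp, sum(fr.dropped)
```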
