Performance Improvement by Means of Collaboration between Network Intrusion Detection Systems

Because of today's increased traffic volume and sophisticated attacks, implementing a network intrusion detection/prevention system (NIDS/NIPS) with a single workstation has been challenging. In this paper, we propose Brownie, a system for improving performance by means of collaboration between already-existing NIDSs, instead of installing one expensive hardware or parallel NIDS at a network entry point. Our Brownie achieves performance improvement by 1) offloading overloaded NIDS, and 2) eliminating redundant rules. First, a Brownie exchanges NIDSs' load status and transfers some rules from overloaded to light-loaded NIDSs, which prevents the overloaded NIDSs from bottlenecking the network. Second, if some NIDSs in a network path enable the same rules, a Brownie eliminates the redundant rules, which reduces the aggregate overhead of the NIDSs. The experimental results with a university full-packet trace suggest that Brownies successfully offloads overloaded NIDS and eliminates redundant rules.

[1]  George Varghese,et al.  Deterministic memory-efficient string matching algorithms for intrusion detection , 2004, IEEE INFOCOM 2004.

[2]  B. Karp,et al.  Autograph: Toward Automated, Distributed Worm Signature Detection , 2004, USENIX Security Symposium.

[3]  Sotiris Ioannidis,et al.  Gnort: High Performance Network Intrusion Detection Using Graphics Processors , 2008, RAID.

[4]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[5]  Jason Lee,et al.  The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware , 2007, RAID.

[6]  Beate Commentz-Walter,et al.  A String Matching Algorithm Fast on the Average , 1979, ICALP.

[7]  John W. Lockwood,et al.  Deep packet inspection using parallel bloom filters , 2004, IEEE Micro.

[8]  Evangelos P. Markatos,et al.  An active splitter architecture for intrusion detection and prevention , 2006, IEEE Transactions on Dependable and Secure Computing.

[9]  Viktor K. Prasanna,et al.  Time and area efficient pattern matching on FPGAs , 2004, FPGA '04.

[10]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[11]  John W. Lockwood,et al.  Rethinking Hardware Support for Network Analysis and Intrusion Prevention , 2006, HotSec.

[12]  George Varghese,et al.  Applying Fast String Matching to Intrusion Detection , 2001 .

[13]  John W. Lockwood,et al.  A framework for rule processing in reconfigurable network systems , 2005, 13th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'05).

[14]  Herbert Bos,et al.  SafeCard: A Gigabit IPS on the Network Card , 2006, RAID.

[15]  Herbert Bos,et al.  Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card , 2005, RAID.

[16]  Anja Feldmann,et al.  Predicting the resource consumption of network intrusion detection systems , 2008, SIGMETRICS '08.

[17]  Jon Crowcroft,et al.  Honeycomb , 2004, Comput. Commun. Rev..

[18]  C.J. Coit,et al.  Towards faster string matching for intrusion detection or exceeding the speed of Snort , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[19]  Haoyu Song,et al.  Snort offloader: a reconfigurable hardware NIDS filter , 2005, International Conference on Field Programmable Logic and Applications, 2005..

[20]  Jun Xu,et al.  Packet vaccine: black-box exploit detection and signature generation , 2006, CCS '06.

[21]  Christopher Krügel,et al.  Stateful intrusion detection for high-speed network's , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[22]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[23]  Vern Paxson,et al.  An architecture for exploiting multi-core processors to parallelize network intrusion prevention , 2007, 2007 IEEE Sarnoff Symposium.

[24]  Vern Paxson,et al.  Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention , 2007, CCS '07.

[25]  Viktor K. Prasanna,et al.  Fast Regular Expression Matching Using FPGAs , 2001, The 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'01).

[26]  Wenke Lee,et al.  A hardware platform for network intrusion detection and prevention , 2005 .

[27]  James Newsome,et al.  Polygraph: automatically generating signatures for polymorphic worms , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[28]  Udi Manber,et al.  A FAST ALGORITHM FOR MULTI-PATTERN SEARCHING , 1999 .

[29]  Vern Paxson,et al.  An architecture for exploiting multi-core processors to parallelize network intrusion prevention , 2009, NSS 2009.