On the statistical distribution of processing times in network intrusion detection

Intrusion detection systems (IDSs) are relatively complex devices that monitor information systems in search of security violations. Characterizing the service times of network IDSs is a crucial step in improving their real-time performance. We analyzed about 41 million packets, organized in five data sets of 10 minutes each, collected at the entry point of a large production network and processed by Snort, a commonly used IDS. The processing times of the three main stages in Snort were measured. The main conclusions of our study were: (1) Rule checking accounts for about 75% of the total processing time in IDSs, with the mean payload checking time being 4.5 times larger than the mean header checking time. (2) The distribution of rule checking times is markedly bimodal, a direct consequence of the bimodality of packet composition in current high-speed Internet traffic. (3) Header processing times have a small variance and small correlation coefficients. (4) In contrast, the distribution of payload processing times displays high variance, in a form that can be generally characterized as "slightly heavy-tailed". Explicitly, payload processing times have a lognormal upper tail, clipped at the top 1%; this extreme 1% upper tail is better fit by an exponential distribution. (5) Additionally, payload processing times were shown to be highly correlated, with correlation coefficients several orders of magnitude higher than the confidence bands for the standard whiteness test. The impact of these findings on the design of IDSs for real-time operation in networks is discussed and compared with existing results for processing times of Unix processes, which were shown to display pronounced heavy-tailed characteristics.
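As an added illustration of finding (5), not code from the paper: the whiteness test the abstract refers to, using Bartlett's large-sample 95% band of ±1.96/√N as the reference, run over two constructed sequences of per-packet payload processing times (an i.i.d. lognormal sequence as the white baseline, and a sequence whose log-times follow an AR(1) process, standing in for runs of similar packets). The parameter values, the microsecond scale and the AR(1) model are assumptions, not measurements from the paper.

```python
import math
import random
import statistics


def autocorrelation(xs, max_lag):
    """Sample autocorrelation coefficients r_1..r_max_lag of a sequence of service times."""
    n = len(xs)
    mean = statistics.fmean(xs)
    var = sum((x - mean) ** 2 for x in xs)
    return [
        sum((xs[t] - mean) * (xs[t + k] - mean) for t in range(n - k)) / var
        for k in range(1, max_lag + 1)
    ]


def whiteness_band(n, z=1.96):
    """Bartlett's large-sample 95% band for a white (uncorrelated) sequence: |r_k| < z / sqrt(n)."""
    return z / math.sqrt(n)


def correlated_lags(xs, max_lag):
    """Lags at which the sample autocorrelation leaves the whiteness band."""
    band = whiteness_band(len(xs))
    return [k for k, r in enumerate(autocorrelation(xs, max_lag), start=1) if abs(r) > band]


def iid_payload_times(n, seed=1, mu=math.log(20.0), sigma=0.5):
    """Constructed i.i.d. lognormal payload times (assumed microseconds): the white reference case."""
    rng = random.Random(seed)
    return [rng.lognormvariate(mu, sigma) for _ in range(n)]


def bursty_payload_times(n, seed=2, mu=math.log(20.0), phi=0.8, sigma=0.3):
    """Constructed correlated payload times: log-times follow an AR(1) process (assumed model),
    so a run of similar packets yields a run of similar service times."""
    rng = random.Random(seed)
    times, log_t = [], mu
    for _ in range(n):
        log_t = mu + phi * (log_t - mu) + rng.gauss(0.0, sigma)
        times.append(math.exp(log_t))
    return times


if __name__ == "__main__":
    n = 5000
    print("95% whiteness band for N=%d: +/-%.4f" % (n, whiteness_band(n)))
    for name, seq in (("iid", iid_payload_times(n)), ("bursty", bursty_payload_times(n))):
        r = autocorrelation(seq, 5)
        print(name, "r_1..r_5 =", ["%.3f" % v for v in r], "outside band at lags", correlated_lags(seq, 5))
```

A lag-1 coefficient near 0.8 against a band of about 0.028 is the kind of gap the abstract describes as "orders of magnitude", and it matters for capacity planning because queueing results that assume independent service times understate backlog under such input.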
