Performance analysis in Intrusion Detection and Prevention Systems

Intrusion Detection and/or Prevention Systems (IDPS) are an important line of defense against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. Although many IDPS have been proposed, configuring and controlling them for effective attack detection/prevention at an acceptable resource cost has always been challenging. Evaluating IDPS performance under a given security configuration is a crucial step toward improving real-time capability. This paper analyzes the impact of security enforcement levels on the performance and usability of an enterprise information system. We develop a new analytical model to investigate the relationship between IDPS performance and the selected rule mode. In particular, we analyze the IDPS rule-checking process together with the action it triggers (i.e., alert or drop), and the effect of both on the resulting security of the network and on the average service time per event. A simulation was conducted to validate the performance analysis. Our results show that applying different sets of rule categories and configuration parameters changes the average service time and affects system security, and that a balance must be struck between system security and network performance.
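The trade-off the abstract describes can be made concrete with a small queueing-style model of the rule-checking process. The following Python is an added illustration, not the paper's analytical model: it assumes rules are checked in a fixed order, that each rule has a constructed check cost and match probability, that a match in "drop" mode discards the event (so later rules are skipped) while a match in "alert" mode only logs and lets the event continue, and that matches are independent across rules. The two constructed rules, their costs and probabilities are made up for the example. It computes the expected service time per event and a crude security proxy (matches that were recognised but still forwarded) for alert-only, drop-only and mixed configurations, and cross-checks the closed forms with a Monte Carlo run.

```python
"""Toy model of IDPS rule checking: per-event service time versus
alert/drop mode. Added illustration only; not the model from the paper."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Rule:
    name: str
    check_cost: float   # time units to test the rule against one event
    match_prob: float   # assumed probability that a random event matches
    mode: str           # "alert": log and keep processing; "drop": discard and stop
    action_cost: float  # time units to emit the alert or perform the drop


def expected_service_time(rules):
    """Analytical mean service time per event.

    Rules are checked in list order. An event that matches a 'drop' rule
    is discarded, so later rules are never evaluated for it; an 'alert'
    match only adds the alert cost. Matches are assumed independent
    across rules (a modelling assumption, not a fact about real sensors).
    """
    total = 0.0
    p_alive = 1.0  # probability the event has not yet been dropped
    for r in rules:
        total += p_alive * (r.check_cost + r.match_prob * r.action_cost)
        if r.mode == "drop":
            p_alive *= 1.0 - r.match_prob
    return total


def expected_unprevented_matches(rules):
    """Expected number of rule matches per event that are only alerted
    on, i.e. traffic the sensor recognised but still forwarded. Used here
    as a crude proxy for the security cost of alert mode."""
    leaked = 0.0
    p_alive = 1.0
    for r in rules:
        if r.mode == "alert":
            leaked += p_alive * r.match_prob
        else:
            p_alive *= 1.0 - r.match_prob
    return leaked


def simulate(rules, n_events=20000, seed=1):
    """Monte Carlo check of the two formulas above on synthetic events.
    Returns (mean service time, unprevented matches per event)."""
    rng = random.Random(seed)
    time_total = 0.0
    leaked_total = 0
    for _ in range(n_events):
        for r in rules:
            time_total += r.check_cost
            if rng.random() < r.match_prob:
                time_total += r.action_cost
                if r.mode == "drop":
                    break          # event discarded; skip remaining rules
                leaked_total += 1  # alert only: event continues to the host
    return time_total / n_events, leaked_total / n_events


def configs():
    """Three configurations of the same two constructed rules (costs and
    match probabilities are made up for illustration)."""
    def rule(name, cost, p, mode):
        return Rule(name, cost, p, mode, action_cost=0.5)
    return {
        "alert_all": [rule("scan", 1.0, 0.2, "alert"), rule("exploit", 2.0, 0.1, "alert")],
        "drop_all":  [rule("scan", 1.0, 0.2, "drop"),  rule("exploit", 2.0, 0.1, "drop")],
        "mixed":     [rule("scan", 1.0, 0.2, "alert"), rule("exploit", 2.0, 0.1, "drop")],
    }


if __name__ == "__main__":
    for name, rules in configs().items():
        t, leak = expected_service_time(rules), expected_unprevented_matches(rules)
        sim_t, sim_leak = simulate(rules)
        print(f"{name:10s} service={t:.3f} (sim {sim_t:.3f}) "
              f"unprevented={leak:.3f} (sim {sim_leak:.3f})")
```

Under these assumptions the drop-only configuration is both the most secure (no recognised event is forwarded) and the cheapest per event, because a dropped event skips every later rule; the alert-only configuration pays the full rule chain for every event and forwards what it detects. The mixed configuration shows the knob the abstract refers to: moving a rule category from alert to drop trades false-positive risk (legitimate traffic dropped, not modelled here) for lower service time and fewer unprevented matches. Real sensors have dependent matches, per-flow state and protocol parsing costs that this model ignores, so treat it as a way of reasoning about the shape of the trade-off rather than a predictor of throughput.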
