Enhancing Network Intrusion Detection with Integrated Sampling and Filtering

González, José María Faci; Paxson, Vern

doi:10.1007/11856214_14

Cited by 16 publications

(14 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…RELATED WORK Snort [9] and Bro [8], [3], [5], [10], [2] are two of the more popular public domain Network Intrusion Detection Systems (NIDSs). The current implementation of Snort uses the optimized version of the AC automaton [1].…”

Section: Resultsmentioning

confidence: 99%

Highly compressed multi-pattern string matching on the cell broadband engine

Zha

Scarpazza

Sahni

2011

2011 IEEE Symposium on Computers and Communications (ISCC)

View full text Add to dashboard Cite

Abstract-With its 9 cores per chip, the IBM Cell/Broadband Engine (Cell) can deliver an impressive amount of compute power and benefit the string-matching kernels of network security, business analytics and natural language processing applications. However, the available amount of main memory on the system limits the maximum size of the dictionary supported by the string matching solution.To counter that, we propose a technique that employs compressed Aho-Corasick automata to perform fast, exact multipattern string matching with very large dictionaries. Our technique achieves the remarkable compression factors of 1:34 and 1:58, respectively, on the memory representation of Englishlanguage dictionaries and random binary string dictionaries. We demonstrate a parallel implementation for the Cell processor that delivers a sustained throughput between 0.90 and 2.35 Gbps per Cell blade, while supporting dictionary sizes up to 9.2 Million average patterns per Gbyte of main memory, and exhibiting resilience to content-based attacks.This high dictionary density enables natural language applications of an unprecedented scale to run on a single server blade.

show abstract

Section: Resultsmentioning

confidence: 99%

Highly compressed multi-pattern string matching on the cell broadband engine

Zha

Scarpazza

Sahni

2011

2011 IEEE Symposium on Computers and Communications (ISCC)

View full text Add to dashboard Cite

show abstract

“…However, decryption times are typically small and only a small portion of the packet will be decrypted using Two-Key IPsec. Further, there is ongoing research [6,7,15,16] to improve the performance of NIDSs and deal with growing traffic rates.…”

Section: Discussionmentioning

confidence: 99%

Making Network Intrusion Detection Work With IPsec

McLain¹,

Studer²,

Lippmann³

2007

View full text Add to dashboard Cite

Network-based intrusion detection systems (NIDSs) are one component of a comprehensive network security solution. The use of IPsec, which encrypts network traffic, renders network intrusion detection virtually useless unless traffic is decrypted at network gateways. One alternative to NIDSs, host-based intrusion detection systems (HIDSs), provides some of the functionality of NIDSs but with limitations. HIDSs cannot perform a network-wide analysis and can be subverted if a host is compromised. We propose an approach to intrusion detection that coinbines HIDS, NIDS, and a version of IPsec that encrypts the header and the body of IP packets separately. We refer to the latter generically as Two-Key IPsec. We show that all of the network events currently detectable by the Snort NIDS on unencrypted network traffic are also detectable on encrypted network traffic using this approach. The NIDS detects network-level events that HIDSs have trouble detecting and HIDSs detect application-level events that can't be detected by the NIDS. 111 ACKNOWLEDGMENTSThis work was sponsored by David Kenyon of the Air Force Electronic Systems Command, GIG Network Architecture Office.

show abstract

“…The authors then use this technique to create a behavioral pattern, which can be used to block potential ''exploit traffic'' (Xu et al, 2005a, b) by constructing appropriate Access Control Lists for routers. Gonzalez and Paxson (2006), also inspired by AutoFocus, proposed packet level random sampling to detect heavy-hitters in network traffic. It has been observed (Duffield et al, 2001;Feldmann et al, 2001) that a small number of heavy flows account for a large amount of traffic.…”

Section: Desired Characteristics Of Our Sampling Algorithmmentioning

confidence: 99%