Abstract: While the use of network intrusion detection systems (nIDS) is becoming pervasive, evaluating nIDS performance has been found to be challenging. The goal of this study is to determine how to generate realistic workloads for nIDS performance evaluation. We develop a workload model that appears to provide reasonably accurate estimates compared to real workloads. The model attempts to emulate a traffic mix of different applications, reflecting characteristics of each application and the way these interact with th…
“…Recall that the value of variable h is 3. After executing the foreach loop in Lines 7-9, T = {(5, 1), (6, 1), (7, 4), (8, 2)}. Set T is sorted by the second coordinate in descending order, resulting in T = {(7, 4), (8, 2), (5, 1), (6, 1)}.…”
“…Set T is sorted by the second coordinate in descending order, resulting in T = {(7, 4), (8, 2), (5, 1), (6, 1)}. The foreach loop in Lines 11-20 initially selects (7, 4) and checks to see if all child states of state 7 can be added to the head part. Since HEAD.…”
“…Pattern matching, which can consume up to 70% of system execution time [7,8], is the most important factor in overall signature-based NIDS system performance. There are two types of pattern matching algorithms: software-based and hardware-based, with the second achieving high matching speed via special-purpose devices such as field programmable gate arrays (FPGAs) [9][10][11][12][13], content addressable memory (CAM) [14,15], and application-specific integrated circuits (ASICs) [16].…”
Abstract: As part of network security processes, network intrusion detection systems (NIDSs) determine whether incoming packets contain malicious patterns. Pattern matching, the key NIDS component, consumes large amounts of execution time. One of several trends involving general-purpose processors (GPPs) is their use in software-based NIDSs. In this paper, we describe our proposal for an efficient and flexible pattern-matching algorithm for inspecting packet payloads using a head-body finite automaton (HBFA). The proposed algorithm takes advantage of multi-core GPP parallelism and single-instruction multiple-data operations to achieve higher throughput compared to that resulting from traditional deterministic finite automata (DFA) using the Aho-Corasick algorithm. Whereas the head-body matching (HBM) algorithm is based on pre-defined DFA depth value, our HBFA algorithm is based on head size. Experimental results using Snort and ClamAV pattern sets indicate that the proposed algorithm achieves up to 58% higher throughput compared to its HBM counterpart.
“…Signature matching is a highly computationally intensive process, accounting for about 75% of the total CPU processing time of modern NIDSes [2,7]. This overhead arises from the fact that most of the time, every byte of every packet needs to be processed as part of the string searching algorithm that searches for matches among a large set of strings from all signatures that apply for a particular packet.…”
Abstract. The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.
“…Pattern matching is a time-consuming task in an NIDS. Studies have indicated that it consumes up to 70% of the system's execution time (3)(4)(5)(6). Therefore, the pattern matching performance is crucial to an NIDS.…”
In order to protect networks from attacks, network intrusion detection systems (NIDS) have been widely deployed. These devices scan incoming packets to detect malicious content according to the predefined patterns. It is time consuming for NIDS to inspect each packet to check if it contains any patterns. In this paper, we propose a scalable and high-performance pattern matching algorithm. The key idea behind the proposed algorithm is to build a small and adjustable lookup table which can be completely stored in the on-chip memory of a network processor, and reduce the probability of accessing the external memory. Since the latency of one on-chip memory access is far smaller than that of one external memory access, the time required to inspect a packet can be greatly reduced. Simulation results show that the proposed algorithm is significantly better than the compared algorithm in terms of speed and scalability.