Performance Adaptation in Real-Time Intrusion Detection Systems

Lee, Wenke; Cabrera, J.B.D.; Thomas, Ashley; Balwalli, Niranjan; Saluja, Sunmeet; Zhang, Yi

doi:10.1007/3-540-36084-0_14

Cited by 51 publications

(35 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Even worse, attackers may intentionally overload the monitoring system while an attack is in progress so as to evade detection. Previous research has shown that being able to handle different flows [21], [27], [28], or different parts of each flow [18], [19], in different ways can enable the system to invest its resources more effectively and significantly improve detection accuracy. PPL enables user applications to define the priority of each stream so that under overload conditions packets from low-priority streams are the first to go.…”

Section: B Prioritized Packet Lossmentioning

confidence: 99%

Stream-Oriented Network Traffic Capture and Analysis for High-Speed Networks

Papadogiannakis

Polychronakis

Markatos

2014

IEEE J. Select. Areas Commun.

View full text Add to dashboard Cite

Abstract-Intrusion detection, traffic classification, and other network monitoring applications need to analyze the captured traffic beyond the network layer to allow for connection-oriented analysis, and achieve resilience to evasion attempts based on TCP segmentation. Existing network traffic capture frameworks, however, provide applications with raw packets and leave complex operations like flow tracking and TCP stream reassembly to application developers. This gap, between what applications need and what systems provide, leads to increased application complexity, longer development time, and most importantly, reduced performance due to excessive data copies between the packet capture subsystem and the stream processing module.This paper presents the Stream capture library (Scap), a network monitoring framework built from the ground up for stream-oriented traffic processing. Based on a kernel module that directly handles flow tracking and TCP stream reassembly, Scap delivers to user-level applications flow-level statistics and reassembled streams by minimizing data movement operations and discarding uninteresting traffic at early stages, while it inherently supports parallel processing on multi-core architectures, and uses advanced capabilities of modern network cards. Our experimental evaluation shows that Scap can capture all streams for traffic rates two times higher than other stream reassembly libraries. Finally, we present the implementation and performance evaluation of four popular network traffic monitoring applications built on top of Scap.

show abstract

Section: B Prioritized Packet Lossmentioning

confidence: 99%

Stream-Oriented Network Traffic Capture and Analysis for High-Speed Networks

Papadogiannakis

Polychronakis

Markatos

2014

IEEE J. Select. Areas Commun.

View full text Add to dashboard Cite

show abstract

“…The current trend lays an emphasis on fine-tuning the IDPS configuration to suit the environment and operating conditions where the IDPS will be deployed for better performance [259]. Some IDPSs are carefully designed to be very "lightweight" or are specially configured with high-end hardware (e.g., RealSecure with AppSwitch [180]) to cope with high-speed and high-volume traffic. Most IDPSs are statically configured without considering changes in the operational conditions.…”

Section: Dynamic Adaptationmentioning

confidence: 99%

Security configuration management in intrusion detection and prevention systems

Alsubhi

Alhazmi

Bouabdallah

et al. 2012

IJSN

View full text Add to dashboard Cite

Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defense against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. IDPSs can be network or host-based and can collaborate in order to provide better detection of malicious traffic. Although several IDPS systems have been proposed, their appropriate configuration and control for effective detection/prevention of attacks and efficient resource consumption is still far from trivial.Another concern is related to the slowing down of system performance when maximum security is applied, hence the need to trade off between security enforcement levels and the performance and usability of an enterprise information system.In this dissertation, we present a security management framework for the configuration and control of the security enforcement mechanisms of an enterprise information system. The approach leverages the dynamic adaptation of security measures based on the assessment of system vulnerability and threat prediction, and provides several levels of attack containment. Furthermore, we study the impact of security enforcement levels on the performance and usability of an enterprise information system. In particular, we analyze the impact of an IDPS configuration on the resulting security of the network, and on the network performance. We also analyze the performance of the IDPS for different configurations and under different traffic characteristics. The analysis can then be used to predict the impact of a given security configuration on the prediction of the impact on network performance.iii Acknowledgements All praise is due to Allah who guided me through out this research and beyond.My deepest gratitude is to my advisor, Prof. Raouf Boutaba, for his guidance, support, patience, and encouragement. I have been amazingly fortunate to have an advisor who gave me the freedom to explore on my own, and at the same time the guidance to recover when my steps faltered. He was always available, professional, and friendly. I have learned from him to think differently, be optimistic, and be self motivated. This work would have not been done without his advice and valuable comments.

show abstract

“…More recent work has also explored precompiling a set of filters that a NIDS can then switch among depending on its workload [15,5] or upon detecting floods. To our knowledge, however, supplementing a NIDS's primary filter with an additional, quite different filter, has not been previously explored in the literature.…”

Section: Related Workmentioning

confidence: 99%

Enhancing Network Intrusion Detection with Integrated Sampling and Filtering

González

Paxson

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The structure of many standalone network intrusion detection systems (NIDSs) centers around a chain of analysis that begins with packets captured by a packet filter, where the filter describes the protocols (TCP/UDP port numbers) and sometimes hosts or subnets to include or exclude from the analysis. In this work we argue for augmenting such analysis with an additional, separately filtered stream of packets. This "Secondary Path" supplements the "Main Path" by integrating sampling and richer forms of filtering into a NIDS's analysis. We discuss an implementation of a secondary path for the Bro intrusion detection system and enhancements we developed to the Berkeley Packet Filter to work in concert with the secondary path. Such an additional packet stream provides benefits in terms of both efficiency and ease of expression, which we illustrate by applying it to three forms of NIDS analysis: tracking very large individual connections, finding "heavy hitter" traffic streams, and implementing backdoor detectors (developed in previous work) with particular ease.

show abstract

Performance Adaptation in Real-Time Intrusion Detection Systems

Cited by 51 publications

References 12 publications

Stream-Oriented Network Traffic Capture and Analysis for High-Speed Networks

Stream-Oriented Network Traffic Capture and Analysis for High-Speed Networks

Security configuration management in intrusion detection and prevention systems

Enhancing Network Intrusion Detection with Integrated Sampling and Filtering

Contact Info

Product

Resources

About