1 / 17

An Active Traffic Splitter Architecture for Intrusion Detection

An Active Traffic Splitter Architecture for Intrusion Detection. Ioannis Charitakis Institute of Computer Science Foundation of Research And Technology Hellas, FORTH Joint work with: Evangelos Markatos, FORTH Kostas Anagnastakis, UPENN. Overview. Introduction

jacques
Download Presentation

An Active Traffic Splitter Architecture for Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Active Traffic Splitter Architecture for Intrusion Detection Ioannis Charitakis Institute of Computer Science Foundation of Research And Technology Hellas, FORTH Joint work with: Evangelos Markatos, FORTH Kostas Anagnastakis, UPENN

  2. Overview • Introduction • Snort and Network Intrusion Detection Systems • NIDS: highly intensive operation • Simple Splitter • An Active Traffic Splitter • Light-weight functionality • Early Filtering and Locality Buffers • Improves NIDS performance up to 19% • Summary and Future Work

  3. Introduction • Snort (www.snort.org) • Passive Network Monitoring • 1500-1700 rules (grouped by application) • Highly Intensive Operation • Current Snort Performance • One high end PC: 300-400 Mbit/s • Multi gigabit links ? • Multiple Sensors

  4. Simple Splitter SnortV2 Find target Sensor Lower rate multiple links High rate single link SnortV2 SPLITTER SENSORS

  5. Motivation Use an Active Splitter • Move simple IDS functionality from sensor to splitter • Use of Early Filtering (EF) • Enhance performance of each sensor transparently. • No need to modify sensors • Use of Locality Buffering (LB)

  6. Simple Splitter (repeated) SnortV2 Find target Sensor Lower rate multiple links High rate single link SnortV2 SPLITTER SENSORS

  7. Active Splitter Architecture SnortV2 LB: Traffic Shaping EF Reduce #pkts to process Find target Sensor SnortV2 LB: Traffic Shaping SENSORS ACTIVE SPLITTER

  8. Active Splitter Feature: EF • Early Filtering • Discard packets before reaching any sensor • Fewer packets to process, Fewer interrupts Early Filtering • Header-only rules • 10% of all rules • Small packets • No payload Further processing No match

  9. Active Splitter Feature: LB • Locality Buffers • Group similar packets together • Enhance performance of cache memory SnortV2 web p2p ftp web p2p

  10. Active Splitter Feature: LB • Locality Buffers • Group similar packets together • Enhance performance of cache memory SnortV2 ftp web web p2p p2p

  11. LB: Implementation Locality Buffer 1 Locality Buffer 2 Hash on dst port SnortV2 Locality Buffer N

  12. Performance Measurements • Simple Splitter versus : • Splitter/LB • Splitter/EF • Splitter/LB+EF • Simulations • All measurements on same machine • Trace (NLANR) split and shaped to several files • Snort v2 build 20 • Measured processing time (user + system time)

  13. PM: Per number of Sensors

  14. PM: Burst size

  15. Early Filtering Performance • Number of packets with no content • 40% with no payload • Reduction in system time • 16.8% (10.1  8.7sec) • Reduction in user time • 6.6% (45.67  42.66sec) • Combined reduction • 8%

  16. LB + EF Performance • 4 Sensors • 16 LBs • 256 KB / LB • Aggregate User Time • 19.8% (47.27  37.88sec) • Slowest Sensor • 14.4% (12.38  10.93sec)

  17. Summary and Future Work • Active Splitter • Early Filtering • Locality Buffers • Enhances performance Transparently • No need to change Sensors • Simulations are promising • Future Work • Implementation

More Related