MASCOTS 2003: An Active Traffic Splitter Architecture for Intrusion Detection. Ioannis Charitakis, Institute of Computer Science, Foundation of Research And Technology Hellas (FORTH).


Title slide: An Active Traffic Splitter Architecture for Intrusion Detection
Ioannis Charitakis, Institute of Computer Science, Foundation of Research And Technology Hellas (FORTH)
Joint work with: Evangelos Markatos (FORTH), Kostas Anagnastakis (UPENN)

Overview
Introduction
– Snort and Network Intrusion Detection Systems: NIDS is a highly intensive operation
– Simple Splitter
An Active Traffic Splitter
– Light-weight functionality: Early Filtering and Locality Buffers
– Improves NIDS performance up to 19%
Summary and Future Work

Introduction
Snort
– Passive Network Monitoring
– rules (grouped by application)
– Highly Intensive Operation
Current Snort Performance
– One high end PC: Mbit/s
– Multi gigabit links?
– Multiple Sensors

Simple Splitter (figure)
High rate single link → SPLITTER (Find target Sensor) → Lower rate multiple links → SENSORS (SnortV2)

Motivation
Use an Active Splitter
Move simple IDS functionality from sensor to splitter
– Use of Early Filtering (EF)
Enhance performance of each sensor transparently
– No need to modify sensors
– Use of Locality Buffering (LB)

Simple Splitter (repeated figure)
High rate single link → SPLITTER (Find target Sensor) → Lower rate multiple links → SENSORS (SnortV2)

Active Splitter Architecture (section title)

Active Splitter Architecture (figure)
ACTIVE SPLITTER: EF (reduce number of packets to process) → Find target Sensor → LB (traffic shaping) → SENSORS (SnortV2)

Active Splitter Feature: EF
Early Filtering
– Discard packets before reaching any sensor
– Fewer packets to process, fewer interrupts
Early Filtering (figure): small packets with no payload → header-only rules (10% of all rules) → match: further processing; no match: discarded

Active Splitter Feature: LB
Locality Buffers
– Group similar packets together
– Enhance performance of cache memory
Figure: interleaved packet stream (web, p2p, ftp, web, p2p) arriving at SnortV2

Active Splitter Feature: LB (animation step)
Locality Buffers
– Group similar packets together
– Enhance performance of cache memory
Figure: the ftp packet is held in its own buffer; the stream delivered to SnortV2 is now web, p2p, web, p2p

LB: Implementation (figure)
Incoming packets → Hash on dst port → Locality Buffer 1, Locality Buffer 2, …, Locality Buffer N → SnortV2
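The locality-buffer mechanism of the LB slides, as an added simulation that is not part of the original presentation or of the FORTH splitter. Packets are first mapped to a sensor by a symmetric hash of the two endpoint addresses (an assumption; the deck only says "find target sensor"), then within that sensor hashed on destination port into one of N buffers, each flushed to the sensor as one burst once the configured LB size has accumulated. The number of consecutive destination-port changes each sensor sees is used as a stand-in for the cache effect the deck describes, since every change pulls a different port group's rules and code into the sensor's caches. The trace, addresses and sizes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Constructed packet record with only the fields the splitter looks at (assumption).
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    size: int          # bytes on the wire, used to fill a locality buffer


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def target_sensor(p: Packet, n_sensors: int) -> int:
    """'Find target Sensor': symmetric hash of the endpoint pair, so both
    directions of a connection reach the same sensor (design assumption)."""
    return (ip_to_int(p.src_ip) ^ ip_to_int(p.dst_ip)) % n_sensors


def locality_index(p: Packet, n_buffers: int) -> int:
    """'Hash on dst port': the simplest possible hash; packets for the same
    service land in the same buffer (a real splitter would mix the bits)."""
    return p.dst_port % n_buffers


class LBSplitter:
    """Active splitter with N locality buffers per sensor. A buffer is flushed
    to its sensor as one burst when lb_size bytes have accumulated."""

    def __init__(self, n_sensors: int, n_buffers: int, lb_size: int):
        self.n_sensors, self.n_buffers, self.lb_size = n_sensors, n_buffers, lb_size
        self.buffers: Dict[Tuple[int, int], List[Packet]] = {}
        self.fill: Dict[Tuple[int, int], int] = {}
        self.delivered: List[List[Packet]] = [[] for _ in range(n_sensors)]

    def push(self, p: Packet) -> None:
        key = (target_sensor(p, self.n_sensors), locality_index(p, self.n_buffers))
        self.buffers.setdefault(key, []).append(p)
        self.fill[key] = self.fill.get(key, 0) + p.size
        if self.fill[key] >= self.lb_size:
            self._flush(key)

    def _flush(self, key: Tuple[int, int]) -> None:
        sensor, _ = key
        self.delivered[sensor].extend(self.buffers[key])
        self.buffers[key] = []
        self.fill[key] = 0

    def drain(self) -> List[List[Packet]]:
        """Flush every non-empty buffer (end of trace; a real splitter would
        also do this on a timeout so a quiet service is not held back forever)."""
        for key in list(self.buffers):
            if self.buffers[key]:
                self._flush(key)
        return self.delivered


def simple_split(packets: List[Packet], n_sensors: int) -> List[List[Packet]]:
    """The simple splitter of the earlier slide: forward at once, no reordering."""
    out: List[List[Packet]] = [[] for _ in range(n_sensors)]
    for p in packets:
        out[target_sensor(p, n_sensors)].append(p)
    return out


def lb_split(packets: List[Packet], n_sensors: int, n_buffers: int,
             lb_size: int) -> List[List[Packet]]:
    splitter = LBSplitter(n_sensors, n_buffers, lb_size)
    for p in packets:
        splitter.push(p)
    return splitter.drain()


def port_switches(seq: List[Packet]) -> int:
    """Consecutive packets whose dst port differs: a proxy for how often the
    sensor's instruction and data caches change working set."""
    return sum(1 for a, b in zip(seq, seq[1:]) if a.dst_port != b.dst_port)


def make_trace() -> List[Packet]:
    """Constructed trace: two clients interleaving web, p2p, ftp and https packets."""
    ports = [80, 6881, 21, 443]
    return [Packet(f"10.0.0.{1 + i % 2}", "192.168.1.10", ports[i % 4], 1000)
            for i in range(24)]


if __name__ == "__main__":
    trace = make_trace()
    print("simple:", [port_switches(s) for s in simple_split(trace, 2)])
    print("LB:    ", [port_switches(s) for s in lb_split(trace, 2, 8, 3000)])
```

With two sensors, eight buffers and a 3000-byte LB size, each sensor still receives exactly its twelve packets, but the port switches per sensor drop from eleven to three. The cost is latency and memory: the larger the LB size, the longer a packet can sit in the splitter, which is the trade-off behind the "per LB size" and "burst size" measurements later in the deck.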

Rationale of Operation (section title)

Snort Operation
1. Packet classification → Port Group
2. Multipattern search engine → Eligible signatures
3. Packet header analysis → Fully matched signatures
4. Alert, Log, Discard, …
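The four-step pipeline of this slide and the early-filtering decision of the EF slide, as one added example that is not code from the presentation or from Snort itself. A constructed rule set is bucketed by (protocol, destination port) once; each packet is classified to its port group (step 1), the group's content patterns are searched (step 2, with a per-pattern substring test standing in for Snort's multipattern engine), and the header options decide the fully matched signatures (step 3). early_filter applies steps 1 and 3 to the header-only rules of a payload-less packet at the splitter, which is the case the deck says EF can discard. The sids, messages, patterns and packets are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    dst_port: int
    flags: str              # TCP flag letters in Snort style ("S", "PA", "FPU"); "" for UDP
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    dst_port: Optional[int]     # None: any port
    flags: Optional[str]        # None: any flags
    content: Optional[bytes]    # None: header-only rule, no payload check
    msg: str


# Constructed rule set in the spirit of Snort signatures; sids, messages and
# patterns are invented for this example and are not Snort's own rules.
RULES = [
    Rule(1001, "tcp", 80, None, b"/cgi-bin/phf", "WEB-CGI phf access"),
    Rule(1002, "tcp", 80, None, b"../..", "WEB-MISC directory traversal"),
    Rule(1003, "tcp", 21, None, b"SITE EXEC", "FTP SITE EXEC attempt"),
    Rule(1004, "tcp", 23, "S", None, "TELNET connection attempt"),
    Rule(1005, "tcp", None, "FPU", None, "SCAN XMAS"),
    Rule(1006, "udp", 161, None, b"public", "SNMP public community string"),
]

PortGroups = Dict[Tuple[str, Optional[int]], List[Rule]]


def build_port_groups(rules: List[Rule]) -> PortGroups:
    """Done once at start-up: rules are bucketed by (proto, dst port)."""
    groups: PortGroups = {}
    for r in rules:
        groups.setdefault((r.proto, r.dst_port), []).append(r)
    return groups


def classify(p: Packet, groups: PortGroups) -> List[Rule]:
    """Step 1: packet classification -> the port group plus the 'any port' rules."""
    return groups.get((p.proto, p.dst_port), []) + groups.get((p.proto, None), [])


def multipattern_search(p: Packet, candidates: List[Rule]) -> List[Rule]:
    """Step 2: multipattern search -> eligible signatures. Snort makes one
    Aho-Corasick/Wu-Manber pass over all contents of the group; a per-pattern
    substring test gives the same answer here (simplification)."""
    return [r for r in candidates if r.content is None or r.content in p.payload]


def header_analysis(p: Packet, eligible: List[Rule]) -> List[Rule]:
    """Step 3: packet header analysis -> fully matched signatures."""
    return [r for r in eligible if r.flags is None or r.flags == p.flags]


def process(p: Packet, groups: PortGroups) -> List[Tuple[int, str]]:
    """Steps 1-4 on the sensor for one packet; returns the alerts it raises."""
    matched = header_analysis(p, multipattern_search(p, classify(p, groups)))
    return [(r.sid, r.msg) for r in matched]


def early_filter(p: Packet, groups: PortGroups) -> bool:
    """Active splitter EF: a packet with no payload can only match header-only
    rules, so the splitter evaluates those itself and forwards the packet only
    on a match; every packet that carries a payload is forwarded."""
    if p.payload:
        return True
    header_only = [r for r in classify(p, groups) if r.content is None]
    return bool(header_analysis(p, header_only))


def split_early(packets: List[Packet], groups: PortGroups):
    forwarded = [p for p in packets if early_filter(p, groups)]
    dropped = [p for p in packets if not early_filter(p, groups)]
    return forwarded, dropped


# Constructed trace: an HTTP request, a pure ACK, a telnet SYN, an Xmas-flagged
# probe, an FTP command, an SNMP request and an SSH pure ACK.
TRACE = [
    Packet("tcp", 80, "PA", b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
    Packet("tcp", 80, "A", b""),
    Packet("tcp", 23, "S", b""),
    Packet("tcp", 8080, "FPU", b""),
    Packet("tcp", 21, "PA", b"SITE EXEC test\r\n"),
    Packet("udp", 161, "", b"\x30\x0c\x02\x01\x00\x04\x06public"),
    Packet("tcp", 22, "A", b""),
]

if __name__ == "__main__":
    groups = build_port_groups(RULES)
    fwd, drop = split_early(TRACE, groups)
    print(f"forwarded {len(fwd)}, dropped {len(drop)} by early filtering")
    for p in fwd:
        print(p.proto, p.dst_port, process(p, groups))
```

The property that makes EF safe for signature matching is that every packet the splitter drops is one on which the sensor would have raised no alert, which the code lets you check directly by running process over the dropped list. One caveat when moving from this simulation to a real deployment: Snort's stream preprocessor builds per-connection state from headers alone, so payload-less packets such as pure ACKs may still be wanted by it; the set a splitter may drop is the set that matches no header-only rule and that no enabled preprocessor needs.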

Memory Organization
Main memory
– Slow
– Large
– Has everything
Cache
– Faster
– Smaller
– Has regularly accessed data (tries to…)
Data and instructions are fetched to cache before use

Memory Organization (figure)
MAIN MEM → I CACHE / D CACHE → CPU

Performance Measurements
Simple Splitter versus:
– Splitter/LB
– Splitter/EF
– Splitter/LB+EF
Simulations
– All measurements on same machine
– Trace (NLANR) split and shaped to several files
– Snort v2 build 20
Measured processing time (user + system time)

PM: Per number of Sensors (plot)

PM: Per number of LBs (plot)

PM: Per LB Size (plot)

PM: Burst size (plot)

Early Filtering Performance
Number of packets with no content
– 40% with no payload
Reduction in system time
– 16.8% (10.1 → 8.7 sec)
Reduction in user time
– 6.6% (45.67 → 42.66 sec)
Combined reduction
– 8%

LB + EF Performance
4 Sensors, 16 LBs, 256 KB / LB
Aggregate User Time
– 19.8% (47.27 → 37.88 sec)
Slowest Sensor
– 14.4% (12.38 → 10.93 sec)

Summary and Future Work
Active Splitter
– Early Filtering
– Locality Buffers
Enhances performance transparently
– No need to change Sensors
– Simulations are promising
Future Work
– Implementation