MASCOTS 2003 An Active Traffic Splitter Architecture for Intrusion Detection Ioannis Charitakis Institute of Computer Science Foundation of Research And.


1 MASCOTS 2003
An Active Traffic Splitter Architecture for Intrusion Detection
Ioannis Charitakis
Institute of Computer Science, Foundation of Research And Technology Hellas (FORTH)
Joint work with: Evangelos Markatos (FORTH), Kostas Anagnostakis (UPENN)

2 Overview
Introduction
–Snort and Network Intrusion Detection Systems
–NIDS: highly intensive operation
–Simple Splitter
An Active Traffic Splitter
–Light-weight functionality: Early Filtering and Locality Buffers
–Improves NIDS performance up to 19%
Summary and Future Work

3 Introduction
Snort (www.snort.org)
–Passive network monitoring
–1500-1700 rules (grouped by application)
–Highly intensive operation
Current Snort performance
–One high-end PC: 300-400 Mbit/s
–Multi-gigabit links?
–Multiple sensors

4 Simple Splitter
[Figure: a single high-rate link enters the splitter, whose only job is to find the target sensor for each packet and forward it over one of several lower-rate links to the SnortV2 sensors.]

5 Motivation
Use an active splitter
Move simple IDS functionality from sensor to splitter
–Use of Early Filtering (EF)
Enhance performance of each sensor transparently
–No need to modify sensors
–Use of Locality Buffering (LB)

6 Simple Splitter (repeated)
[Same diagram as slide 4: high-rate single link, splitter finds the target sensor, lower-rate links to the SnortV2 sensors.]

7-8 Active Splitter Architecture
[Figure: the active splitter sits between the high-rate link and the SnortV2 sensors. Stages inside the splitter: EF (reduce the number of packets to process), find target sensor, LB (traffic shaping).]

9 Active Splitter Feature: EF
Early Filtering
–Discard packets before reaching any sensor
–Fewer packets to process, fewer interrupts
[Figure: early-filtering flow. Small packets with no payload are checked against the header-only rules (10% of all rules). A packet without payload can only ever match a header-only rule, so a match is passed on for further processing and no match means the packet is discarded at the splitter.]

10-11 Active Splitter Feature: LB
Locality Buffers
–Group similar packets together
–Enhance performance of cache memory
[Figure: on the input link packets of different applications arrive interleaved (web, p2p, ftp, web, p2p, ...); after locality buffering the SnortV2 sensor sees them in runs of the same application.]

12 LB: Implementation
[Figure: N locality buffers (Locality Buffer 1 ... Locality Buffer N) in front of SnortV2; each packet is placed into the buffer selected by a hash on its destination port.]
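The splitter behaviour of slides 5-12 (early filtering, target-sensor selection, locality buffers hashed on destination port, flush when a buffer fills) as a small simulation. This is an added example and not code from the paper or from FORTH; the packet fields, the header-only rule set, the 54-byte header length, the symmetric flow-to-sensor hash and the flush policy are assumptions made for the illustration, and the trace is constructed.

```python
"""Toy active traffic splitter: early filtering (EF) plus locality buffers (LB).

Added illustration, not code from the MASCOTS 2003 paper or FORTH.  Only the
slide-level behaviour is taken from the talk: EF drops payload-less packets that
match no header-only rule, the splitter picks a target sensor per packet, and LBs
group packets by a hash of the destination port before handing them to a sensor.
Packet fields, header-only rules, header length, flow hash and flush policy are
assumptions.
"""
from collections import namedtuple
import zlib

Packet = namedtuple("Packet", "src dst sport dport proto payload")
HEADER_LEN = 54  # assumed Ethernet + IPv4 + TCP header bytes per packet

# Assumed header-only rules (the ~10% of Snort rules without a content option),
# as (proto, dport, message).  Only header fields are inspected.
HEADER_RULES = [("tcp", 23, "telnet attempt"), ("udp", 69, "tftp")]


def header_rule_matches(pkt):
    return any(pkt.proto == proto and pkt.dport == dport
               for proto, dport, _msg in HEADER_RULES)


def early_filter(pkt):
    """True if the splitter should drop the packet before any sensor sees it.

    A packet with no payload can only match header-only rules; if none fires
    there is nothing left for a sensor to do.  Packets with payload are always
    forwarded because content rules need the sensor's pattern matcher.
    """
    return len(pkt.payload) == 0 and not header_rule_matches(pkt)


def runs(pkts):
    """Number of maximal runs of consecutive packets with the same dport."""
    return sum(1 for i, p in enumerate(pkts) if i == 0 or p.dport != pkts[i - 1].dport)


class ActiveSplitter:
    def __init__(self, n_sensors, n_buffers, buffer_bytes):
        self.n_sensors, self.n_buffers, self.buffer_bytes = n_sensors, n_buffers, buffer_bytes
        self.buffers = [[[] for _ in range(n_buffers)] for _ in range(n_sensors)]
        self.fill = [[0] * n_buffers for _ in range(n_sensors)]
        self.delivered = [[] for _ in range(n_sensors)]  # order each sensor receives
        self.dropped = 0

    def sensor_for(self, pkt):
        # Assumed policy: hash the unordered endpoint pair so both directions of a
        # connection reach the same sensor (stream reassembly needs that).
        lo, hi = sorted((f"{pkt.src}:{pkt.sport}", f"{pkt.dst}:{pkt.dport}"))
        return zlib.crc32(f"{pkt.proto}|{lo}|{hi}".encode()) % self.n_sensors

    def buffer_for(self, pkt):
        # Slide 12: hash on destination port.  Plain modulo keeps the example
        # deterministic; a real splitter would use a better-mixed hash.
        return pkt.dport % self.n_buffers

    def push(self, pkt):
        if early_filter(pkt):
            self.dropped += 1
            return
        s, b = self.sensor_for(pkt), self.buffer_for(pkt)
        size = HEADER_LEN + len(pkt.payload)
        if self.fill[s][b] + size > self.buffer_bytes:  # buffer full: flush it first
            self.flush(s, b)
        self.buffers[s][b].append(pkt)
        self.fill[s][b] += size

    def flush(self, s, b):
        self.delivered[s].extend(self.buffers[s][b])
        self.buffers[s][b], self.fill[s][b] = [], 0

    def flush_all(self):
        for s in range(self.n_sensors):
            for b in range(self.n_buffers):
                self.flush(s, b)


def constructed_trace():
    """Constructed sample traffic: web, p2p and ftp flows interleaved, each
    followed by a payload-less ACK to port 80, plus one bare SYN to telnet."""
    pkts = []
    for i in range(12):
        dport = (80, 6881, 21)[i % 3]
        payload = b"GET / HTTP/1.0\r\n" if dport == 80 else b"x" * 20
        pkts.append(Packet(f"10.0.0.{i + 1}", "192.0.2.1", 40000 + i, dport, "tcp", payload))
        pkts.append(Packet(f"10.0.0.{i + 1}", "192.0.2.1", 40000 + i, 80, "tcp", b""))
    pkts.append(Packet("10.0.0.99", "192.0.2.1", 41000, 23, "tcp", b""))  # header rule fires
    return pkts


def run_demo(n_sensors=1, n_buffers=8, buffer_bytes=256 * 1024):
    trace = constructed_trace()
    splitter = ActiveSplitter(n_sensors, n_buffers, buffer_bytes)
    for pkt in trace:
        splitter.push(pkt)
    splitter.flush_all()
    kept = [p for p in trace if not early_filter(p)]
    return {
        "dropped": splitter.dropped,
        "forwarded": sum(len(d) for d in splitter.delivered),
        "runs_in": runs(kept),                                  # order without LB
        "runs_out": sum(runs(d) for d in splitter.delivered),  # order sensors see
    }


if __name__ == "__main__":
    print(run_demo())                 # large LBs: four long same-port runs
    print(run_demo(buffer_bytes=70))  # LB holds one packet: no grouping at all
```

With the slide-24 buffer size (256 KB) the 13 surviving packets reach the sensor in four same-port runs instead of thirteen, and the twelve payload-less ACKs never leave the splitter; shrinking the buffer to a single packet degrades the output order to that of the simple splitter. Two caveats for a real deployment: locality buffering delays and reorders packets across flows, so the buffer size bounds the latency a sensor's stream reassembly has to tolerate, and hashing on the destination port alone sends the server-to-client direction (whose dport is the ephemeral client port) to a different buffer than the request.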

13 Rationale of Operation

14 Snort Operation
1. Packet classification -> port group
2. Multipattern search engine -> eligible signatures
3. Packet header analysis -> fully matched signatures
4. Alert, log, discard, ...


16 Memory Organization
Main memory
–Slow
–Large
–Has everything
Cache
–Faster
–Smaller
–Has regularly accessed data (tries to...)
Data and instructions are fetched to cache before use

17 Memory Organization
[Figure: CPU with a separate instruction cache (I-cache) and data cache (D-cache) in front of main memory.]
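Why the grouping of slides 10-12 pays off in the pipeline of slide 14 and the memory hierarchy of slides 16-17, as an added example (not from the paper): the sensor is reduced to "classify by destination port, then walk that port group's rule tables", each port group is assumed to occupy a fixed set of cache lines, and an LRU cache counts misses for interleaved versus grouped packet order. The port-to-group mapping, working-set sizes and cache capacity are made-up values.

```python
"""Why locality buffers help: a toy LRU cache model of a Snort sensor.

Added illustration, not code from the paper.  Slide 14's pipeline is reduced to
"classify packet -> port group -> run that group's matcher", and each group's
matcher is assumed to touch a fixed, disjoint set of cache lines (its working
set).  Port mapping, working-set sizes and cache capacity are invented.
"""
from collections import OrderedDict

# Stage 1: destination port -> port group (assumed mapping).
PORT_GROUP = {80: "web", 6881: "p2p", 21: "ftp"}

# Stage 2: cache lines each group's rule tables occupy (assumed, disjoint).
WORKING_SET = {
    "web": range(0, 40),
    "p2p": range(100, 140),
    "ftp": range(200, 240),
}


class LRUCache:
    """Fully associative LRU cache of `capacity` lines; counts misses."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.lines = OrderedDict()
        self.misses = 0

    def touch(self, addr):
        if addr in self.lines:
            self.lines.move_to_end(addr)  # hit: refresh recency
            return
        self.misses += 1
        self.lines[addr] = True
        if len(self.lines) > self.capacity:
            self.lines.popitem(last=False)  # evict least recently used line


def sensor_misses(dports, capacity):
    """Process packets (given as destination ports) and return D-cache misses."""
    cache = LRUCache(capacity)
    for dport in dports:
        group = PORT_GROUP[dport]        # stage 1: classification
        for line in WORKING_SET[group]:  # stage 2: matcher walks its tables
            cache.touch(line)
    return cache.misses


def interleaved(n):
    """Packet order on the wire: web, p2p, ftp, web, p2p, ftp, ..."""
    return [80, 6881, 21] * n


def grouped(n):
    """Same packets after locality buffering: all web, then all p2p, then all ftp."""
    return [80] * n + [6881] * n + [21] * n


if __name__ == "__main__":
    for cap in (64, 120):
        print(cap, sensor_misses(interleaved(4), cap), sensor_misses(grouped(4), cap))
```

With a 64-line cache and three 40-line working sets, the interleaved order cycles through more lines than the cache holds, so under LRU every packet misses on every line (480 misses for 12 packets), while the grouped order misses only when the group changes (120). Once the cache is large enough for all working sets (120 lines) both orders cost the same 120 compulsory misses: locality buffering only helps when the active rule tables exceed the cache, which is exactly the regime slide 16 describes.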

18 Performance Measurements
Simple splitter versus:
–Splitter/LB
–Splitter/EF
–Splitter/LB+EF
Simulations
–All measurements on the same machine
–Trace (NLANR) split and shaped into several files
–Snort v2 build 20
Measured processing time (user + system time)

19 PM: per number of sensors
[Figure: processing time versus number of sensors.]

20 PM: per number of LBs
[Figure: processing time versus number of locality buffers.]

21 PM: per LB size
[Figure: processing time versus locality buffer size.]

22 PM: burst size
[Figure: processing time versus burst size.]

23 Early Filtering Performance
Number of packets with no content
–40% with no payload
Reduction in system time
–16.8% (10.1 -> 8.7 sec)
Reduction in user time
–6.6% (45.67 -> 42.66 sec)
Combined reduction
–8%

24 LB + EF Performance
4 sensors, 16 LBs, 256 KB / LB
Aggregate user time
–19.8% (47.27 -> 37.88 sec)
Slowest sensor
–14.4% (12.38 -> 10.93 sec)

25 Summary and Future Work
Active Splitter
–Early Filtering
–Locality Buffers
Enhances performance transparently
–No need to change sensors
–Simulations are promising
Future Work
–Implementation
