
Improving the Performance of Signature-Based Network Intrusion Detection Sensors by Multi-threading

  • Conference paper
Information Security Applications (WISA 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3325)

Abstract

Signature-based Network Intrusion Detection System (NIDS) sensors match network packets against a pre-configured set of intrusion signatures. Current implementations of NIDS sensors employ only a single thread of execution and as a consequence benefit very little from multi-processor hardware platforms. A multi-threaded sensor would allow more efficient and scalable exploitation of these multi-processor machines. We present in detail a number of novel designs for a multi-threaded NIDS sensor and provide performance evaluation figures for a number of multi-threaded implementations of the popular open-source Snort system.

The authors would like to thank IWT – Vlaanderen for its support in the PANEL framework.




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Haagdorens, B., Vermeiren, T., Goossens, M. (2005). Improving the Performance of Signature-Based Network Intrusion Detection Sensors by Multi-threading. In: Lim, C.H., Yung, M. (eds) Information Security Applications. WISA 2004. Lecture Notes in Computer Science, vol 3325. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31815-6_16


  • DOI: https://doi.org/10.1007/978-3-540-31815-6_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-24015-0

  • Online ISBN: 978-3-540-31815-6

  • eBook Packages: Computer Science (R0)