Abstract
Signature-based Network Intrusion Detection System (NIDS) sensors match network packets against a pre-configured set of intrusion signatures. Current implementations of NIDS sensors employ only a single thread of execution and as a consequence benefit very little from multi-processor hardware platforms. A multi-threaded sensor would allow more efficient and scalable exploitation of these multi-processor machines. We present in detail a number of novel designs for a multi-threaded NIDS sensor and provide performance evaluation figures for a number of multi-threaded implementations of the popular open-source Snort system.
The authors would like to thank IWT – Vlaanderen for its support in the PANEL framework.
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Haagdorens, B., Vermeiren, T., Goossens, M. (2005). Improving the Performance of Signature-Based Network Intrusion Detection Sensors by Multi-threading. In: Lim, C.H., Yung, M. (eds) Information Security Applications. WISA 2004. Lecture Notes in Computer Science, vol 3325. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31815-6_16
DOI: https://doi.org/10.1007/978-3-540-31815-6_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24015-0
Online ISBN: 978-3-540-31815-6
eBook Packages: Computer Science (R0)