Stateful, in-depth, inline traffic analysis for intrusion detection and prevention is growing increasingly difficult as the data rates of modern networks rise. Yet it remains the case that in many environments, much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as "likely uninteresting." We present a combined hardware/software architecture, Shunting, that provides a lightweight mechanism for an intrusion prevention system (IPS) to take advantage of the "heavy-tailed" nature of network traffic to offload work from software to hardware. The primary innovation of Shunting is the introduction of a simple in-line hardware element that caches rules for IP addresses and connection 5-tuples, as well as fixed rules for IP/TCP flags. The caches, using a highest-priority match, yield a per-packet decision: forward the packet, drop it, or divert it through the IPS. By manipulating cache entries, the IPS can specify what traffic it no longer wishes to examine, including directly blocking malicious sources or cutting through portions of a single flow once it has had an opportunity to "vet" them, all on a fine-grained basis. We have implemented a prototype Shunt hardware design using the NetFPGA 2 platform, capable of Gigabit Ethernet operation. In addition, we have adapted the Bro intrusion detection system to utilize the Shunt framework to offload less-interesting traffic. We evaluate the effectiveness of the resulting system using traces from three sites, finding that the IDS can use this mechanism to offload 55%-90% of the traffic while also gaining intrusion prevention functionality.
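As an added illustration (not code from the paper, the Shunt prototype or Bro), the following Python model reproduces the decision the abstract describes: three rule caches (IP address, connection 5-tuple, fixed TCP-flag rules) consulted for every packet, with the highest-priority match yielding forward, drop or divert. The priority values, the direction-independent connection key, the sample addresses and the default of diverting unknown traffic to the IPS are assumptions of this example, not details stated on the page.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    FORWARD = "forward"  # pass in hardware; the IPS never sees the packet
    DROP = "drop"        # discard in hardware, e.g. a blocked malicious source
    SHUNT = "shunt"      # divert through the IPS for software analysis

# flags holds TCP flag names, e.g. {"SYN"} or {"FIN", "ACK"}
Packet = namedtuple("Packet", "src dst sport dport proto flags", defaults=[frozenset()])

def conn_key(p):
    """Direction-independent 5-tuple so one cache entry covers both halves of a flow."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])

@dataclass
class Shunt:
    ip_rules: dict = field(default_factory=dict)    # ip -> (Action, priority)
    conn_rules: dict = field(default_factory=dict)  # conn_key -> (Action, priority)
    flag_rules: dict = field(default_factory=dict)  # TCP flag -> (Action, priority)
    default: Action = Action.SHUNT  # assumed: unvetted traffic is diverted to the IPS

    def decide(self, p):
        """Highest-priority match across the three caches decides the packet."""
        matches = [self.ip_rules[ip] for ip in (p.src, p.dst) if ip in self.ip_rules]
        if conn_key(p) in self.conn_rules:
            matches.append(self.conn_rules[conn_key(p)])
        matches += [self.flag_rules[f] for f in p.flags if f in self.flag_rules]
        return max(matches, key=lambda m: m[1])[0] if matches else self.default

def demo():
    """IPS vets one flow, cuts through its bulk and blocks a scanner; returns the decisions."""
    # Assumed priorities: IP block 100 > control-flag rules 60 > connection cut-through 50,
    # so the IPS keeps seeing SYN/FIN/RST even on a flow it has already vetted.
    sh = Shunt(flag_rules={f: (Action.SHUNT, 60) for f in ("SYN", "FIN", "RST")})
    sh.ip_rules["198.51.100.7"] = (Action.DROP, 100)             # constructed: blocked scanner
    flow = Packet("192.0.2.10", "203.0.113.5", 40000, 80, "tcp")  # constructed HTTP flow
    reply = Packet("203.0.113.5", "192.0.2.10", 80, 40000, "tcp")
    scan = Packet("198.51.100.7", "192.0.2.10", 5555, 22, "tcp", frozenset({"SYN"}))
    unvetted = sh.decide(flow)                                    # IPS has not vetted it yet
    sh.conn_rules[conn_key(flow)] = (Action.FORWARD, 50)          # IPS vets flow, installs cut-through
    return {
        "syn": sh.decide(flow._replace(flags=frozenset({"SYN"}))),
        "unvetted_data": unvetted,
        "vetted_data": sh.decide(flow),
        "vetted_reply": sh.decide(reply),
        "fin": sh.decide(flow._replace(flags=frozenset({"FIN", "ACK"}))),
        "scan": sh.decide(scan),
    }
```

The cut-through entry for the vetted flow applies to both directions, while control packets on that flow and anything from the blocked source never reach the per-flow rule.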