Building a time machine for efficient recording and retrieval of high-volume network traffic
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Predicting the resource consumption of network intrusion detection systems
SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Regular Expression Matching on Graphics Hardware for Intrusion Detection
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Dynamic learning model update of hybrid-classifiers for intrusion detection
The Journal of Supercomputing
Network-based Intrusion Detection Systems (IDSs) such as Snort or Bro, which have to analyze the packet payload of all received data, show severe performance problems when used in high-speed networks. Recent research results improve pattern matchers with more efficient algorithms or specialized hardware. We approach the problem in a completely different way, by considerably reducing the amount of data to be analyzed with only marginal impact on detection quality. Dialog-based Payload Aggregation (DPA) uses TCP sequence numbers to decide which parts of the payload need to be analyzed by the IDS. Whenever a connection starts, or the direction of data transmission between the peers changes, we forward the next N bytes of traffic to an attached IDS; all data transferred after this window is discarded. Our analysis using live network traffic and multiple Snort rulesets shows that most pattern matches occur at the beginning of connections or directly after direction changes in the data streams. According to our experimental results, our method reduces the data rate to be processed to around 1% in a typical network while retaining more than 98% of all detected events. Assuming a linear relationship between the data rate and the processing time of an IDS, this results in a speedup of two orders of magnitude in the best case.
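An added illustration of the DPA window logic, not code from the paper: a minimal simulation over a constructed packet trace. Packets are modelled as (connection id, direction, payload) tuples, the window size N is assumed to be 32 bytes, and pure ACKs carrying no payload are assumed not to count as a direction change.

```python
from typing import Dict, List, Tuple

Packet = Tuple[str, str, bytes]  # (connection id, direction, TCP payload)


def dpa_filter(packets: List[Packet], window: int) -> List[Packet]:
    """Dialog-based Payload Aggregation: forward only the first `window`
    payload bytes after a connection starts or after the direction of data
    flow changes; the rest of that dialog turn is dropped."""
    # per-connection state: direction of the current turn, bytes still open in its window
    state: Dict[str, Tuple[str, int]] = {}
    forwarded: List[Packet] = []
    for conn, direction, payload in packets:
        if not payload:
            # assumption: a pure ACK carries no data, so it does not start a new turn
            continue
        last_dir, remaining = state.get(conn, ("", 0))
        if last_dir != direction:
            # new connection or direction change: open a fresh window of N bytes
            remaining = window
        chunk = payload[:remaining]
        if chunk:
            forwarded.append((conn, direction, chunk))
        state[conn] = (direction, remaining - len(chunk))
    return forwarded


def reduction(packets: List[Packet], forwarded: List[Packet]) -> float:
    """Fraction of payload bytes that still reach the IDS."""
    total = sum(len(p[2]) for p in packets)
    kept = sum(len(p[2]) for p in forwarded)
    return kept / total if total else 0.0


# Constructed trace: one HTTP-like dialog with a large response body, plus a
# second connection that sends a single large message.
TRACE: List[Packet] = [
    ("c1", "c2s", b"GET / HTTP/1.1\r\n"),      # 16 bytes, connection start
    ("c1", "s2c", b"HTTP/1.1 200 OK\r\n"),     # 17 bytes, direction change
    ("c1", "c2s", b""),                        # pure ACK, no payload
    ("c1", "s2c", b"X" * 1000),                # body continues the same turn
    ("c1", "c2s", b"GET /next HTTP/1.1\r\n"),  # 20 bytes, direction change
    ("c1", "s2c", b"Y" * 500),                 # direction change, then truncated
    ("c2", "c2s", b"Z" * 100),                 # new connection
]
WINDOW = 32  # assumed N

if __name__ == "__main__":
    out = dpa_filter(TRACE, WINDOW)
    for conn, direction, chunk in out:
        print(conn, direction, len(chunk), chunk[:16])
    print(f"forwarded {reduction(TRACE, out):.1%} of payload bytes")
```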