Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Efficient string matching: an aid to bibliographic search
Communications of the ACM
mmdump: a tool for monitoring internet multimedia traffic
ACM SIGCOMM Computer Communication Review
TCP congestion control with a misbehaving receiver
ACM SIGCOMM Computer Communication Review
Active Mapping: Resisting NIDS Evasion without Altering Traffic
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Transport layer identification of P2P traffic
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Operational experiences with high-volume network intrusion detection
Proceedings of the 11th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Detecting evasion attacks at high speeds without reassembly
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Backtracking Algorithmic Complexity Attacks against a NIDS
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
FFPF: fairly fast packet filters
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Robust TCP stream reassembly in the presence of adversaries
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
The BSD packet filter: a new architecture for user-level packet capture
USENIX'93 Proceedings of the USENIX Winter 1993 Conference Proceedings on USENIX Winter 1993 Conference Proceedings
High-Speed Dynamic Packet Filtering
Journal of Network and Systems Management
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Load shedding in network monitoring applications
ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Swift: a fast dynamic packet filter
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Efficient and Robust TCP Stream Normalization
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Enriching network security analysis with time travel
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
An architecture for exploiting multi-core processors to parallelize network intrusion prevention
Concurrency and Computation: Practice & Experience - Multi-core Supported Network and System Security
RouteBricks: exploiting parallelism to scale software routers
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Per flow packet sampling for high-speed network monitoring
COMSNETS'09 Proceedings of the First international conference on COMmunication Systems And NETworks
Proceedings of the Third European Workshop on System Security
Performance adaptation in real-time intrusion detection systems
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
High speed network traffic analysis with commodity multi-core systems
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
LISA'10 Proceedings of the 24th international conference on Large installation system administration
Improving network connection locality on multicore systems
Proceedings of the 7th ACM european conference on Computer Systems
Netmap: a novel framework for fast packet I/O
USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
Tolerating overload attacks against packet capturing systems
USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
Hi-index | 0.00 |
Many network monitoring applications must analyze traffic beyond the network layer to allow for connection-oriented analysis, and achieve resilience to evasion attempts based on TCP segmentation. However, existing network traffic capture frameworks provide applications with just raw packets, and leave complex operations like flow tracking and TCP stream reassembly to application developers. This gap leads to increased application complexity, longer development time, and most importantly, reduced performance due to excessive data copies between the packet capture subsystem and the stream processing module. This paper presents the Stream capture library (Scap), a network monitoring framework built from the ground up for stream-oriented traffic processing. Based on a kernel module that directly handles flow tracking and TCP stream reassembly, Scap delivers to user-level applications flow-level statistics and reassembled streams by minimizing data movement operations and discarding uninteresting traffic at early stages, while it inherently supports parallel processing on multi-core architectures, and uses advanced capabilities of modern network cards. Our experimental evaluation shows that Scap can capture all streams for traffic rates two times higher than other stream reassembly libraries, and can process more than five times higher traffic loads when eight cores are used for parallel stream processing in a pattern matching application.