Operational experiences with high-volume network intrusion detection

Authors:
Holger Dreger;Anja Feldmann;Vern Paxson;Robin Sommer
Affiliations:
TU München;TU München;ICSI / LBNL;TU München
Venue:
Proceedings of the 11th ACM conference on Computer and communications security
Year:
2004

Citing 14
Cited 40

Empirically derived analytic models of wide-area TCP connections

IEEE/ACM Transactions on Networking (TON)
Self-similarity through high-variability: statistical analysis of Ethernet LAN traffic at the source level

IEEE/ACM Transactions on Networking (TON)
Data networks as cascades: investigating the multifractal nature of Internet WAN traffic

Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Difficulties in simulating the internet

IEEE/ACM Transactions on Networking (TON)
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Stateful Intrusion Detection for High-Speed Networks

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Inside the Slammer Worm

IEEE Security and Privacy
Enhancing byte-level network intrusion detection signatures with context

Proceedings of the 10th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Denial of service via algorithmic complexity attacks

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Capacity verification for high speed network intrusion detection systems

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Performance adaptation in real-time intrusion detection systems

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

Packet trace manipulation rramework for test labs

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Protomatching network traffic for high throughputnetwork intrusion detection

Proceedings of the 13th ACM conference on Computer and communications security
Enhancing interoperability and stateful analysis of cooperative network intrusion detection systems

Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
Hyperion: high volume stream archival for retrospective querying

ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Predicting the resource consumption of network intrusion detection systems

SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Swift: a fast dynamic packet filter

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Enriching network security analysis with time travel

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
A Survey of the High-Speed Self-learning Intrusion Detection Research Area

AIMS '07 Proceedings of the 1st international conference on Autonomous Infrastructure, Management and Security: Inter-Domain Management
Distributed Evasive Scan Techniques and Countermeasures

DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Conceptual Integration of Flow-Based and Packet-Based Network Intrusion Detection

AIMS '08 Proceedings of the 2nd international conference on Autonomous Infrastructure, Management and Security: Resilient Networks and Services
Predicting the Resource Consumption of Network Intrusion Detection Systems

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Traffic Data Preparation for a Hybrid Network IDS

HAIS '08 Proceedings of the 3rd international workshop on Hybrid Artificial Intelligence Systems
Correlation-based load balancing for network intrusion detection and prevention systems

Proceedings of the 4th international conference on Security and privacy in communication netowrks
Robust network monitoring in the presence of non-cooperative traffic queries

Computer Networks: The International Journal of Computer and Telecommunications Networking
Revealing the Unknown ADSL Traffic Using Statistical Methods

TMA '09 Proceedings of the First International Workshop on Traffic Monitoring and Analysis
OpenLIDS: a lightweight intrusion detection system for wireless mesh networks

Proceedings of the 15th annual international conference on Mobile computing and networking
Improving the accuracy of network intrusion detection systems under load using selective packet discarding

Proceedings of the Third European Workshop on System Security
On-line predictive load shedding for network monitoring

NETWORKING'07 Proceedings of the 6th international IFIP-TC6 conference on Ad Hoc and sensor networks, wireless networks, next generation internet
The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Network-wide deployment of intrusion detection and prevention systems

Proceedings of the 6th International COnference
Design and implementation of a fast dynamic packet filter

IEEE/ACM Transactions on Networking (TON)
Detection of unknown dos attacks by kolmogorov-complexity fluctuation

CISC'05 Proceedings of the First SKLOIS conference on Information Security and Cryptology
Streams, security and scalability

DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
Enhancing the accuracy of network-based intrusion detection with host-based context

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Enhancing network intrusion detection with integrated sampling and filtering

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
WIND: workload-aware INtrusion detection

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
MOVICAB-IDS: visual analysis of network traffic data streams for intrusion detection

IDEAL'06 Proceedings of the 7th international conference on Intelligent Data Engineering and Automated Learning
Intrusion Detection: Towards scalable intrusion detection

Network Security
Multi-resource fair queueing for packet processing

Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication
Tolerating overload attacks against packet capturing systems

USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
Multi-resource fair queueing for packet processing

ACM SIGCOMM Computer Communication Review - Special october issue SIGCOMM '12
RT-MOVICAB-IDS: Addressing real-time intrusion detection

Future Generation Computer Systems
A lone wolf no more: supporting network intrusion detection with real-time intelligence

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
GPP-Grep: high-speed regular expression processing engine on general purpose processors

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Enhancing list-based packet filter using IP verification mechanism against IP spoofing attack in network intrusion detection

NSS'12 Proceedings of the 6th international conference on Network and System Security
Re-examining the performance bottleneck in a NIDS with detailed profiling

Journal of Network and Computer Applications
Scap: stream-oriented network traffic capture and analysis for high-speed networks

Proceedings of the 2013 conference on Internet measurement conference
Towards adaptive character frequency-based exclusive signature matching scheme and its applications in distributed intrusion detection

Computer Networks: The International Journal of Computer and Telecommunications Networking
Adaptive non-critical alarm reduction using hash-based contextual signatures in intrusion detection

Computer Communications
Adaptive blacklist-based packet filter with a statistic-based approach in network intrusion detection

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

In large-scale environments, network intrusion detection systems (NIDSs) face extreme challenges with respect to traffic volume, traffic diversity, and resource management. While crucial for acceptance and operational deployment, the research literature mainly omits such practical difficulties. In this paper, we offer an evaluation based on extensive operational experience. More specifically, we identify and explore key factors with respect to resource management and efficient packet processing and highlight their impact using a set of real-world traces. On the one hand, these insights help us gauge the trade-offs of tuning a NIDS. On the other hand, they motivate us to explore several novel ways of reducing resource requirements. These enable us to improve the state management considerably as well as balance the processing load dynamically. Overall this enables us to operate a NIDS successfully in our high-volume network environments.