Packet pre-filtering for network intrusion detection

Authors:
Ioannis Sourdis;Vasilis Dimopoulos;Dionisios Pnevmatikatos;Stamatis Vassiliadis
Affiliations:
TU Delft, The Netherlands;Technical University of Crete, Crete, Greece;Technical University of Crete, Crete, Greece and Institute of Computer Science (ICS), Crete, Greece;TU Delft, The Netherlands
Venue:
Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
Year:
2006

Citing 9
Cited 13

Assisting Network Intrusion Detection with Reconfigurable Hardware

FCCM '02 Proceedings of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Fast Content-Based Packet Handling for Intrusion Detection

Fast Content-Based Packet Handling for Intrusion Detection
Implementation of a Content-Scanning Module for an Internet Firewall

FCCM '03 Proceedings of the 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
A Methodology for Synthesis of Efficient Intrusion Detection Systems on FPGAs

FCCM '04 Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Scalable Pattern Matching for High Speed Networks

FCCM '04 Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Pre-Decoded CAMs for Efficient and High-Speed NIDS Pattern Matching

FCCM '04 Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Efficient packet classification for network intrusion detection using FPGA

Proceedings of the 2005 ACM/SIGDA 13th international symposium on Field-programmable gate arrays
Fast Regular Expression Matching Using FPGAs

FCCM '01 Proceedings of the the 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
On the importance of header classification in HW/SW network intrusion detection systems

PCI'05 Proceedings of the 10th Panhellenic conference on Advances in Informatics

Regular Expression Matching in Reconfigurable Hardware

Journal of Signal Processing Systems
Performance evaluation comparison of Snort NIDS under Linux and Windows Server

Journal of Network and Computer Applications
Self-addressable memory-based FSM: a scalable intrusion detection engine

IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
Robust and fast pattern matching for intrusion detection

INFOCOM'10 Proceedings of the 29th conference on Information communications
SANS: a scalable architecture for network intrusion prevention with stateful frontend

Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
Selective regular expression matching

ISC'10 Proceedings of the 13th international conference on Information security
Deterministic finite automata characterization and optimization for scalable pattern matching

ACM Transactions on Architecture and Code Optimization (TACO)
Deep packet pre-filtering and finite state encoding for adaptive intrusion detection system

Computer Networks: The International Journal of Computer and Telecommunications Networking
Rule indexing for efficient intrusion detection systems

WISA'11 Proceedings of the 12th international conference on Information Security Applications
Balanced indexing method for efficient intrusion detection systems

ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Scalable high-performance parallel design for network intrusion detection systems on many-core processors

ANCS '13 Proceedings of the ninth ACM/IEEE symposium on Architectures for networking and communications systems
Towards adaptive character frequency-based exclusive signature matching scheme and its applications in distributed intrusion detection

Computer Networks: The International Journal of Computer and Telecommunications Networking
Adaptive blacklist-based packet filter with a statistic-based approach in network intrusion detection

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

As Intrusion Detection Systems (IDS)utilize more complex syntax to efficiently describe complex attacks, their processing requirements increase rapidly. Hardware and, even more, software platforms face difficulties in keeping up with the computationally intensive IDS tasks, and face overheads that can substantially diminish performance.In this paper we introduce a packet pre-filtering approach as a means to resolve, or at least alleviate, the increasing needs of current and future intrusion detection systems. We observe that it is very rare for a single incoming packet to fully or partially match more than a few tens of IDS rules. We capitalize on this observation selecting a small portion from each IDS rule to be matched in the pre-filtering step. The result of this partial match is a small subset of rules that are candidates for a full match. Given this pruned set of rules that can apply to a packet, a second-stage, full-match engine can sustain higher throughput.We use DefCon traces and recent Snort IDS rule-set,and show that matching the header and up to an 8-character prefix for each payload rule on each incoming packet can determine that on average 1.8 rules may apply on each packet, while the maximum number of rules to be checked across all packets is 32. Effectively, packet pre-filtering prevents matching at least 99%of the SNORT rules per packet and as a result minimizes processing and improves the scalability of the system. We also propose and evaluate the cost and performance of a reconfigurable architecture that uses multiple processing engines in order to exploit the benefits of pre-filtering.