Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Characterizing the Performance of Network Intrusion Detection Sensors

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2003)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2820))

Included in the following conference series:

Abstract

Network intrusion detection systems (NIDS) are becoming an important tool for protecting critical information and infrastructure. The quality of a NIDS is described by the percentage of true attacks detected combined with the number of false alerts. However, even a high-quality NIDS algorithm is not effective if its processing cost is too high, since the resulting loss of packets increases the probability that an attack is not detected. This study measures and compares two major components of the NIDS processing cost on a number of diverse systems to pinpoint performance bottlenecks and to determine the impact of operating system and architecture differences. Results show that even on moderate-speed networks, many systems are inadequate as NIDS platforms. Performance depends not only on the processor performance, but to a large extent also on the memory system. Recent trends in processor microarchitecture towards deep pipelines have a negative impact on the systems NIDS capabilities, and multiprocessor architectures usually do not lead to significant performance improvements. Overall, these results provide valuable guidelines for NIDS developers and adopters for choosing a suitable platform, and highlight the need to consider processing cost when developing and evaluating NIDS techniques.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Banks, D., Prudence, M.: A High-performance Network Architecture for a PA-RISC Workstation. IEEE Journal on Selected Areas in Communications 11(2), 191–202 (1993)

    Article  Google Scholar 

  2. Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Staniford-Chen, S., Yip, R., Zerkle, D.: The Design of GrIDS: A Graph-Based Intrusion Detection System, tech. report CSE-99-02, Computer Science Dept., Univ. of California Davis, Calif (1999)

    Google Scholar 

  3. Clark, D., Jacobson, V., Romkey, J., Salwen, M.: An Analysis of TCP Processing Overhead. IEEE Communications Magazine 27, 23–29 (1989)

    Article  Google Scholar 

  4. Coit, J., Staniford, S., McAlerney, J.: Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort. In: Proc. DARPA Information Survivability Conference and Exposition (DISCEX II 2002), pp. 367–373. IEEE CS Press, Los Alamitos (2002)

    Google Scholar 

  5. Danyliw, R.: ACID: Analysis Console for Intrusion Databases (2001), http://acidlab.sourceforge.net

  6. Edwards, S.: Vulnerabilities of Network Intrusion Detection Systems: Realizing and Overcoming the Risks. The Case for Flow Mirroring, whitepaper, Top Layer Networks, Inc. (2002)

    Google Scholar 

  7. Egorov, S., Savchuk, G.: SNORTRAN: An Optimizing Compiler for Snort Rules. whitepaper, Fidelis Security Systems, Inc.

    Google Scholar 

  8. Gallatin, J.C., Yocum, K.: Trapeze/IP: TCP/IP at Near-Gigabit Speeds. In: Proc. 1999 Usenix Technical Conference, Usenix Assoc., Berkeley, Calif, pp. 109–120 (1999)

    Google Scholar 

  9. Haines, J., Lippmann, R., Fried, D., Korba, J., Das, K.: 1999 DARPA Intrusion Detection System Evaluation: Design and Procedures, tech. report 1062, MIT Lincoln Laboratory Technical Report, Boston, Mass (2001)

    Google Scholar 

  10. Hinton, G., et al.: The Microarchitecture of the Pentium 4 Processor. Intel Technology Journal, Q1 (2001)

    Google Scholar 

  11. Kruegel, C., Toth, T.: Automatic Rule Clustering for improved, signature-based Intrusion Detection, tech. report, Distributed Systems Group, Technical Univ. Vienna, Austria

    Google Scholar 

  12. Kruegel, C., Valeur, F., Vigna, G., Kemmerer, R.: Stateful Intrusion Detection for High- Speed Networks. In: Proc. IEEE Symposium Security and Privacy, IEEE Computer Society Press, Calif (2002)

    Google Scholar 

  13. Marr, D., et al.: Hyper-Threading Technology Architecture and Microarchitecture. Intel Technology Journal 6(1), 4–15 (2002)

    MathSciNet  Google Scholar 

  14. Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23-24), 2435–2463 (1999)

    Article  Google Scholar 

  15. Protocol Analysis vs. Pattern Matching. whitepaper, Network ICE (2000)

    Google Scholar 

  16. Puketza, N., Zhang, K., Chung, M., Mukherjee, B., Olsson, R.: A Methodology for Testing Intrusion Detection Systems. IEEE Transactions Software Engineering 22(10), 719–729 (1996)

    Article  Google Scholar 

  17. Ranum, M.: Experiences Benchmarking Intrusion Detection Systems. whitepaper, Network Flight Recorder Security, Inc., http://www.snort.org/docs/Benchmarking-IDS-NFR.pdf

  18. Roesch, M.: Snort – Lightweight Intrusion Detection for Networks. In: Proc. Usenix LISA 1999 Conf. (November 1999), http://www.snort.org/docs/lisapaper.txt

  19. Rosenblum, M., Bugnion, E., Herrod, S., Witchel, E., Gupta, A.: The Impact of Architectural Trends on Operating System Performance. In: Proc. 15th ACM Symp. Operating System Principles, ACM Press, New York (1995)

    Google Scholar 

  20. Sekar, R., Guang, Y., Verma, S., Shanbhag, T.: A High-Performance Network Intrusion Detection System. In: Proc. 6th ACM Symp. Computer and Communication Security, ACM Press, New York (1999)

    Google Scholar 

  21. Snort 2.0 - Detection Revisited. whitepaper, Sourcefire Network Security Inc. (2002)

    Google Scholar 

  22. Snort Rules for Version 1.9.x as of (March 25, 2003), http://www.snort.org/dl/rules/snortrules-stable.tar.gz

  23. Steenkiste, P.: A Systematic Approach to Host Interface Design for High-Speed Networks. IEEE Computer 27(3), 47–57 (1994)

    Google Scholar 

  24. McVoy, L., Staelin, C.: lmbench: Portable Tools for Performance Analysis. In: Proc. USENIX Ann. Technical Conference, Usenix Assoc., Berkeley, Calif., pp. 279–294 (1998)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, University of Notre Dame, 384 Fitzpatrick Hall, Notre Dame, Indiana, 46556, USA

    Lambert Schaelicke, Thomas Slabach, Branden Moore & Curt Freeland

Authors
  1. Lambert Schaelicke
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Thomas Slabach
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Branden Moore
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Curt Freeland
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of California Santa Barbara, 93106-5110, Santa Barbara, CA, USA

    Giovanni Vigna

  2. Secure Systems Lab, Technical University of Vienna, 1040, Vienna, Austria

    Christopher Kruegel

  3. Department of Computer Science and Engineering, Chalmers University of Technology, SE-412 96, Göteborg, Sweden

    Erland Jonsson

Rights and permissions

Reprints and permissions

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Schaelicke, L., Slabach, T., Moore, B., Freeland, C. (2003). Characterizing the Performance of Network Intrusion Detection Sensors. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-45248-5_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40878-9

  • Online ISBN: 978-3-540-45248-5

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation