Article

Exploiting Independent State For Network Intrusion Detection

Authors:

Robin Sommer,

Vern PaxsonAuthors Info & Claims

ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference

Pages 59 - 71

https://doi.org/10.1109/CSAC.2005.24

Published: 05 December 2005 Publication History

Publisher Site

Abstract

Network intrusion detection systems (NIDSs) critically rely on processing a great deal of state. Often much of this state resides solely in the volatile processor memory accessible to a single user-level process on a single machine. In this work we highlight the power of independent state, i.e., internal fine-grained state that can be propagated from one instance of a NIDS to others running either concurrently or subsequently. Independent state provides us with a wealth of possible applications that hold promise for enhancing the capabilities of NIDSs. We discuss an implementation of independent state for the Bro NIDS and examine how we can then leverage independent state for distributed processing, load parallelization, selective preservation of state across restarts and crashes, dynamic reconfiguration, high-level policy maintenance, and support for profiling and debugging. We have experimented with each of these applications in several large environments and are now working to integrate them into the sites' operational monitoring. A performance evaluation shows that our implementation is suitable for use even in large-scale environments.

Cited By

View all

Amann JSommer RSharma AHall S(2012)A lone wolf no moreProceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses10.1007/978-3-642-33338-5_16(314-333)Online publication date: 12-Sep-2012
https://dl.acm.org/doi/10.1007/978-3-642-33338-5_16
Sekar VKrishnaswamy RGupta AReiter Mde Oliveira JOtt MGriffin TMedard M(2010)Network-wide deployment of intrusion detection and prevention systemsProceedings of the 6th International COnference10.1145/1921168.1921192(1-12)Online publication date: 30-Nov-2010
https://dl.acm.org/doi/10.1145/1921168.1921192
Maier GSommer RDreger HFeldmann APaxson VSchneider FBahl VWetherall DSavage SStoica I(2008)Enriching network security analysis with time travelProceedings of the ACM SIGCOMM 2008 conference on Data communication10.1145/1402958.1402980(183-194)Online publication date: 17-Aug-2008
https://dl.acm.org/doi/10.1145/1402958.1402980
Show More Cited By

Index Terms

Exploiting Independent State For Network Intrusion Detection

Recommendations

Network intrusion detection

Intrusion detection is a new, retrofit approach for providing a sense of security in existing computers and data networks, while allowing them to operate in their current "open" mode. The goal of intrusion detection is to identify unauthorized use, ...
Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion

In this article, the authors describe common intrusion detection techniques, NIDS evasion methods, and how NIDSs detect intrusions. Additionally, we introduce new evasion methods, present test results for confirming attack outcomes based on server ...
Network intrusion detection: stepping-stone and masquerader detections

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference

December 2005

544 pages

ISBN:0769524613

Publisher

IEEE Computer Society

United States

Publication History

Published: 05 December 2005

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 17 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Amann JSommer RSharma AHall S(2012)A lone wolf no moreProceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses10.1007/978-3-642-33338-5_16(314-333)Online publication date: 12-Sep-2012
https://dl.acm.org/doi/10.1007/978-3-642-33338-5_16
Sekar VKrishnaswamy RGupta AReiter Mde Oliveira JOtt MGriffin TMedard M(2010)Network-wide deployment of intrusion detection and prevention systemsProceedings of the 6th International COnference10.1145/1921168.1921192(1-12)Online publication date: 30-Nov-2010
https://dl.acm.org/doi/10.1145/1921168.1921192
Maier GSommer RDreger HFeldmann APaxson VSchneider FBahl VWetherall DSavage SStoica I(2008)Enriching network security analysis with time travelProceedings of the ACM SIGCOMM 2008 conference on Data communication10.1145/1402958.1402980(183-194)Online publication date: 17-Aug-2008
https://dl.acm.org/doi/10.1145/1402958.1402980
Maier GSommer RDreger HFeldmann APaxson VSchneider F(2008)Enriching network security analysis with time travelACM SIGCOMM Computer Communication Review10.1145/1402946.140298038:4(183-194)Online publication date: 17-Aug-2008
https://dl.acm.org/doi/10.1145/1402946.1402980
Foschini LThapliyal ACavallaro LKruegel CVigna G(2008)A Parallel Architecture for Stateful, High-Speed Intrusion DetectionProceedings of the 4th International Conference on Information Systems Security10.1007/978-3-540-89862-7_18(203-220)Online publication date: 16-Dec-2008
https://dl.acm.org/doi/10.1007/978-3-540-89862-7_18
Vallentin MSommer RLee JLeres CPaxson VTierney B(2007)The NIDS clusterProceedings of the 10th international conference on Recent advances in intrusion detection10.5555/1776434.1776443(107-126)Online publication date: 5-Sep-2007
https://dl.acm.org/doi/10.5555/1776434.1776443
Colajanni MGozzi DMarchetti MYavatkar RGrunwald DRamakrishnan K(2007)Enhancing interoperability and stateful analysis of cooperative network intrusion detection systemsProceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems10.1145/1323548.1323576(165-174)Online publication date: 3-Dec-2007
https://dl.acm.org/doi/10.1145/1323548.1323576
Ondi AFord RJohn DKerr S(2007)Modeling malcode with HephaestusProceedings of the 45th annual ACM Southeast Conference10.1145/1233341.1233410(379-384)Online publication date: 23-Mar-2007
https://dl.acm.org/doi/10.1145/1233341.1233410
Rubin SJha SMiller BJuels AWright RDe Capitani di Vimercati S(2006)Protomatching network traffic for high throughputnetwork intrusion detectionProceedings of the 13th ACM conference on Computer and communications security10.1145/1180405.1180413(47-58)Online publication date: 30-Oct-2006
https://dl.acm.org/doi/10.1145/1180405.1180413

Abstract

Cited By

Index Terms

Recommendations

Network intrusion detection

Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion

Network intrusion detection: stepping-stone and masquerader detections

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations