W Yang,BX Fang,B Liu,HL Zhang

DOI: https://doi.org/10.1016/j.comcom.2004.03.001

IF: 5.047

2004-01-01

Computer Communications

Abstract:The increasing network throughput challenges the current Network Intrusion Detection Systems (NIDS) to have compatible high-performance data processing. In this paper, we describe an in-depth research on the related techniques of high-performance network intrusion detection and an implementation of a Rule-based High-performance Network Intrusion Detection System (RHPNIDS) for high-speed networks. By integrating several performance optimizing methods, the performance of RHPNIDS is very impressive compared with the popular open source NIDS Snort.

Wenbao Jiang,Hua Song,Yiqi Dai

DOI: https://doi.org/10.1016/j.cose.2004.07.005

2005-01-01

Abstract:Network-based intrusion detection systems (NIDSs) frequently have problems with handling heavy traffic loads in real-time, which result in packet loss and false negatives. This paper presents a high-performance network intrusion detection system, called HPMonitor, which combines a high-efficiency detection engine and a load-balancing device to address these problems. The paper describes HPMonitor's system architecture, discusses a flow-based dynamic load-balancing algorithm called dynamic least load first (DLLF) algorithm, and introduces a new multi-pattern string matching algorithm called shift max algorithm (SMA). The test results reveal that the DLLF algorithm is an effective balancing algorithm for NIDS. Meanwhile, the experimental results show that the SMA algorithm is faster in searching large sets of patterns when compared with other algorithms, and its performance is affected little when the patterns set number increases.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

杨武,方滨兴,云晓春,张宏莉

DOI: https://doi.org/10.3321/j.issn:1000-436x.2004.01.013

2004-01-01

Abstract:The paper presents and implements a high-performance communication protocol architecture supporting SMP for the high bandwidth network intrusion detectionULNP(User Level Network Protocol). In ULNP, a user-level virtual network interface is designed by adopting a zero-copy method that bypasses the traditional kernel protocol stack from OS. In addition, the user-level TCP/IP protocol is optimized according to the characteristic of NIDS. So the communication overhead of NIDS is efficiently reduced. Experimental evaluation illustrates that compared with traditional NIDS, peak throughput of processing packets is increased by about 2-7 times and CPU idle ratio is increased by 1-2 times for the NIDS with ULNP in the high-speed network.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Da-Wen Huang,Fengji Luo,Jichao Bi,Mingyang Sun

DOI: https://doi.org/10.1109/tifs.2022.3191491

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deploying Intrusion Detection Systems (IDSs) is an essential way to enhance the security of Multi-hop Clustered Wireless Sensor Networks (MCWSNs). The conventional IDS deployment architectural designs show limitations in ensuring the security of MCWSNs due to the limited monitoring range of the nodes. This paper proposes an efficient IDS deployment architecture for MCWSNs. The architecture is a hybrid design, in which the cluster heads and the sink collaboratively act as IDS agents to monitor the entire network and perform intrusion detection. Based on the new architecture, this paper proposes a resource allocation model to optimally allocate resources among the IDS agents so that the network’s security metric can be maximized. A comprehensive analytical framework is proposed to analyze the optimality of the model’s solution, and an efficient computational approach is developed to obtain the optimal resource allocation strategy. Extensive numerical simulation and comparison studies are conducted to validate the proposed method.

杨武,方滨兴,云晓春,张宏莉,胡铭曾

DOI: https://doi.org/10.3969/j.issn.1007-5321.2004.04.017

2004-01-01

Abstract:The performance bottleneck of the traditional network intrusion detection system (NIDS) is investigated in order to design and implement a high-performance distributed intrusion detection system (HDIDS) to detect network intruders by passively monitoring a network link. Experiments indicate that the data processing of our HDIDS is increased by about 3 times more than that of the traditional NIDS.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

YANG Wu,FANG Bin-Xing,YUN Xiao-Chun

DOI: https://doi.org/10.1360/jos182271

2007-01-01

Abstract:To perform effective intrusion analysis in higher bandwidth network, this paper studies the data collecting techniques and proposes a scalable efficient intrusion monitoring architecture (SEIMA) for network intrusion detection system (NIDS). In the architecture of SEIMA, scaling network intrusion detection to high network speeds can be achieved using multiple sensors operating in parallel coupled with a suitable load balancing traffic splitter. High-performance data transfer is achieved through asynchronous DMA without OS's intervention by using efficient address translation technique and buffer management mechanism. Multi-rule packet filter based on finite state machine technique is implemented at user layer to eliminate overhead for processing redundant packets. The simulative and actual experiment results indicate that SEIMA is capable of reducing the using rate of CPU while improving the efficiency of data collection in NIDS, so as to save much more system resources for complex data analysis in NIDS. The method of SEIMA is very practical for network security.

WU Zhong,LIU Yan-heng,TIAN Da-xin,ZHANG Yuan-yuan

2007-01-01

Journal of Computer Applications

Abstract:The processing speed of Network Intrusion Detection systems (NIDS) is still low compared with the speed of networks. As a result, few NIDS are applicable in a high-speed network. A distributed NIDS for high-speed networks was presented in this paper. The overall traffic was divided into small slices based on Netfilter, and the algorithm of load balancing was given to ensure that a single slice contained all the necessary evidence to detect a specific attack. The results of experiments show that the packets are almost equally scattered to all NIDS, and the percentage of missed rate declined to 1/4 of single NIDS.

Yaying Chen,Siamak Layeghy,Liam Daly Manocchio,Marius Portmann

2024-12-23

Abstract:This paper presents a high-performance, scalable network monitoring and intrusion detection system (IDS) implemented in P4. The proposed solution is designed for high-performance environments such as cloud data centers, where ultra-low latency, high bandwidth, and resilient infrastructure are essential. Existing state-of-the-art (SoA) solutions, which rely on traditional out-of-band monitoring and intrusion detection techniques, often struggle to achieve the necessary latency and scalability in large-scale, high-speed networks. Unlike these approaches, our in-band solution provides a more efficient, scalable alternative that meets the performance needs of Terabit networks. Our monitoring component captures extended NetFlow v9 features at wire speed, while the in-band IDS achieves high-accuracy detection without compromising on performance. In evaluations on real-world P4 hardware, both the NetFlow monitoring and IDS components maintain negligible impact on throughput, even at traffic rates up to 8 million packets per second (mpps). This performance surpasses SoA in terms of accuracy and throughput efficiency, ensuring that our solution meets the requirements of large-scale, high-performance environments.

Networking and Internet Architecture

YX Jiang,C Lin,ZG Shan,Z Chen

2004-01-01

Abstract:The main problem existed in the Network-based Intrusion Detection System (NIDS) is that the data-processing ability of classical centralized intrusion detection architecture does dissatisfy the increasing requirement of high-speed network. To resolve this problem, especially in real-time online intrusion detection, a NIDS cluster scheme is firstly introduced in this paper. Secondly, given the high resource demands and the special load-balancing characteristics in NIDS cluster, three optimized polices to improve the performance of NIDS cluster are proposed, i.e. Early Simple Packet Filter (ESPF), Adaptive Hash Load-Balancing (AHLB) algorithm, Priority Scheduling with Buffer Limited (PSBL). All the optimized measures are in collaboration with one another and provide the NIDS cluster scalability, adaptability, and high performance. Moreover, with the goal of analyzing the performance of NIDS cluster a Stochastic Petri Net (SPN) model is proposed. To cope with the well-known state space explosion problem, we propose an approximate analysis technique, which can significantly reduce the computing complexity of the model. In the end, the numerical results of the performance analysis for those schemes are presented, and some valuable conclusions are recommended which are suitable for NIDS cluster to achieve high performance.

YU Rong,SUN Zhi,CHEN Jia,MEI Shunliang,DAI Yiqi

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.10.022

2005-01-01

Abstract:Intrusion detection technology is an indispensable way to protect the network security.This paper presents a high-speed intrusion detection system(IDS framework based on network processor and detection cluster.Two hardware algorithms were developed for the traffic distributor.One is the high-speed data-receiving program with the IXP1200 network processor,while the other is the load balance policy based on the destination media access control(MAC address.Tests show that the first algorithm achieves more than(1 Gb/s data-capturing ability,while the second algorithm is a satisfactery trade-off between protecting information integrity and reducing computational complexity.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

王文奇,郑秋生,吴婷,李伟华

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.14.070

2008-01-01

Abstract:At present intrusion detection system(IDS) in high-speed network is a main point in security domain.The main problem and various restricted factors IDS faced in high-speed network is analyzed,and involved researches such as zero-copy technique and fast pattern matching model is introduced too.Finally,the distributed intrusion detection system based data-distribution is figured out as a good measure,and some remaining problems and emerging trends in this area is presented.

蔡志平,刘书昊,王晗,曹介南,徐明

DOI: https://doi.org/10.3778/j.issn.1673-9418.1212017

2013-01-01

Abstract:The performance of single setup based network intrusion detection system (NIDS) is used to be improved by using custom hardware or modifying detection algorithms, but it wouldn’t meet the requirement for link speed up to 10 Gb/s. Parallel detection using multi detection sensors is the import way to implement the high performance intrusion detection. The parallel detection system can coordinately use multiple detection sensors to detect intrusions in parallel, which characterizes it with high performance and scalability. This paper summarizes the challenges of keeping the proof used for detecting attacks and balancing the load among sensors, and discusses various solutions to the challenges. This paper also considers the advantages of existing parallel detection technologies, proposes a uniformed parallel detection architecture (UPDA) that supports parallel detection with multi detection sensors. Based on NetMagic platform and UPDA, this paper designs and implements a parallel intrusion detection prototype system, and evaluates its performance in the network environment.

Hai-guang LAI,Hao HUANG,Jun-yuan XIE

2005-01-01

Journal of Computer Applications

Abstract:Network-based intrusion detection system (NIDS) detects attacks by capturing and analyzing network packets. As network band increases, NIDS can hardly keep up with the speed of networks. A method of improving NIDS' process ability using symmetric multi-processor (SMP) was proposed in the paper. Several CPUs of the system were used to process network packets in parallel to improve the performance. After analyzing NIDS' process procedure, an effective parallel processing structure was devised, which guaranteed threads on different CPUs running in parallel. Moreover, the synchronization method of threads proposed avoided the mutually exclusive access to the shared resource, which further increased the parallelity of threads, and guaranteed the correctness of the functionality of the program. Experiments show that the NIDS implemented on a SMP system with dual CPUs is almost 80% faster than the one based on a system with unique CPU.

Yindong Xiao,Houjun Wang,Shulin Tian

2012-01-01

Abstract:The requirement for deploying network based intrusion detection system (NIDS) in high speed network is analyzed. A packet header parsing method is proposed, which features high transmission throughput and flexible protocol support. Four-bus architecture based on finite state machine (FSM) is applied to support flexible protocols. The FSM module status transition is optimized with pipeline technique in a single clock time, so that the packet header can be parsed in the same pace of input data. This method was implemented and tested in an FPGA, and the result proves that the proposed method not only provides high speed parsing capability, but also supports all kinds of flexible protocols, including shim protocol. Especially, the resource usage of the method is considerably low.

刘璐,王谷尹,王俊峰

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.10.072

2008-01-01

Abstract:Traditional application layer based network interface card(NIC) method became inefficient in real-time and accurate high-speed NIC monitoring.With the analysis of network driver interface specification(NDIS) and packet filtering under Windows platform,the paper proposed an NIC independent high-speed network and monitoring method based on NDIS.The NIC monitor was implemented with application layer module and the driver layer ones.The monitor is capable of monitor multiple NICS simultaneously and accurately.Its main characteristic is analyzing and processing all the packets in the kernel layer.