Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Wenbin Yao,Cong Wang,Jianyi Liu,Yan Fang Si,Yixian Yang

2009-01-01

Abstract:Parallel approach is an important way to improve the performance of networked based intrusion detection system. A parallel architecture of intrusion detection system based on the ideas of combining twice data-flow partition with real-time load balancing feedback is presented. The components of data-flow partition and its optimized algorithm are designed and implemented. The experiment shows that the architecture may have higher speed and lower packet loss in high-speed network circumstance. Thus, it may raise the speed of data transmission and improve the efficiency of parallel intrusion detection.

Chun Jason Xue,Zili Shao,Meilin Liu,Qingfeng Zhuge,Edwin H. -M. Sha

DOI: https://doi.org/10.1007/978-3-540-77092-3_8

2007-01-01

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stepping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matchings are completed in O(log M) time where M is the longest pattern length. Implementation is done on a standard off-the-shelf FPGA. Comparison with the other techniques shows promising results.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

杨武,方滨兴,云晓春,张宏莉,胡铭曾

DOI: https://doi.org/10.3969/j.issn.1007-5321.2004.04.017

2004-01-01

Abstract:The performance bottleneck of the traditional network intrusion detection system (NIDS) is investigated in order to design and implement a high-performance distributed intrusion detection system (HDIDS) to detect network intruders by passively monitoring a network link. Experiments indicate that the data processing of our HDIDS is increased by about 3 times more than that of the traditional NIDS.

Jia-chun LI,Ling ZHANG

DOI: https://doi.org/10.3321/j.issn:1000-436X.2006.z1.014

2006-01-01

Abstract:Nowadays it is hot and difficult to improve attack detection rate and processing capability of intrusion detection system on high-speed environment. Parallel IDS based on network processor (NPBPIDS) is researched and implemented in this paper. The following methods are incorporated to improve system performance: the first is the use of IXP2400 network processor, where the traffics are collected speedily and splitted so as to keep streams as evenly loaded as possible. Early filtering of no payload packets and session-oriented dynamic feedback load balancing algorithm are used in traffic splitter. The second is the use of host arrays where the content of traffics with payload are detected. The experimental results demonstrate that it is availability and feasibility.

王文奇,郑秋生,吴婷,李伟华

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.14.070

2008-01-01

Abstract:At present intrusion detection system(IDS) in high-speed network is a main point in security domain.The main problem and various restricted factors IDS faced in high-speed network is analyzed,and involved researches such as zero-copy technique and fast pattern matching model is introduced too.Finally,the distributed intrusion detection system based data-distribution is figured out as a good measure,and some remaining problems and emerging trends in this area is presented.

LU Yongjing,WANG Dong

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.33.023

2011-01-01

Computer Engineering and Applications Journal

Abstract:With the continuous increase in network bandwidth and the capacity constraints,the traditional Network Intrusion Detection Systems(NIDS) is facing challenges.How to improve the efficiency of NIDS in high-speed network environment is facing challenges.Specially designed acceleration hardware is used to improve the detection rate,which is not only of high costs and inflexibility,but also only applicable to special institutions and not suitable to a large-scale popularization and promo-tion.An NIDS is presented based on the Snort opensource that exploits the powerful high-performance of GPU parallel processing capability,combining with the optimized Linux networking stack and multiple threads of Snort,and a high-performance soft-ware intrusion detection structure is designed.The experimental results show that GPU is very suitable for high speed network.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

Ziqian Wan,Gang Liang,Tao Li

DOI: https://doi.org/10.4304/jnw.7.9.1327-1333

2012-01-01

Journal of Networks

Abstract:It is becoming increasingly hard to build an intrusion detection system (IDS), because of the higher traffic throughput and the rising sophistication of attacking. Scale will be an important issue to address in the intrusion detection area. For hardware, tomorrow’s performance gains will come from multi-core architectures in which a number of CPU executes concurrently. We take the advantage of multi-core processors’ full power for intrusion detection in this work. We present an intrusion detection system based on the Snort open-source IDS that exploits the computational power of MIPS multi-core architecture to offload the costly pattern matching operations from the CPU, and thus increase the system’s processing throughput. A preliminary experiment demonstrates the potential of this system. The experiment results indicate that this method can be used effectively to speed up intrusion detection systems.

W Yang,BX Fang,B Liu,HL Zhang

DOI: https://doi.org/10.1016/j.comcom.2004.03.001

IF: 5.047

2004-01-01

Computer Communications

Abstract:The increasing network throughput challenges the current Network Intrusion Detection Systems (NIDS) to have compatible high-performance data processing. In this paper, we describe an in-depth research on the related techniques of high-performance network intrusion detection and an implementation of a Rule-based High-performance Network Intrusion Detection System (RHPNIDS) for high-speed networks. By integrating several performance optimizing methods, the performance of RHPNIDS is very impressive compared with the popular open source NIDS Snort.

Hai-guang LAI,Hao HUANG,Jun-yuan XIE

2005-01-01

Journal of Computer Applications

Abstract:Network-based intrusion detection system (NIDS) detects attacks by capturing and analyzing network packets. As network band increases, NIDS can hardly keep up with the speed of networks. A method of improving NIDS' process ability using symmetric multi-processor (SMP) was proposed in the paper. Several CPUs of the system were used to process network packets in parallel to improve the performance. After analyzing NIDS' process procedure, an effective parallel processing structure was devised, which guaranteed threads on different CPUs running in parallel. Moreover, the synchronization method of threads proposed avoided the mutually exclusive access to the shared resource, which further increased the parallelity of threads, and guaranteed the correctness of the functionality of the program. Experiments show that the NIDS implemented on a SMP system with dual CPUs is almost 80% faster than the one based on a system with unique CPU.

Xie Da-bin,Liang Gang

DOI: https://doi.org/10.3969/j.issn.1671-0428.2013.03.003

2013-01-01

Abstract:With the popularization of high-speed network,the traditional intrusion prevention system in high speed packet capture and real-time processing,has already can't meet the requirements of the performance.The paper proposed a kind of high performance intrusion prevention system,PF_RING DNA Intrusion Prevention System: PDIPS.PDIPS run on general multi-core platform,it used the PF_RING DNA technology to realize the packet capture in wire speed,at the same time,multithreading and CPU binding technology is used for parallel packets processing,to improve the overall performance.The test results show that under the same test environ-ment,PDIPS compared to traditional intrusion prevention scheme in performance has preferably improved,can adapt to the needs of the gigabit environment.

YANG Xiao-Bin,LIANG Gang,HU Xiao-Qin

DOI: https://doi.org/10.3969/j.issn.0490-6756.2011.01.015

2011-01-01

Abstract:NIDS(network intrusion detection system) often has high loss rate because of the high speed of data flow.Besides load balancing scheme that purely based on connection is hard to take good measures once data flow on one or several connections rise rapidly.This performance is proved by load balancing scheme developed for parallel NIDS based on packets prediction.This scheme observe packets in and out and predicts load by packets prediction load balancing algorithm on each sensor.On the basis of the algorithm,an ef-fective measure is taken to deal with the rapid rising flow on connections and avoid adding a new connection to a sensor that will have high load.Results of the simulation verified that the scheme proposed can balance load effectively and reduce the packet loss rate.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Wenbao Jiang,Hua Song,Yiqi Dai

DOI: https://doi.org/10.1016/j.cose.2004.07.005

2005-01-01

Abstract:Network-based intrusion detection systems (NIDSs) frequently have problems with handling heavy traffic loads in real-time, which result in packet loss and false negatives. This paper presents a high-performance network intrusion detection system, called HPMonitor, which combines a high-efficiency detection engine and a load-balancing device to address these problems. The paper describes HPMonitor's system architecture, discusses a flow-based dynamic load-balancing algorithm called dynamic least load first (DLLF) algorithm, and introduces a new multi-pattern string matching algorithm called shift max algorithm (SMA). The test results reveal that the DLLF algorithm is an effective balancing algorithm for NIDS. Meanwhile, the experimental results show that the SMA algorithm is faster in searching large sets of patterns when compared with other algorithms, and its performance is affected little when the patterns set number increases.

LI Lang,LI Ren-fa,LI Ken-li,XU Qiong-fang

DOI: https://doi.org/10.3969/j.issn.1673-0313.2006.03.023

2006-01-01

Abstract:With the rapid development of high-speed networks and large-scale networks,intrusion detection has a new demand for model,architecture and technology of implemention.This paper catalogues systematically and researches analytically all existing intrusion detection model and technology,and discusses the advantages and disadvantages of all detection analysis technology.A tree-type architecture of variable levels of DIDS is proposed for high-speed networks.At the same time,the tree-type system can configure freely according to the scale of networks,it adopts registration and cancellation as a way to add or delete a node with any dependent node recognized as an integral IDS.It is implemented by technology of load balance and multi-pattern match based on protocol analyze.

Yizhen Liu,Daxiong Xu,Dong Liu,Lingge Sun

DOI: https://doi.org/10.1109/WKDD.2009.111

2009-01-01

Abstract:The current hardware architectures of intrusion detection system have several limitations on performance and configurability. In this paper we describe the architecture design and hardware implementation of gigabits NIDS using a programmable network processor and a FPGA co-processor. We discuss the requirements of NIDS, system hardware architecture and report measurements. In particular, we demonstrate performance improved by optimized parallel pattern match processing and efficient memory access in field programmable gate array (FPGA). We show an NIDS which can exploit our approach hardware platform, and make suggestions about implementation features that can significantly improve the performance and configurability of intrusion detection systems.