Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

JIANG Wenbao,HAO Shuang,DAI Yiqi,LIU Tinghua

DOI: https://doi.org/10.3321/j.issn:1000-0054.2006.01.028

2006-01-01

Abstract:The performance of high-speed network intrusion detection systems(nIDSs) is improved by load balancing algorithms developed for high-speed nIDSs.Three load balancing policies were analyzed to develop a flow-based dynamic load balancing algorithm based on nIDSs using multiple detection engines.The algorithm divides the data stream according to the current value of each detection engine's load using a dynamic feed and prediction mechanism.The incoming data packets for a new session are forwarded to the engine that currently has the lightest load.Test results show that the algorithm performs better than the Round Robin algorithm,especially when a large number of concurrent detection engines are used in heavy network traffic environments.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Yang Wu,Xiao-Chun Yun

DOI: https://doi.org/10.1007/978-3-540-30582-8_6

2005-01-01

Abstract:This paper presents and implements a high-performance network monitoring platform (HPNMP) for high bandwidth network intrusion detection system (NIDS). The traffic load on a single machine is heavily reduced in an operation mode of parallel cluster. An efficient user-level messaging mechanism is implemented and a multi-rule packet filter is built at user layer. The results of experiments indicate that HPNMP is capable of reducing the using rate of CPU while improving the efficiency of data collection in NIDS so as to save much more system resources for complex data analysis in NIDS. ...

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

W Yang,BX Fang,B Liu,HL Zhang

DOI: https://doi.org/10.1016/j.comcom.2004.03.001

IF: 5.047

2004-01-01

Computer Communications

Abstract:The increasing network throughput challenges the current Network Intrusion Detection Systems (NIDS) to have compatible high-performance data processing. In this paper, we describe an in-depth research on the related techniques of high-performance network intrusion detection and an implementation of a Rule-based High-performance Network Intrusion Detection System (RHPNIDS) for high-speed networks. By integrating several performance optimizing methods, the performance of RHPNIDS is very impressive compared with the popular open source NIDS Snort.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

J Gong,S Lu,Sy Rui

2004-01-01

Abstract:Using the concept of bit entropy and bit flow entropy, a novel load-balancing algorithm named Dimension-based Classification Algorithm (DCA) is introduced in this paper, aiming at implementing NIDS in high-speed network with traffic load up to Gbps. Based on the contents of fields in IP packet header and some simple operations, this algorithm can keep the semantic relativities among packets in a high bandwidth network environment while distributing workload to different processing node. It has a fairly good load-balancing feature in both macroscopical and microscopical senses for high-speed intrusion detection. The selection of operation and operand of DCA is discussed in detailed, and their efficiency is evaluated.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

王文奇,郑秋生,吴婷,李伟华

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.14.070

2008-01-01

Abstract:At present intrusion detection system(IDS) in high-speed network is a main point in security domain.The main problem and various restricted factors IDS faced in high-speed network is analyzed,and involved researches such as zero-copy technique and fast pattern matching model is introduced too.Finally,the distributed intrusion detection system based data-distribution is figured out as a good measure,and some remaining problems and emerging trends in this area is presented.

YU Rong,SUN Zhi,CHEN Jia,MEI Shunliang,DAI Yiqi

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.10.022

2005-01-01

Abstract:Intrusion detection technology is an indispensable way to protect the network security.This paper presents a high-speed intrusion detection system(IDS framework based on network processor and detection cluster.Two hardware algorithms were developed for the traffic distributor.One is the high-speed data-receiving program with the IXP1200 network processor,while the other is the load balance policy based on the destination media access control(MAC address.Tests show that the first algorithm achieves more than(1 Gb/s data-capturing ability,while the second algorithm is a satisfactery trade-off between protecting information integrity and reducing computational complexity.

YANG Wu,FANG Bin-Xing,YUN Xiao-Chun

DOI: https://doi.org/10.1360/jos182271

2007-01-01

Abstract:To perform effective intrusion analysis in higher bandwidth network, this paper studies the data collecting techniques and proposes a scalable efficient intrusion monitoring architecture (SEIMA) for network intrusion detection system (NIDS). In the architecture of SEIMA, scaling network intrusion detection to high network speeds can be achieved using multiple sensors operating in parallel coupled with a suitable load balancing traffic splitter. High-performance data transfer is achieved through asynchronous DMA without OS's intervention by using efficient address translation technique and buffer management mechanism. Multi-rule packet filter based on finite state machine technique is implemented at user layer to eliminate overhead for processing redundant packets. The simulative and actual experiment results indicate that SEIMA is capable of reducing the using rate of CPU while improving the efficiency of data collection in NIDS, so as to save much more system resources for complex data analysis in NIDS. The method of SEIMA is very practical for network security.

Yaying Chen,Siamak Layeghy,Liam Daly Manocchio,Marius Portmann

2024-12-23

Abstract:This paper presents a high-performance, scalable network monitoring and intrusion detection system (IDS) implemented in P4. The proposed solution is designed for high-performance environments such as cloud data centers, where ultra-low latency, high bandwidth, and resilient infrastructure are essential. Existing state-of-the-art (SoA) solutions, which rely on traditional out-of-band monitoring and intrusion detection techniques, often struggle to achieve the necessary latency and scalability in large-scale, high-speed networks. Unlike these approaches, our in-band solution provides a more efficient, scalable alternative that meets the performance needs of Terabit networks. Our monitoring component captures extended NetFlow v9 features at wire speed, while the in-band IDS achieves high-accuracy detection without compromising on performance. In evaluations on real-world P4 hardware, both the NetFlow monitoring and IDS components maintain negligible impact on throughput, even at traffic rates up to 8 million packets per second (mpps). This performance surpasses SoA in terms of accuracy and throughput efficiency, ensuring that our solution meets the requirements of large-scale, high-performance environments.

Networking and Internet Architecture

WU Zhong,LIU Yan-heng,TIAN Da-xin,ZHANG Yuan-yuan

2007-01-01

Journal of Computer Applications

Abstract:The processing speed of Network Intrusion Detection systems (NIDS) is still low compared with the speed of networks. As a result, few NIDS are applicable in a high-speed network. A distributed NIDS for high-speed networks was presented in this paper. The overall traffic was divided into small slices based on Netfilter, and the algorithm of load balancing was given to ensure that a single slice contained all the necessary evidence to detect a specific attack. The results of experiments show that the packets are almost equally scattered to all NIDS, and the percentage of missed rate declined to 1/4 of single NIDS.

杨武,方滨兴,云晓春,张宏莉,胡铭曾

DOI: https://doi.org/10.3969/j.issn.1007-5321.2004.04.017

2004-01-01

Abstract:The performance bottleneck of the traditional network intrusion detection system (NIDS) is investigated in order to design and implement a high-performance distributed intrusion detection system (HDIDS) to detect network intruders by passively monitoring a network link. Experiments indicate that the data processing of our HDIDS is increased by about 3 times more than that of the traditional NIDS.

蔡志平,刘书昊,王晗,曹介南,徐明

DOI: https://doi.org/10.3778/j.issn.1673-9418.1212017

2013-01-01

Abstract:The performance of single setup based network intrusion detection system (NIDS) is used to be improved by using custom hardware or modifying detection algorithms, but it wouldn’t meet the requirement for link speed up to 10 Gb/s. Parallel detection using multi detection sensors is the import way to implement the high performance intrusion detection. The parallel detection system can coordinately use multiple detection sensors to detect intrusions in parallel, which characterizes it with high performance and scalability. This paper summarizes the challenges of keeping the proof used for detecting attacks and balancing the load among sensors, and discusses various solutions to the challenges. This paper also considers the advantages of existing parallel detection technologies, proposes a uniformed parallel detection architecture (UPDA) that supports parallel detection with multi detection sensors. Based on NetMagic platform and UPDA, this paper designs and implements a parallel intrusion detection prototype system, and evaluates its performance in the network environment.

YANG Xiao-Bin,LIANG Gang,HU Xiao-Qin

DOI: https://doi.org/10.3969/j.issn.0490-6756.2011.01.015

2011-01-01

Abstract:NIDS(network intrusion detection system) often has high loss rate because of the high speed of data flow.Besides load balancing scheme that purely based on connection is hard to take good measures once data flow on one or several connections rise rapidly.This performance is proved by load balancing scheme developed for parallel NIDS based on packets prediction.This scheme observe packets in and out and predicts load by packets prediction load balancing algorithm on each sensor.On the basis of the algorithm,an ef-fective measure is taken to deal with the rapid rising flow on connections and avoid adding a new connection to a sensor that will have high load.Results of the simulation verified that the scheme proposed can balance load effectively and reduce the packet loss rate.

Likun Liu,Hongli Zhang,Xiangzhan Yu,Yi Xin,Muhammad Shafiq,Mengmeng Ge

DOI: https://doi.org/10.1155/2018/9809345

2018-01-01

Wireless Communications and Mobile Computing

Abstract:During the last decade, rapid development of mobile devices and applications has produced a large number of mobile data which hide numerous cyber-attacks. To monitor the mobile data and detect the attacks, NIDS/NIPS plays important role for ISP and enterprise, but now it still faces two challenges, high performance for super large patterns and detection of the latest attacks. High performance is dominated by Deep Packet Inspection (DPI) mechanism, which is the core of security devices. A new TTL attack is just put forward to escape detecting, such that the adversary inserts packet with short TTL to escape from NIDS/NIPS. To address the above-mentioned problems, in this paper, we design a security system to handle the two aspects. For efficient DPI, a new two-step partition of pattern set is demonstrated and discussed, which includes first set-partition and second set-partition. For resisting TTL attacks, we set reasonable TTL threshold and patch TCP protocol stack to detect the attack. Compared with recent produced algorithm, our experiments show better performance and the throughput increased 27% when the number of patterns is 106. Moreover, the success rate of detection is 100%, and while attack intensity increased, the throughput decreased.