Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

LU Yongjing,WANG Dong

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.33.023

2011-01-01

Computer Engineering and Applications Journal

Abstract:With the continuous increase in network bandwidth and the capacity constraints,the traditional Network Intrusion Detection Systems(NIDS) is facing challenges.How to improve the efficiency of NIDS in high-speed network environment is facing challenges.Specially designed acceleration hardware is used to improve the detection rate,which is not only of high costs and inflexibility,but also only applicable to special institutions and not suitable to a large-scale popularization and promo-tion.An NIDS is presented based on the Snort opensource that exploits the powerful high-performance of GPU parallel processing capability,combining with the optimized Linux networking stack and multiple threads of Snort,and a high-performance soft-ware intrusion detection structure is designed.The experimental results show that GPU is very suitable for high speed network.

SHAO Zong-you,LIU Xing-kui,LIU Xin-chun,SUN Ning-hui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.03.014

2013-01-01

Computer Science

Abstract:As the network bandwidth continuously increases,the network security has been seriously threatened by malicious behaviors and risks.Network intrusion detection system(NIDS) is one of the efficient measures to cope with intrusion threats and protect information security,which employs pattern matching techniques to analyze incoming packe-ts and detect potential threats.However,pattern matching is such a compute-intensive task that most current techniques can't meet the demand of NIDS for backbone networks over 10Gbps speed.We proposed a novel Bloom filter based approach for pattern matching,called PBPM(Parallel-Bloom-filter-based multi-Pattern Matching).PBPM employs multiple copies of the same Bloom filter to carry out parallel matching on different positions of the input text at the same time.The fine-grained parallel approach is able to skip multiple characters per clock when implemented on FPGAs,dramatically improving pattern matching performance.Experimental results on the rule set from Snort 2.9 show that the throughput of PBPM exceeds more than 20Gbps.

Ziqian Wan,Gang Liang,Tao Li

DOI: https://doi.org/10.4304/jnw.7.9.1327-1333

2012-01-01

Journal of Networks

Abstract:It is becoming increasingly hard to build an intrusion detection system (IDS), because of the higher traffic throughput and the rising sophistication of attacking. Scale will be an important issue to address in the intrusion detection area. For hardware, tomorrow’s performance gains will come from multi-core architectures in which a number of CPU executes concurrently. We take the advantage of multi-core processors’ full power for intrusion detection in this work. We present an intrusion detection system based on the Snort open-source IDS that exploits the computational power of MIPS multi-core architecture to offload the costly pattern matching operations from the CPU, and thus increase the system’s processing throughput. A preliminary experiment demonstrates the potential of this system. The experiment results indicate that this method can be used effectively to speed up intrusion detection systems.

蔡志平,刘书昊,王晗,曹介南,徐明

DOI: https://doi.org/10.3778/j.issn.1673-9418.1212017

2013-01-01

Abstract:The performance of single setup based network intrusion detection system (NIDS) is used to be improved by using custom hardware or modifying detection algorithms, but it wouldn’t meet the requirement for link speed up to 10 Gb/s. Parallel detection using multi detection sensors is the import way to implement the high performance intrusion detection. The parallel detection system can coordinately use multiple detection sensors to detect intrusions in parallel, which characterizes it with high performance and scalability. This paper summarizes the challenges of keeping the proof used for detecting attacks and balancing the load among sensors, and discusses various solutions to the challenges. This paper also considers the advantages of existing parallel detection technologies, proposes a uniformed parallel detection architecture (UPDA) that supports parallel detection with multi detection sensors. Based on NetMagic platform and UPDA, this paper designs and implements a parallel intrusion detection prototype system, and evaluates its performance in the network environment.

Cheng-Hung Lin,Sheng-Yu Tsai,Chen-Hsiung Liu,Shih-Chieh Chang,Jyuo-Min Shyu

DOI: https://doi.org/10.1109/GLOCOM.2010.5683320

2010-01-01

Abstract:Network Intrusion Detection System has been widely used to protect computer systems from network attacks. Due to the ever-increasing number of attacks and network complexity, traditional software approaches on uni-processors have become inadequate for the current high-speed network. In this paper, we propose a novel parallel algorithm to speedup string matching performed on GPUs. We also innovate new state machine for string matching, the state machine of which is more suitable to be performed on GPU. We have also described several speedup techniques considering special architecture properties of GPU. The experimental results demonstrate the new algorithm on GPUs achieves up to 4,000 times speedup compared to the AC algorithm on CPU. Compared to other GPU approaches, the new algorithm achieves 3 times faster with significant improvement on memory efficiency. Furthermore, because the new Algorithm reduces the complexity of the Aho-Corasick algorithm, the new algorithm also improves on memory requirements.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Dongliang Xu,Hongli Zhang,Yujian Fan

DOI: https://doi.org/10.12733/jcis5781

2013-01-01

Journal of Computational Information Systems

Abstract:Graphics Processing Unit (GPU) has been converted to general purpose parallel processor devices from a single rendering. It performed far better than the CPU in many fields of science. String matching is widely used, especially in information retrieval, intrusion detection, Computational Biology etc. In this paper, we designed and implemented a GPU-based multi-string matching algorithm by improving traditional serial WM algorithm, called G-WM, which respectively is 12 and 11.2 times performance to serial WM algorithm using equal and Unequal length pattern sets. © 2013 by Binary Information Press.

Zhuojun Zhuang,Yuan Luo,Minglu Li,Chuliang Weng

DOI: https://doi.org/10.1109/chinagrid.2008.27

2008-01-01

Abstract:The processing speed of conventional network-based intrusion detection systems (NIDSs) is incompetent as to the rapid increase in network link speed. This problem imposes an emerging need for new detection technologies. In this paper, we introduce a multi-core technique which opens up another way for fast intrusion detection by proper workload partitioning and parallel detection on high-speed link. We present an abstract model of NIDS on multi-core platform and discuss the optimal solution when minimum memory occupation achieves. A preliminary example shows the model configuration and presents a first experimental evaluation.

GE Lina,ZHONG Cheng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.12.050

2005-01-01

Abstract:The intrusion detection technique based on artificial immune theory is a new research area. Based on artificial immune theory, thispaper designs the negative selection algorithms on the parallel computer systems by dividing the task into multiple sub-tasks, parallel solving themultiple sub-tasks and combining the sub-solutions into the final result. The analysis result shows that the parallel algorithms obtain linear speedup.

Chun Jason Xue,Zili Shao,Meilin Liu,Qingfeng Zhuge,Edwin H. -M. Sha

DOI: https://doi.org/10.1007/978-3-540-77092-3_8

2007-01-01

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stepping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matchings are completed in O(log M) time where M is the longest pattern length. Implementation is done on a standard off-the-shelf FPGA. Comparison with the other techniques shows promising results.

Yanru Chen,Shijia Liu,Zilin Wang,Dizhi Wu,Yang Li,Bin Xing,Bing Guo,Liangyin Chen

DOI: https://doi.org/10.1109/jiot.2023.3286433

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Unlike conventional IT systems, industrial control systems (ICS) requires tailored attack detection methods due to its unique communication protocols. Existing attack detection methods lack the ability to consider both detection accuracy and time performance, particularly for highly stealthy fake data injection attacks (FDIA). To address these challenges, this work proposes an online parallel attack detection method for ICS based on multi-bandpass filter. By building multiple adaptive filters based on energy equilibrium and time-frequency domain data transformation, we implement multi-frequency band data segmentation. Hierarchical temporal memory (HTM) models are employed to parallelly fit the segmented data and detect anomalies. Simulation experiments demonstrate that our method outperforms the state-of-the-art Numenta method, achieving a 9% higher detection accuracy while reducing detection time to just 1/14 of Numenta’s. These results highlight the significant advantages of our method in striking a balance between detection accuracy and time performance. Our proposed method fills the gap in ICS attack detection and offers substantial improvements over existing techniques.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xinming Chen,Yiyao Wu,Lianghong Xu,Y. Xue

2009-01-01

Abstract:As security threats and network bandwidth increase in a very fast pace, there is a growing interest in designing highperformance network intrusion detection system (NIDS). This paper presents a parallelization strategy for the popular open-source Snort to build a high performance NIDS on multi-core IA platform. A modular design of parallel NIDS based on Snort is proposed in this paper. Named Para-Snort, it enables flexible and easy module design. This paper also analyzed the performance impact of load balancing and multi-pattern matching. Modified-JSQ and AC-WM algorithms are implemented in order to resolve the bottlenecks and improve the performance of the system. Experimental results show that Para-Snort achieves significant speedup of 4 to 6 times for various traces with a 7-thread parallelizing test setup.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Dongliang XU,Hongli ZHANG,Chongchong YAO

DOI: https://doi.org/10.3969/j.issn.2095-2163.2015.02.001

2015-01-01

Abstract:With the development of the network,the contradiction between the growth rate of network traffic and the filte-ring capability of the network security system have become increasingly prominent. As the core modules of network security systems,pattern matching module processing capacity faces serious challenge. The traditional serial algorithm for pattern matching has been difficult to meet the current needs of the network. This paper improves the traditional AC algorithm,u-sing high performance special parallel processing chip GPU to improve the processing speed of AC algorithm,and proposes a new G-AC algorithm. Experiments show that its performance is 10 times more than the performance of traditional AC al-gorithm on different data sets.

Hai-guang LAI,Hao HUANG,Jun-yuan XIE

2005-01-01

Journal of Computer Applications

Abstract:Network-based intrusion detection system (NIDS) detects attacks by capturing and analyzing network packets. As network band increases, NIDS can hardly keep up with the speed of networks. A method of improving NIDS' process ability using symmetric multi-processor (SMP) was proposed in the paper. Several CPUs of the system were used to process network packets in parallel to improve the performance. After analyzing NIDS' process procedure, an effective parallel processing structure was devised, which guaranteed threads on different CPUs running in parallel. Moreover, the synchronization method of threads proposed avoided the mutually exclusive access to the shared resource, which further increased the parallelity of threads, and guaranteed the correctness of the functionality of the program. Experiments show that the NIDS implemented on a SMP system with dual CPUs is almost 80% faster than the one based on a system with unique CPU.

Yixuan Zhang,Meiting Xue,Huan Zhang,Shubiao Liu,Bei Zhao

DOI: https://doi.org/10.1587/transfun.2022eap1062

2023-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Network traffic control and classification have become increasingly dependent on deep packet inspection (DPI) approaches, which are the most precise techniques for intrusion detection and prevention. However, the increasing traffic volumes and link speed exert considerable pressure on DPI techniques to process packets with high performance in restricted available memory. To overcome this problem, we proposed dual cuckoo filter (DCF) as a data structure based on cuckoo filter (CF). The CF can be extended to the parallel mode called parallel Cuckoo Filter (PCF). The proposed data structure employs an extra hash function to obtain two potential indices of entries. The DCF magnifies the superiority of the CF with no additional memory. Moreover, it can be extended to the parallel mode, resulting in a data structure referred to as parallel Dual Cuckoo filter (PDCF). The implementation results show that using the DCF and PDCF as identification tools in a DPI system results in time improvements of up to 2% and 30% over the CF and PCF, respectively.

Xueqin Zhang,Yifeng Zhang,Chunhua Gu

DOI: https://doi.org/10.4304/jcp.9.5.1117-1124

2014-01-01

Journal of Computers

Abstract:The network anomaly detection technology based on support vector machine (SVM) can efficiently detect unknown attacks or variants of known attacks, however, it cannot be used for detection of large-scale intrusion scenarios due to the demand of computational time. The graphics processing unit (GPU) has the characteristics of multi-threads and powerful parallel processing capability. Based on the system structure and parallel computation framework of GPU, a parallel algorithm of SVM, named GSVM, is proposed. Extensive experiments were carried out onKDD99 and other large-scale datasets, the results showed that GSVM significantly improves the efficiency of intrusion detection, while retaining detection performance.

Chengcheng Xu,Shuhui Chen,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1007/978-3-319-27161-3_10

2015-01-01

Abstract:Regular expression matching is widely used in content-aware applications, such as NIDS and protocol identification. However, wire-speed processing for large scale patterns still remains a great challenge in practice. Considering low hit rates in NIDS, a compact and efficient pre-filter is firstly proposed to filter most normal traffics and leave few suspicious traffics for further pattern matching. Experiment results show that, the pre-filter achieves a big improvement in both space and time consumption with its compact and efficient structure.

Zhuojun Zhuang,Yuan Luo,Minglu Li,Chuliang Weng

DOI: https://doi.org/10.1109/NPC.2008.66

2008-01-01

Abstract:As network becomes faster, there is an emergence need for parallel intrusion detection techniques to keep up with the rapid increase in link speed. Resource scheduling plays a key role in parallel detection schemes. Its primary function is to assist a parallel network-based intrusion detection system (NIDS) to achieve high performance in network environment. In this paper, we introduce an abstract NIDS model and a related new resource scheduling strategy on multi-core platform. This strategy provides a resource configuration scheme by comprehensively considering many performance metrics. Preliminary examples demonstrate the effectiveness of our approach and present a first experimental evaluation.