Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Chen Guanlin,Feng Yan,Wang Zebing

DOI: https://doi.org/10.3969/j.issn.1000-0801.2010.10.014

2010-01-01

Abstract:Nowadays wireless intrusion prevention systems have become the research hotspot with the fast development of WLAN.In this paper,we first introduce the common attack methods for WLAN,and then present the framework of the wireless IPS with a distributed pre-decision engine,which can predict the future actions and direct active responses to these actions.We implement an improved model with extended detection rules for conducting intrusion plan and making pre-decision,by gathering wireless device information and importing supporting degree of intrusion plan in plan recognition.Experimental results showed that the distributed pre-decision engine can not only improve wireless intrusion detection and prevention performance,also reduce false negatives and false positives evidently.

CHEN Hong-tao,CHEN De-ren,GU Xue-fei

2005-01-01

Abstract:Content filtering is an indispensable important part in the network security field.It analyses the information transported in application layer content protocol and controls the forwarding of the information based on the filtering rules.Network Processor is a new generation programmable processor of high speed for carrying out data processing and transmitting.With its obvious advantages in network data processing,the network processor becomes the essential component in high-speed network equipment which supports network functions,such as operation management、security and network monitoring,etc.Based on the advantage of network processor,this paper presented an implementation of an Intel IXP2400 network processor-based content filtering system.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Hai-guang LAI,Hao HUANG,Jun-yuan XIE

2005-01-01

Journal of Computer Applications

Abstract:Network-based intrusion detection system (NIDS) detects attacks by capturing and analyzing network packets. As network band increases, NIDS can hardly keep up with the speed of networks. A method of improving NIDS' process ability using symmetric multi-processor (SMP) was proposed in the paper. Several CPUs of the system were used to process network packets in parallel to improve the performance. After analyzing NIDS' process procedure, an effective parallel processing structure was devised, which guaranteed threads on different CPUs running in parallel. Moreover, the synchronization method of threads proposed avoided the mutually exclusive access to the shared resource, which further increased the parallelity of threads, and guaranteed the correctness of the functionality of the program. Experiments show that the NIDS implemented on a SMP system with dual CPUs is almost 80% faster than the one based on a system with unique CPU.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

YU Rong,SUN Zhi,CHEN Jia,MEI Shunliang,DAI Yiqi

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.10.022

2005-01-01

Abstract:Intrusion detection technology is an indispensable way to protect the network security.This paper presents a high-speed intrusion detection system(IDS framework based on network processor and detection cluster.Two hardware algorithms were developed for the traffic distributor.One is the high-speed data-receiving program with the IXP1200 network processor,while the other is the load balance policy based on the destination media access control(MAC address.Tests show that the first algorithm achieves more than(1 Gb/s data-capturing ability,while the second algorithm is a satisfactery trade-off between protecting information integrity and reducing computational complexity.

WU Ji-yi,PING Ling-di,FAN Rong,Zhijie Lin

2008-01-01

Abstract:With the increasing demand of computer networks security,the distributed intrusion detection technology becomes an important research area.However,the traditional distributed intrusion detection systems have some shortcomings in certain aspects,such as distributivity,flexibility,interoperability,detecting efficiency,and insider threat avoidance etc.To deal with the insider threat more effectively,P2P overlay IDS based on an adaptive trust alert correlation was proposed.Under JXTA P2P framework,a P2P overlay IDS prototype system was implemented,and its effectiveness to prevent the spread of a real Internet worm was evaluated over an emulated network.The experiment results show the P2P overlay IDS significantly increases the overall survival rate of vulnerable peers in network.

Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

Xiao-ning KANG,Dong-xing JIANG,Cheng ZHANG,Qi-xin LIU,Lin ZHOU,Hai-yan WU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.11.014

2005-01-01

Abstract:Network security is getting more important as the Internet evolves.Attacks like DoS,DDoS have become major attack methods on gigabit networks,not to mention the worms have used up network bandwidth.Traditional IDSes could not handle massive network data efficiently or block detected attacks in time.Focusing on those problems,this paper designed a distributed intrusion detection and blocking system which can run on high-speed networks efficiently,which is also known as IPS(Intrusion Prevention System).

JM Yu,J Li

2005-01-01

Abstract:At the heart of almost every modern Network Intrusion Detection System (NIDS), there is a pattern matching engine (PME). As pattern matching is the most time consuming operation in NIDS, it is highly desired to reduce the pattern matching time of each packet or flow. This paper proposed a parallel pattern matching algorithm based on Aho-Corasick (AC) algorithm and an efficient load balance policy for it. The method is implemented on Intel's IXP2850 Network Processor (NP). Experimental results show that when using eight processors, the pattern matching time of each packet or flow can decrease to 60.44%similar to 14.42%. Based on the parallel algorithm, a PME utilizing parallel processing on three levels is proposed. Experimental results on IXP2850 show that the throughput speedup of pattern matching is 13.34 similar to 55.48 times.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

CHEN Jia,SI Tiange,DAI Yiqi

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.13.058

2006-01-01

Abstract:Intrusion detection technology is an indispensable way to keep the network safety. This paper proposes an intrusion detection system (IDS) framework based on network processor and detecting cluster. The possibility of functioning the distributor by IXP1200 and the key algorithms of the distributor are discussed. The result shows that the distributor can achieve a more than 1000Mbps data-capturing ability, and the load balance policy based on CAM is a satisfying trade-off on protecting the information integrity and reducing the computing complexity.

Wenbao Jiang,Hua Song,Yiqi Dai

DOI: https://doi.org/10.1016/j.cose.2004.07.005

2005-01-01

Abstract:Network-based intrusion detection systems (NIDSs) frequently have problems with handling heavy traffic loads in real-time, which result in packet loss and false negatives. This paper presents a high-performance network intrusion detection system, called HPMonitor, which combines a high-efficiency detection engine and a load-balancing device to address these problems. The paper describes HPMonitor's system architecture, discusses a flow-based dynamic load-balancing algorithm called dynamic least load first (DLLF) algorithm, and introduces a new multi-pattern string matching algorithm called shift max algorithm (SMA). The test results reveal that the DLLF algorithm is an effective balancing algorithm for NIDS. Meanwhile, the experimental results show that the SMA algorithm is faster in searching large sets of patterns when compared with other algorithms, and its performance is affected little when the patterns set number increases.

Donghua Ruan,Chuang Lin,Zhen Chen,Jia Ni,Peter D. Ungsunan

DOI: https://doi.org/10.1109/ICCT.2006.341843

2006-01-01

Abstract:Traffic measurement is important in network management, accounting, worm detection, etc. It becomes more and more difficult today and cannot keep pace with the increasing speed of today's internet. Many new algorithms and hardware have been proposed to solve this problem. Network Processors, known for its nice tradeoff between performance and programming flexibility, are chosen as the platform. The goal of this paper is to find a suitable algorithm based on NPs to handle high speed network traffic measurement. Four algorithms, Raw measurement, Sampling, Multi-stage Filter and Multi-Resolution Space Code Bloom Filter (MRSCBF) are implemented and evaluated on Intel's IXP 2400 network processor. The results reveal that Sampling and Multi-stage Filters can fully exploit the parallel and heterogeneous architecture of network processor, so are suitable for high speed network traffic measurement on the network processor platform. MRSCBF, on the other hand, is not so efficient on network processors because of its complex process and frequent memory access.

Hai-Guang LAI,Hao HUANG,Jun-Yuan XIE

DOI: https://doi.org/10.3321/j.issn:0254-4164.2007.04.007

2007-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:As the band of networks increases, the process speed of network-based intrusion detection systems (NIDSes) hardly keep up with the speed of networks. By arranging several sensors to deal with the traffic in parallel, the intrusion detection system's speed can be significantly increased. How to split the traffic to the sensors is the key problem of a parallel intrusion detection system. To resolve the problems, load balance, attack evidence keeping, and efficiency have to be concerned. Existing traffic partition algorithms cannot satisfy these requirements well, especially load balance, which directly affect the performance of a parallel intrusion detection system. A traffic partition algorithm called PABCS is proposed in the paper, which splits the traffic according to connections' states. PABCS provides better load balance than the usually used hash-based algorithm and guarantees that no attacks evidence for intrusion detection is lost after partition. Moreover, in the experiment, the algorithm's process speed reaches 1 Gbps.

Xinming Chen,Yiyao Wu,Lianghong Xu,Y. Xue

2009-01-01

Abstract:As security threats and network bandwidth increase in a very fast pace, there is a growing interest in designing highperformance network intrusion detection system (NIDS). This paper presents a parallelization strategy for the popular open-source Snort to build a high performance NIDS on multi-core IA platform. A modular design of parallel NIDS based on Snort is proposed in this paper. Named Para-Snort, it enables flexible and easy module design. This paper also analyzed the performance impact of load balancing and multi-pattern matching. Modified-JSQ and AC-WM algorithms are implemented in order to resolve the bottlenecks and improve the performance of the system. Experimental results show that Para-Snort achieves significant speedup of 4 to 6 times for various traces with a 7-thread parallelizing test setup.

JIANG Wenbao,HAO Shuang,DAI Yiqi,LIU Tinghua

DOI: https://doi.org/10.3321/j.issn:1000-0054.2006.01.028

2006-01-01

Abstract:The performance of high-speed network intrusion detection systems(nIDSs) is improved by load balancing algorithms developed for high-speed nIDSs.Three load balancing policies were analyzed to develop a flow-based dynamic load balancing algorithm based on nIDSs using multiple detection engines.The algorithm divides the data stream according to the current value of each detection engine's load using a dynamic feed and prediction mechanism.The incoming data packets for a new session are forwarded to the engine that currently has the lightest load.Test results show that the algorithm performs better than the Round Robin algorithm,especially when a large number of concurrent detection engines are used in heavy network traffic environments.