Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Yang Wu,Xiao-Chun Yun

DOI: https://doi.org/10.1007/978-3-540-30582-8_6

2005-01-01

Abstract:This paper presents and implements a high-performance network monitoring platform (HPNMP) for high bandwidth network intrusion detection system (NIDS). The traffic load on a single machine is heavily reduced in an operation mode of parallel cluster. An efficient user-level messaging mechanism is implemented and a multi-rule packet filter is built at user layer. The results of experiments indicate that HPNMP is capable of reducing the using rate of CPU while improving the efficiency of data collection in NIDS so as to save much more system resources for complex data analysis in NIDS. ...

王文奇,郑秋生,吴婷,李伟华

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.14.070

2008-01-01

Abstract:At present intrusion detection system(IDS) in high-speed network is a main point in security domain.The main problem and various restricted factors IDS faced in high-speed network is analyzed,and involved researches such as zero-copy technique and fast pattern matching model is introduced too.Finally,the distributed intrusion detection system based data-distribution is figured out as a good measure,and some remaining problems and emerging trends in this area is presented.

杨武,方滨兴,云晓春,张宏莉,胡铭曾

DOI: https://doi.org/10.3969/j.issn.1007-5321.2004.04.017

2004-01-01

Abstract:The performance bottleneck of the traditional network intrusion detection system (NIDS) is investigated in order to design and implement a high-performance distributed intrusion detection system (HDIDS) to detect network intruders by passively monitoring a network link. Experiments indicate that the data processing of our HDIDS is increased by about 3 times more than that of the traditional NIDS.

W Yang,BX Fang,B Liu,HL Zhang

DOI: https://doi.org/10.1016/j.comcom.2004.03.001

IF: 5.047

2004-01-01

Computer Communications

Abstract:The increasing network throughput challenges the current Network Intrusion Detection Systems (NIDS) to have compatible high-performance data processing. In this paper, we describe an in-depth research on the related techniques of high-performance network intrusion detection and an implementation of a Rule-based High-performance Network Intrusion Detection System (RHPNIDS) for high-speed networks. By integrating several performance optimizing methods, the performance of RHPNIDS is very impressive compared with the popular open source NIDS Snort.

Jia-chun LI,Ling ZHANG

DOI: https://doi.org/10.3321/j.issn:1000-436X.2006.z1.014

2006-01-01

Abstract:Nowadays it is hot and difficult to improve attack detection rate and processing capability of intrusion detection system on high-speed environment. Parallel IDS based on network processor (NPBPIDS) is researched and implemented in this paper. The following methods are incorporated to improve system performance: the first is the use of IXP2400 network processor, where the traffics are collected speedily and splitted so as to keep streams as evenly loaded as possible. Early filtering of no payload packets and session-oriented dynamic feedback load balancing algorithm are used in traffic splitter. The second is the use of host arrays where the content of traffics with payload are detected. The experimental results demonstrate that it is availability and feasibility.

Hai-guang LAI,Hao HUANG,Jun-yuan XIE

2005-01-01

Journal of Computer Applications

Abstract:Network-based intrusion detection system (NIDS) detects attacks by capturing and analyzing network packets. As network band increases, NIDS can hardly keep up with the speed of networks. A method of improving NIDS' process ability using symmetric multi-processor (SMP) was proposed in the paper. Several CPUs of the system were used to process network packets in parallel to improve the performance. After analyzing NIDS' process procedure, an effective parallel processing structure was devised, which guaranteed threads on different CPUs running in parallel. Moreover, the synchronization method of threads proposed avoided the mutually exclusive access to the shared resource, which further increased the parallelity of threads, and guaranteed the correctness of the functionality of the program. Experiments show that the NIDS implemented on a SMP system with dual CPUs is almost 80% faster than the one based on a system with unique CPU.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

YAO Jun-Xi,LIANG Gang,GONG Xun,HAN Zhong-Qiu

DOI: https://doi.org/10.3969/j.issn.0490-6756.2010.02.010

2010-01-01

Abstract:Requirements for a high-quality Intrusion Prevention System(IPS)are becoming more and more demanding with the wide use of high speed Ethernet and increasing complexity of network intrusion. By the analysis of the working principles in the traditional IPS,a improved IPS based on the multicore processor is designed and implemented.In this system,multicore processing units are divided into groups among which the data can be transmitted by building shared cache queues.In this way,IPS can work parallelized with a multicore processor.The results of our experiments demonstrate that the efficiency is greatly enhanced and that the packet loss ratio decreases.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Wenbao Jiang,Hua Song,Yiqi Dai

DOI: https://doi.org/10.1016/j.cose.2004.07.005

2005-01-01

Abstract:Network-based intrusion detection systems (NIDSs) frequently have problems with handling heavy traffic loads in real-time, which result in packet loss and false negatives. This paper presents a high-performance network intrusion detection system, called HPMonitor, which combines a high-efficiency detection engine and a load-balancing device to address these problems. The paper describes HPMonitor's system architecture, discusses a flow-based dynamic load-balancing algorithm called dynamic least load first (DLLF) algorithm, and introduces a new multi-pattern string matching algorithm called shift max algorithm (SMA). The test results reveal that the DLLF algorithm is an effective balancing algorithm for NIDS. Meanwhile, the experimental results show that the SMA algorithm is faster in searching large sets of patterns when compared with other algorithms, and its performance is affected little when the patterns set number increases.

WENG Wen-xiang,QIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.04.035

2009-01-01

Abstract:Network Intrusion Detection and Prevention Systems are full of vitality in the fight against network intrusions.Network Intrusion Prevention System(NIPS)search for certain malicious content based on signatures and filter network traffic.Matching all traffic with these signatures is a challenge to high-speed networks.In this paper,the concept of network intrusion prevention system and its features are described.Then it introduces in detail the composition and structure of Intel High-Speed Network Processor is discussed,and analyzes the basic theory of IPS analyzed.Finally,the NIPS design and an implementation based on Intel High-Speed Network Processor is given.

Yindong Xiao,Houjun Wang,Shulin Tian

2012-01-01

Abstract:The requirement for deploying network based intrusion detection system (NIDS) in high speed network is analyzed. A packet header parsing method is proposed, which features high transmission throughput and flexible protocol support. Four-bus architecture based on finite state machine (FSM) is applied to support flexible protocols. The FSM module status transition is optimized with pipeline technique in a single clock time, so that the packet header can be parsed in the same pace of input data. This method was implemented and tested in an FPGA, and the result proves that the proposed method not only provides high speed parsing capability, but also supports all kinds of flexible protocols, including shim protocol. Especially, the resource usage of the method is considerably low.

WU Guo-wei,BI Ling,WANG Shi-yi

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.044

2005-01-01

Abstract:The main problem which needs to be sloved in high speed network is how to improve the detecting speed and efficiency.In this paper,the interrupt mitigation and zero copy method are adopted to improve the packet capturing performance of Snort system based on Linux,to achieve high speed rules matching,and an improved pattern matching algorithm based on BM is given.Experiment platform is set up to test the performance.Experiments show that the authors' proposal can obviously enhance the system's performance to Snort.

蔡志平,刘书昊,王晗,曹介南,徐明

DOI: https://doi.org/10.3778/j.issn.1673-9418.1212017

2013-01-01

Abstract:The performance of single setup based network intrusion detection system (NIDS) is used to be improved by using custom hardware or modifying detection algorithms, but it wouldn’t meet the requirement for link speed up to 10 Gb/s. Parallel detection using multi detection sensors is the import way to implement the high performance intrusion detection. The parallel detection system can coordinately use multiple detection sensors to detect intrusions in parallel, which characterizes it with high performance and scalability. This paper summarizes the challenges of keeping the proof used for detecting attacks and balancing the load among sensors, and discusses various solutions to the challenges. This paper also considers the advantages of existing parallel detection technologies, proposes a uniformed parallel detection architecture (UPDA) that supports parallel detection with multi detection sensors. Based on NetMagic platform and UPDA, this paper designs and implements a parallel intrusion detection prototype system, and evaluates its performance in the network environment.

Ziqian Wan,Gang Liang,Tao Li

DOI: https://doi.org/10.4304/jnw.7.9.1327-1333

2012-01-01

Journal of Networks

Abstract:It is becoming increasingly hard to build an intrusion detection system (IDS), because of the higher traffic throughput and the rising sophistication of attacking. Scale will be an important issue to address in the intrusion detection area. For hardware, tomorrow’s performance gains will come from multi-core architectures in which a number of CPU executes concurrently. We take the advantage of multi-core processors’ full power for intrusion detection in this work. We present an intrusion detection system based on the Snort open-source IDS that exploits the computational power of MIPS multi-core architecture to offload the costly pattern matching operations from the CPU, and thus increase the system’s processing throughput. A preliminary experiment demonstrates the potential of this system. The experiment results indicate that this method can be used effectively to speed up intrusion detection systems.

Gang Liu,Wei Quan,Nan Cheng,Ning Lu,Hongke Zhang,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162975

2020-01-01

Abstract:Due to improving computational capacity of super-computers, transmitting encrypted packets via one single network path is vulnerable to brute-force attacks. The versatile attackers secretly eavesdrop all the packets, classify packets into different streams, performs an exhaustive search for the decryption key, and extract sensitive personal information from the streams. However, new Internet Protocol (IP) brings great opportunities and challenges for preventing eavesdropping attacks. In this paper, we propose a Programming Protocol-independent Packet Processors (P4) based Network Immune Scheme (P4NIS) against the eavesdropping attacks. Specifically, P4NIS is equipped with three lines of defense to improve the network immunity. The first line is promiscuous forwarding by splitting all the traffic packets in different network paths disorderly. Complementally, the second line encrypts transmission port fields of the packets using diverse encryption algorithms. The encryption could distribute traffic packets from one stream into different streams, and disturb eavesdroppers to classify them correctly. Besides, P4NIS inherits the advantages from the existing encryption-based countermeasures which is the third line of defense. Using a paradigm of programmable data planes-P4, we implement P4NIS and evaluate its performances. Experimental results show that P4NIS can increase difficulties of eavesdropping significantly, and increase transmission throughput by 31.7% compared with state-of-the-art mechanisms.

Xie Da-bin,Liang Gang

DOI: https://doi.org/10.3969/j.issn.1671-0428.2013.03.003

2013-01-01

Abstract:With the popularization of high-speed network,the traditional intrusion prevention system in high speed packet capture and real-time processing,has already can't meet the requirements of the performance.The paper proposed a kind of high performance intrusion prevention system,PF_RING DNA Intrusion Prevention System: PDIPS.PDIPS run on general multi-core platform,it used the PF_RING DNA technology to realize the packet capture in wire speed,at the same time,multithreading and CPU binding technology is used for parallel packets processing,to improve the overall performance.The test results show that under the same test environ-ment,PDIPS compared to traditional intrusion prevention scheme in performance has preferably improved,can adapt to the needs of the gigabit environment.

YU Rong,SUN Zhi,CHEN Jia,MEI Shunliang,DAI Yiqi

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.10.022

2005-01-01

Abstract:Intrusion detection technology is an indispensable way to protect the network security.This paper presents a high-speed intrusion detection system(IDS framework based on network processor and detection cluster.Two hardware algorithms were developed for the traffic distributor.One is the high-speed data-receiving program with the IXP1200 network processor,while the other is the load balance policy based on the destination media access control(MAC address.Tests show that the first algorithm achieves more than(1 Gb/s data-capturing ability,while the second algorithm is a satisfactery trade-off between protecting information integrity and reducing computational complexity.