1 / 11

O pen BIDS a NIDS

Sujayyendhiren, Kaiqi Xiong, Minseok Kwon. O pen BIDS a NIDS. Experimental Setup OpenBIDS. High Level Architecture. Detailed Architecture. Metadata – Kernel to Userspace. Bloom Filter Configuration. Signature Format.

airlia
Download Presentation

O pen BIDS a NIDS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sujayyendhiren, Kaiqi Xiong, Minseok Kwon OpenBIDS a NIDS

  2. Experimental Setup OpenBIDS

  3. High Level Architecture

  4. Detailed Architecture

  5. Metadata – Kernel to Userspace

  6. Bloom Filter Configuration

  7. Signature Format • <transport:"tcp"> <sport:"20"> <dport:"40"> <content:"Virus"> <action:"DROP"> <message:"Dropping the packet"> • <transport:"udp"> <sport:"30"> <dport:"40"> <content:"Danger|fffe|"> <action:"FORWARD"> <offset:"10"> <message:"Fwd the packet"> • <transport:"udp"> <sport:"*"> <dport:"*"> <content:"Not malicious"> <action:"LOG"> <message:"Not malicious packet">

  8. Current Features • OpenBIDS offers the feature of adding bloom filter rules at run time. • If a signature match is identified by bloom filter, it is followed by a hashtable lookup in the user space. On successful lookup , a relevant rule is added dynamically into flow table using OpenFlow framework. • Multiple pattern matching for each data plane packet. • Bloom filter parameters like ‘k’ , ‘m’ are configured statically at compile time.

  9. Sample Statistics

  10. Targets • Parallelizing multiple pattern matching. • Optimizing memory operations like memory copying and memory initializations. • Instead of exhaustive matching of data packet for signatures, feedback based increase in checking for multiple patterns i.e. if a lookup match is identified as false positive by user space then gradually increase the number of pattern matches for a flow.

  11. Demo

More Related