An Active Traffic Splitter Architecture for Intrusion Detection
Ioannis Charitakis, Institute of Computer Science, Foundation of Research And Technology Hellas (FORTH)
Joint work with: Evangelos Markatos (FORTH), Kostas Anagnostakis (UPENN)
Overview
• Introduction
  • Snort and Network Intrusion Detection Systems
  • NIDS: a highly intensive operation
  • Simple Splitter
• An Active Traffic Splitter
  • Light-weight functionality: Early Filtering and Locality Buffers
  • Improves NIDS performance by up to 19%
• Summary and Future Work
Introduction
• Snort (www.snort.org)
  • Passive Network Monitoring
  • 1500-1700 rules (grouped by application)
  • Highly Intensive Operation
• Current Snort Performance
  • One high-end PC: 300-400 Mbit/s
  • Multi-gigabit links?
  • Multiple Sensors
Simple Splitter
[Figure: a high-rate single link enters the SPLITTER, which finds the target sensor for each packet and forwards it over lower-rate multiple links to the SENSORS, each running SnortV2.]
Motivation: Use an Active Splitter
• Move simple IDS functionality from sensor to splitter
  • Use of Early Filtering (EF)
  • Use of Locality Buffering (LB)
• Enhance performance of each sensor transparently
  • No need to modify sensors
Active Splitter Architecture
[Figure: inside the ACTIVE SPLITTER, EF reduces the number of packets to process, "Find target Sensor" assigns each remaining packet to a sensor, and a per-sensor LB (traffic shaping) stage feeds the SENSORS, each running SnortV2.]
Active Splitter Feature: EF
• Early Filtering
  • Discard packets before reaching any sensor
  • Fewer packets to process, fewer interrupts
[Figure: packets enter Early Filtering, which checks small packets (no payload) against the header-only rules (10% of all rules); on "No match" the packet is dropped, otherwise it continues to "Further processing".]
Active Splitter Feature: LB
• Locality Buffers
  • Group similar packets together
  • Enhance performance of cache memory
[Figure, two animation steps: the packet stream "web p2p ftp web p2p" enters the locality buffers and reaches SnortV2 reordered as "ftp web web p2p p2p".]
LB: Implementation
[Figure: incoming packets are hashed on dst port into Locality Buffer 1, Locality Buffer 2, ... Locality Buffer N, which feed SnortV2.]
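Added illustration of the two splitter stages from the EF and LB slides above, written for this page and not the FORTH code: a Python model that drops payload-less packets matching no header-only rule, then hashes the survivors on destination port into locality buffers that are released as runs. The header-only port set, the trace and the flush-by-packet-count (instead of 256 KB) are constructed assumptions.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "dst_port payload_len")

# Constructed stand-in for Snort's header-only rules (~10% of the rule set):
# a packet to one of these ports can match a rule even with no payload.
HEADER_ONLY_PORTS = {22, 23}

def early_filter(packets):
    """EF stage. A packet with no payload can only match a header-only rule,
    so an empty packet whose header matches none is dropped at the splitter.
    Returns (kept_packets, number_dropped)."""
    kept, dropped = [], 0
    for p in packets:
        if p.payload_len > 0 or p.dst_port in HEADER_ONLY_PORTS:
            kept.append(p)
        else:
            dropped += 1
    return kept, dropped

def locality_buffer(packets, n_buffers, flush_at):
    """LB stage: hash on dst port into n_buffers and release each buffer as
    one run once it holds flush_at packets (the slides size buffers in bytes,
    256 KB per LB; packet count is a simplification). Leftovers flush at end."""
    buffers, out = defaultdict(list), []
    for p in packets:
        b = p.dst_port % n_buffers          # toy hash on destination port
        buffers[b].append(p)
        if len(buffers[b]) >= flush_at:
            out.extend(buffers.pop(b))
    for b in sorted(buffers):
        out.extend(buffers[b])
    return out

def adjacent_same_port(packets):
    """Locality metric: how often consecutive packets belong to the same
    application (port), i.e. the sensor's rule working set stays the same."""
    return sum(a.dst_port == b.dst_port for a, b in zip(packets, packets[1:]))

def run_splitter(packets, n_buffers=8, flush_at=2):
    kept, dropped = early_filter(packets)
    return locality_buffer(kept, n_buffers, flush_at), dropped

# Constructed trace in the spirit of the LB slide (web, p2p, ftp, web, p2p ...),
# with two empty packets: one web ACK (dropped) and one to port 22 (kept).
TRACE = [Packet(80, 300), Packet(6881, 900), Packet(21, 50), Packet(80, 0),
         Packet(6881, 1200), Packet(22, 0), Packet(80, 400)]
shaped, dropped = run_splitter(TRACE)
print(dropped, [p.dst_port for p in shaped], adjacent_same_port(shaped))
```

With this trace EF drops one packet and LB turns a stream with no two neighbouring same-application packets into one with two such runs, which is the cache-locality effect the slides rely on.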
Performance Measurements
• Simple Splitter versus:
  • Splitter/LB
  • Splitter/EF
  • Splitter/LB+EF
• Simulations
  • All measurements on the same machine
  • Trace (NLANR) split and shaped into several files
  • Snort v2 build 20
  • Measured processing time (user + system time)
Early Filtering Performance
• Number of packets with no content: 40% with no payload
• Reduction in system time: 16.8% (10.1 sec to 8.7 sec)
• Reduction in user time: 6.6% (45.67 sec to 42.66 sec)
• Combined reduction: 8%
LB + EF Performance
• Setup: 4 Sensors, 16 LBs, 256 KB per LB
• Aggregate User Time: 19.8% reduction (47.27 sec to 37.88 sec)
• Slowest Sensor: 14.4% reduction (12.38 sec to 10.93 sec)
Summary and Future Work
• Active Splitter
  • Early Filtering
  • Locality Buffers
• Enhances performance transparently
  • No need to change sensors
• Simulations are promising
• Future Work
  • Implementation