Sciweavers

ISPASS
2008
IEEE

Conservative vs. Optimistic Parallelization of Stateful Network Intrusion Detection

14 years 5 months ago
Conservative vs. Optimistic Parallelization of Stateful Network Intrusion Detection
This paper presents and experimentally evaluates two parallelization strategies for the popular open-source Snort network intrusion detection system (NIDS). Snort identifies intrusion attempts by processing a ruleset, a file which specifies various protocolbased, string-based, and regular-expression-based signatures associated with known attacks. As attacks proliferate, NIDS becomes increasingly important. However, the computational requirements of intrusion detection are great enough to limit average achievable throughput to 557 Mbps on a commodity server-class PC — just over half the link-level bandwidth. The strategies studied in this paper accelerate the performance of Snort by parallelizing rule processing while still maintaining the shared state information required for correct operation. The conservative version proposed here parallelizes ruleset processing at the level of TCP/IP flows, as any potential inter-packet dependences are confined to a single flow. Any single ...
Derek L. Schuff, Yung Ryn Choe, Vijay S. Pai
Added 31 May 2010
Updated 31 May 2010
Type Conference
Year 2008
Where ISPASS
Authors Derek L. Schuff, Yung Ryn Choe, Vijay S. Pai
Comments (0)