A Parallel Architecture for Stateful, High-Speed Intrusion Detection

  • Conference paper
Information Systems Security (ICISS 2008)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5352)

Abstract

Network bandwidth has grown faster than processing power, which has made stateful intrusion detection on high-speed networks more difficult and, in certain cases, impossible. The problem of real-time stateful intrusion detection in high-speed networks cannot easily be solved by optimizing the packet matching algorithm used by a single centralized process, nor by resorting to custom-developed hardware. Instead, a parallel approach is needed that decomposes the problem into subproblems of manageable size. We present a novel parallel matching algorithm for the signature-based detection of network attacks. The algorithm performs stateful signature matching and has been implemented using only off-the-shelf components. Our initial experiments confirm that, by making the rule matching process parallel, it is possible to achieve a scalable implementation of a stateful, network-based intrusion detection system.
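As an added illustration of the problem the abstract states (example code written for this page, not the paper's algorithm or its implementation): a toy parallel, stateful signature matcher. Packets are spread over N worker slices; each slice keeps private per-flow state and matches a multi-step signature. The signature, the addresses and the packet trace are constructed for the example. It shows why the decomposition has to respect the state a signature depends on: hashing on the flow key keeps every packet of a connection on one slice, so the three-step signature is detected for any N, whereas round-robin distribution scatters the flow across slices and the same attack is missed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Packet:
    """Constructed minimal packet; the protocol is assumed to be TCP."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def flow_key(p: Packet) -> tuple:
    """Direction-independent key so both halves of one conversation map
    to the same per-flow state (and, under flow-hash partitioning, to the
    same slice)."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b))


# A stateful signature: ordered per-packet predicates that must all fire,
# in order, within one flow.  Constructed example: an FTP USER command,
# a 530 rejection from the server, then a second USER command.
Step = Callable[[Packet], bool]
LOGIN_RETRY_SIGNATURE: list[Step] = [
    lambda p: p.dport == 21 and p.payload.startswith(b"USER "),
    lambda p: p.sport == 21 and p.payload.startswith(b"530 "),
    lambda p: p.dport == 21 and p.payload.startswith(b"USER "),
]


@dataclass
class Slice:
    """One worker with a private table: flow -> index of the next step."""
    signature: list
    progress: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def process(self, p: Packet) -> None:
        key = flow_key(p)
        i = self.progress.get(key, 0)
        if self.signature[i](p):
            i += 1
            if i == len(self.signature):   # whole sequence seen in this flow
                self.alerts.append(key)
                i = 0
        self.progress[key] = i


def by_flow_hash(n: int) -> Callable[[int, Packet], int]:
    """Send every packet of a flow to the same slice."""
    def pick(_seq: int, p: Packet) -> int:
        digest = hashlib.sha256(repr(flow_key(p)).encode()).digest()
        return int.from_bytes(digest[:4], "big") % n
    return pick


def round_robin(n: int) -> Callable[[int, Packet], int]:
    """Naive load balancing that ignores flows (the wrong choice here)."""
    return lambda seq, _p: seq % n


def run_parallel(packets, n, partition, signature) -> list:
    """Feed packets to n slices through `partition`; return all alerts."""
    slices = [Slice(signature) for _ in range(n)]
    for seq, p in enumerate(packets):
        slices[partition(seq, p)].process(p)
    return [a for s in slices for a in s.alerts]


C, S = "10.0.0.5", "192.0.2.10"          # constructed addresses
TRACE = [                                  # constructed packet trace
    Packet(C, S, 40000, 21, b"USER alice\r\n"),
    Packet(S, C, 21, 40000, b"331 Password required\r\n"),
    Packet(C, S, 40000, 21, b"PASS hunter2\r\n"),
    Packet(S, C, 21, 40000, b"530 Login incorrect\r\n"),
    Packet(C, S, 40000, 21, b"USER alice\r\n"),
    Packet("10.0.0.6", "192.0.2.20", 40001, 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for name, part in (("round-robin", round_robin(4)), ("flow-hash", by_flow_hash(4))):
        alerts = run_parallel(TRACE, 4, part, LOGIN_RETRY_SIGNATURE)
        print(f"{name:12s} slices=4 alerts={len(alerts)}")
```

Per-flow partitioning is enough for signatures whose state is scoped to a single connection. A signature whose state spans many flows, such as a detector for a scan that touches many hosts, is not served by this split: its packets land on different slices, so either the slices must exchange state or the partition key must be chosen to match the signature's scope. How much state a decomposition forces the slices to share is what decides whether such an architecture scales, which is the question the abstract raises.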

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

Cite this paper

Foschini, L., Thapliyal, A.V., Cavallaro, L., Kruegel, C., Vigna, G. (2008). A Parallel Architecture for Stateful, High-Speed Intrusion Detection. In: Sekar, R., Pujari, A.K. (eds) Information Systems Security. ICISS 2008. Lecture Notes in Computer Science, vol 5352. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89862-7_18

  • DOI: https://doi.org/10.1007/978-3-540-89862-7_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-89861-0

  • Online ISBN: 978-3-540-89862-7