Efficient Distributed Signature Analysis

  • Conference paper
Managing the Dynamics of Networks and Services (AIMS 2011)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 6734)

Abstract

Intrusion Detection Systems (IDS) have proven to be a valuable measure for coping reactively with attacks in the Internet. The growing complexity of IT systems, however, rapidly increases audit data volumes and the size of signature bases. This forces an IDS to drop audit data in high-load situations, which gives attackers the chance to act undetected. To tackle this issue we propose an efficient and adaptive analysis approach for multi-step signatures that is based on a dynamic distribution of analyses. We propose different optimization strategies for an efficient distribution of the analysis and evaluate the strengths and weaknesses of each strategy using a prototype implementation.
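The abstract turns on two facts about multi-step signatures: a signature instance carries state across several audit events, and an overloaded analyser drops audit data, so a single lost event can be the one that would have completed the signature. The following Python example is added here to make both points concrete; it is not the authors' prototype or any code from the paper. It shows an overloaded single analyser missing the final step of an attack, a round-robin distribution that stays within capacity but splits one signature instance's state across workers (and therefore also misses it), and routing by the signature's correlation key, which keeps every event of an instance on one worker. The signature (three failed logins, a successful login, then a privilege escalation from the same source), the audit stream, the per-worker capacity and the two routing policies are all constructed for illustration; they are not the optimization strategies the paper evaluates.

```python
"""Multi-step signature analysis under load: single analyser vs. distributed.

Added illustration, not the prototype from the paper. It models two points
from the abstract: a multi-step signature carries per-instance state across
several audit events, and an overloaded analyser drops audit data, which can
lose exactly the event that would complete a signature. The routing policies
below (round-robin, and by correlation key) are simple assumptions for
illustration, not the optimization strategies the paper evaluates.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str   # "login_fail", "login_ok" or "priv_esc"
    src: str    # source address, used as the signature's correlation key
    user: str


# Signature (constructed for this example): at least FAIL_THRESHOLD failed
# logins from one source within WINDOW seconds, then a successful login from
# that source, then a privilege escalation by the same source.
FAIL_THRESHOLD = 3
WINDOW = 60.0


@dataclass
class SigState:
    fails: list = field(default_factory=list)
    logged_in: bool = False


class Analyzer:
    """One analysis unit that can handle at most `capacity` events per batch."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.states = defaultdict(SigState)   # one signature instance per source
        self.alerts = []
        self.dropped = 0

    def process(self, events):
        for i, ev in enumerate(events):
            if i >= self.capacity:
                self.dropped += 1          # audit data lost under overload
                continue
            self._step(ev)

    def _step(self, ev):
        st = self.states[ev.src]
        if ev.kind == "login_fail":
            recent = [t for t in st.fails if ev.ts - t <= WINDOW]
            st.fails = recent + [ev.ts]
        elif ev.kind == "login_ok" and len(st.fails) >= FAIL_THRESHOLD:
            st.logged_in = True
        elif ev.kind == "priv_esc" and st.logged_in:
            self.alerts.append((ev.src, ev.user, ev.ts))
            del self.states[ev.src]        # signature instance completed


def route_round_robin(ev, index, n):
    return index % n


def route_by_source(ev, index, n):
    # Any deterministic function of the correlation key works; a real system
    # would hash it. The integer address keeps the example easy to follow.
    return int(ipaddress.IPv4Address(ev.src)) % n


def run(events, n_workers, capacity, route=route_by_source):
    """Distribute `events` over `n_workers` analysers; return (alerts, dropped)."""
    workers = [Analyzer(capacity) for _ in range(n_workers)]
    buckets = defaultdict(list)
    for i, ev in enumerate(events):
        buckets[route(ev, i, n_workers)].append(ev)   # keeps per-bucket order
    for w_id, w in enumerate(workers):
        w.process(buckets[w_id])
    alerts = [a for w in workers for a in w.alerts]
    return alerts, sum(w.dropped for w in workers)


def make_events():
    """Constructed audit stream: one attack from 10.0.0.5 among benign logins."""
    evs = [Event(float(i), "login_ok", f"10.0.1.{i % 8}", "alice") for i in range(40)]
    t0 = 10.0
    evs += [Event(t0 + i, "login_fail", "10.0.0.5", "root") for i in range(3)]
    evs.append(Event(t0 + 5, "login_ok", "10.0.0.5", "root"))
    evs.append(Event(t0 + 6, "priv_esc", "10.0.0.5", "root"))
    evs.sort(key=lambda e: e.ts)           # stable sort: attack steps stay ordered
    return evs


if __name__ == "__main__":
    evs = make_events()
    print("single, capacity 50:", run(evs, 1, 50))
    print("single, capacity 20:", run(evs, 1, 20))
    print("4 workers, round-robin:", run(evs, 4, 20, route_round_robin))
    print("4 workers, by source:", run(evs, 4, 20))
```

With 45 events and a per-analyser capacity of 20, the single analyser processes the three failures and the successful login but drops the privilege escalation, so it raises no alert and loses 25 events. Round-robin over four workers drops nothing, yet no worker sees all of the attack's steps and the signature never completes. Routing by source keeps the five attack events on one worker, stays within capacity and produces the alert, which is why a distribution scheme for multi-step signatures has to respect the signature's correlation key rather than only balance event counts.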




Copyright information

© 2011 IFIP International Federation for Information Processing

About this paper

Cite this paper

Vogel, M., Schmerl, S., König, H. (2011). Efficient Distributed Signature Analysis. In: Chrisment, I., Couch, A., Badonnel, R., Waldburger, M. (eds) Managing the Dynamics of Networks and Services. AIMS 2011. Lecture Notes in Computer Science, vol 6734. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21484-4_2

  • DOI: https://doi.org/10.1007/978-3-642-21484-4_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-21483-7

  • Online ISBN: 978-3-642-21484-4
