The Design Principles of High-Speed NIDS Considering Performance - PowerPoint PPT Presentation
1
The Design Principles of High-Speed NIDS
Considering Performance
  • PARA04 Workshop on the State-of-the-Art in Scientific Computing
  • June 23, 2004
  • Jongwoon Park?, Keewan Hong, Kiyoong Hong (Secuve Co., Ltd.)
  • Bongnam No (Chonnam University)
  • Dongkyu Kim (Ajou University)
  • Contact: hizcool_at_secuve.com

2
Contents
  • Overviews
  • Reference Models
  • Performance-Decision Factors
  • Design Principles
  • Evaluations
  • References

3
Overviews
  • Why is NIDS speed-up needed?
    • The increase in network utilization
    • The weekly increase in the number of critical application-layer and OS-layer exploits
  • What are the NIDS bottleneck points?
    • Getting the packet off the wire
    • Clearing out the buffer to store packets
    • Pattern matching
    • Traffic types
  • How should a NIDS be designed in the development process?
    • NIDS designers must find ways to speed up their attack analysis techniques on a fully-saturated network while maintaining a good false alarm ratio

4
Reference Models
  • IETF Model
  • ISO/IEC Model

[Figure: IETF model with Data Source, Sensor, Analyzer, Manager, Operator and Administrator exchanging activity, event, alert, notification, response and security policy; ISO/IEC model with Raw Data Source, Sensor, Analysis, Data Storage and Response exchanging event and security policy]

Performance-Decision Factors
  • Event collecting parts: network bandwidths, protocol distributions, packet size distributions
  • Event transmitting parts: communication methods, transferred data sizes
  • Event analyzing parts: increased attack patterns, pattern matching algorithms
5
Design Principles
  • Need-to-Know TP (Target Profile)
  • Idea: a NIDS must collect only the packets necessary to judge abnormal activities
  • e.g. a TP can be constructed using OVAL (MITRE)

6
Design Principles cont.
  • High-Speed Internal Transmission
  • Idea: a NIDS must transmit the reduced data of collected packets to the analyzer at high speed

[Figure: (a) Pool Memory Queue Model; (b) Individual Memory Queue Model]
7
Design Principles cont.
  • Clone-Based Model
  • Idea: a NIDS must not rely on specific features when transmitting reduced data to the analyzer

[Figure: (a) Role-based Model; (b) Clone-based Model]
8
Design Principles cont.
  • MPM (Multi-Pattern Matching) Algorithm
  • Idea: a NIDS must adopt an efficient pattern matching algorithm according to the characteristics of the signatures
  • For a signature such as aaabbbccc, the KMP algorithm beats the BM algorithm, but in general the BM algorithm performs well
  • Extension of Patterns
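
As an added illustration of the KMP-versus-BM trade-off this slide refers to (example code, not from the presentation), the following Python snippet counts the byte comparisons each algorithm makes while scanning a constructed payload for a signature; Boyer-Moore-Horspool stands in for the full BM algorithm, and the signature and payloads used are constructed samples.

```python
# Added example, not from the presentation: count the byte comparisons KMP and
# Boyer-Moore-Horspool (a simplified BM) make while scanning a payload for a signature.

def kmp_search(pattern: bytes, text: bytes):
    """Return (index of first match or -1, number of byte comparisons)."""
    m = len(pattern)
    if m == 0:
        return 0, 0
    # Failure table: length of the longest proper prefix of pattern[:i+1] that is also its suffix.
    fail, k = [0] * m, 0
    for i in range(1, m):
        while k > 0 and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    comparisons, j = 0, 0
    for i, c in enumerate(text):
        while j > 0 and c != pattern[j]:   # mismatch: fall back via the table, never re-read text
            comparisons += 1
            j = fail[j - 1]
        comparisons += 1
        if c == pattern[j]:
            j += 1
            if j == m:
                return i - m + 1, comparisons
    return -1, comparisons


def horspool_search(pattern: bytes, text: bytes):
    """Boyer-Moore-Horspool: compare right-to-left, skip using the bad-character rule."""
    m, n = len(pattern), len(text)
    if m == 0 or m > n:
        return (0 if m == 0 else -1), 0
    # Shift for each byte = distance from its last occurrence (excluding the final byte) to the end.
    shift = {b: m - 1 - i for i, b in enumerate(pattern[:-1])}
    comparisons, pos = 0, 0
    while pos <= n - m:
        j = m - 1
        while j >= 0:
            comparisons += 1
            if text[pos + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            return pos, comparisons
        pos += shift.get(text[pos + m - 1], m)   # bytes absent from the pattern skip a full m
    return -1, comparisons
```

On a payload of unrelated bytes Horspool skips nine bytes per mismatch while KMP touches every byte, whereas on periodic data resembling the signature the skips shrink to one byte; comparing the two counts for a rule set's signatures is the kind of measurement the slide's choice rests on.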

9
Evaluations
  • Test Models
    • 180 Mbps background traffic (SmartBit-6000), 968 patterns (Snort), 590 attack events (IDS Informer)
  • Test Results

10
References
  • [1] Rebecca Bace and Peter Mell, Intrusion Detection Systems, NIST Special Publication 800-31, November 2001.
  • [2] Intrusion Detection Message Exchange Requirements, IETF/IDWG Internet-Drafts, October 22, 2002.
  • [3] IT Intrusion Detection Framework, ISO/IEC TR-15947, 1998.
  • [4] Neil Desai, Increasing Performance in High-Speed NIDS: A Look at Snort's Internals.
  • [5] LU Sheng, GONG Jian, RUI Suying, A Load Balancing Algorithm for High-Speed Intrusion Detection.
  • [6] C. J. Coit, S. Staniford, and J. McAlerney, Towards Faster Pattern Matching for Intrusion Detection or Exceeding the Speed of Snort, In Proc. 2nd DARPA Information Survivability Conference and Exposition, June 2001.
  • [7] Christian Charras and Thierry Lecroq, Handbook of Exact String Matching Algorithms, King's College London Publication.
  • [8] Snort, The Open Source Network Intrusion Detection System, http://www.snort.org
  • [9] Bro, A System for Detecting Network Intruders in Real-time, http://www.icir.org/vern/bro-info.html
  • [10] Patric Wang, Internet Worm and Vulnerability Trends, In Proc. 7th CONCERT Workshop, pp. 213-228, Seoul, Korea, November 2003.