Master's thesis, 國立中正大學 (National Chung Cheng University), Graduate Institute of Computer Science and Information Engineering, year 99.

Summary: Designing a high-speed NIDS (network intrusion detection system) has attracted much attention over recent years because of the ever-increasing amount of network traffic and ever more complicated attacks. Studying NIDS performance in depth is an important step toward a high-speed design. This work studies how NIDS performance varies with the input network traffic, including malicious traffic, and with the system configuration, based on detailed profiling of two popular NIDSs, Snort and Bro. According to the profiling, analyzing the payloads (primarily pattern matching in Snort and executing the policy scripts in Bro) can dominate the execution time for most packet traces. Moreover, connection tracking and packet reassembly can also be time-consuming if they are invoked frequently. Therefore, a robust high-speed NIDS design can focus on improving payload analysis and preprocessing, particularly packet reassembly. We also demonstrate that aggregating the profiling results can predict the results for bulk network traffic in a real environment. In other words, it is feasible to identify the traffic types composing the bulk traffic, analyze a sample of each type individually, and extrapolate the performance for the total traffic.
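The extrapolation method described in the summary, as an added illustration that is not part of the thesis: per-stage costs profiled on a sample of each traffic type are weighted by that type's share of the bulk trace to predict the bulk execution time and the dominant stage. The stage names, traffic types and per-packet costs below are constructed for the example, not measurements from Snort or Bro.

```python
# Added example (not from the thesis): extrapolate bulk-traffic NIDS cost from
# per-type profiling samples. All numbers here are constructed, not measured.
from typing import Dict

# Processing stages, following the breakdown used in the summary.
STAGES = ("conn_tracking", "reassembly", "payload_analysis", "other")

# Constructed per-type profiles: traffic type -> stage -> microseconds per packet,
# as if each were obtained by profiling a small trace of that single type.
PROFILES: Dict[str, Dict[str, float]] = {
    "http": {"conn_tracking": 0.8, "reassembly": 1.5, "payload_analysis": 6.0, "other": 0.7},
    "dns":  {"conn_tracking": 0.5, "reassembly": 0.0, "payload_analysis": 1.2, "other": 0.3},
    "smtp": {"conn_tracking": 0.9, "reassembly": 2.5, "payload_analysis": 4.5, "other": 0.6},
}


def extrapolate(profiles: Dict[str, Dict[str, float]],
                mix: Dict[str, float], total_packets: int) -> dict:
    """Predict per-stage and total execution time (microseconds) for a bulk trace.

    mix maps traffic type -> fraction of packets of that type in the bulk trace.
    Each stage's bulk cost is the mix-weighted sum of the per-type sample costs.
    """
    if abs(sum(mix.values()) - 1.0) > 1e-9:
        raise ValueError("traffic mix fractions must sum to 1")
    per_stage = {stage: 0.0 for stage in STAGES}
    for ttype, frac in mix.items():
        profile = profiles[ttype]
        for stage in STAGES:
            per_stage[stage] += frac * total_packets * profile[stage]
    total = sum(per_stage.values())
    # The stage with the largest share is where a high-speed design should focus.
    dominant = max(per_stage, key=per_stage.get)
    return {"per_stage": per_stage, "total_us": total, "dominant": dominant}


def stage_share(result: dict, stage: str) -> float:
    """Fraction of predicted bulk execution time spent in one stage."""
    return result["per_stage"][stage] / result["total_us"]


def prediction_error(predicted_us: float, measured_us: float) -> float:
    """Relative error of the extrapolation against a measurement of the bulk trace."""
    return abs(predicted_us - measured_us) / measured_us


if __name__ == "__main__":
    res = extrapolate(PROFILES, {"http": 0.6, "dns": 0.3, "smtp": 0.1}, 1000)
    print(res["total_us"], res["dominant"], round(stage_share(res, "payload_analysis"), 3))
```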