Dissecting NIDS Performance with Detailed Profiling

• Main Authors: Lee,Jiahau, 李家豪
• Other Authors: Lin,Poching
• Format: Others
• Language: en_US
• Published: 2011
• Online Access: http://ndltd.ncl.edu.tw/handle/62379745612344715808

碩士 === 國立中正大學 === 資訊工程研究所 === 99 === Designing a high-speed NIDS (network intrusion detection system) has attracted much attention over recent years due to ever-increasing amount of network trac and ever-complicated attacks. Deeply studying the NIDS performance is an important step toward a high-speed design. This work studies how the NIDS performance can vary with input network traffic, in- cluding malicious trac, and system configuration, based on detailed pro- filing with two popular NIDSs, Snort and Bro. According to the profiling, we find analyzing the payloads (primarily pattern matching in Snort and executing the policy scripts in Bro) can dominate the execution time for most of packet traces. Moreover, connection tracking and packet reassembly can be also time-consuming if they are frequently invoked. Therefore, a ro- bust high-speed NIDS design can focus on improving payload analysis and preprocessing, particularly packet reassembly. We also demonstrated that aggregating the profiling results can be used to predict the results for bulk network traffic in a real environment. In other words, it is feasible to watch the composing traffic types in the bulk traffic and individually analyzing the sample of each type to extrapolate the performance for the total traffic.