Research Article
Virtualization Efficacy for Network Intrusion Detection Systems in High Speed Environment
@INPROCEEDINGS{10.1007/978-3-642-11530-1_4,
  author={Monis Akhlaq and Faeiz Alserhani and Irfan Awan and John Mellor and Andrea Cullen and Pravin Mirchandani},
  title={Virtualization Efficacy for Network Intrusion Detection Systems in High Speed Environment},
  proceedings={Information Security and Digital Forensics. First International Conference, ISDF 2009, London, United Kingdom, September 7-9, 2009, Revised Selected Papers},
  proceedings_a={ISDF},
  year={2012},
  month={5},
  keywords={Network intrusion detection systems operating systems performance evaluation Snort virtualization},
  doi={10.1007/978-3-642-11530-1_4}
}
- Monis Akhlaq
- Faeiz Alserhani
- Irfan Awan
- John Mellor
- Andrea Cullen
- Pravin Mirchandani
Year: 2012
ISDF
Springer
DOI: 10.1007/978-3-642-11530-1_4
Abstract
The virtualization concept was developed a few decades back to facilitate the sharing of expensive and robust mainframe hardware among different applications. In the current scenario, virtualization has gone through a conceptual transformation from cost effectiveness to resource sharing. The research community has found virtualization to be reliable, multipurpose and adaptable. This has enabled a single system to dynamically map its resources among multiple instances of operating systems running numerous applications. The concept has been adopted on platforms dealing with network performance, application analysis, system design, network security and storage issues. This research work has focussed on analysing the efficacy of the virtualization concept for Network Intrusion Detection Systems (NIDS) in the high-speed environment. We have selected an open source NIDS, Snort, for evaluation. Snort has been evaluated on virtual systems built on Windows XP SP2, Linux 2.6 and FreeBSD 7.1 platforms. The test-bench is considered to be extremely sophisticated, ensuring current day network requirements. The evaluation has been targeted at the packet-handling capacity of operating systems/applications (Snort) under different traffic conditions and on similar hardware platforms. Our results have identified a strong performance limitation of NIDS running on virtual platforms. It can be easily ascertained that virtual platforms are not ideal for NIDS in high-speed environments. Finally, the analysis has also identified the factors responsible for the unsatisfactory performance of IDS (Snort) on a virtual platform.