Research Article
Smart Logic - Preventing Packet Loss in High Speed Network Intrusion Detection Systems
@INPROCEEDINGS{10.1007/978-3-642-11530-1_7, author={Ahsan Subhan and Monis Akhlaq and Faeiz Alserhani and Irfan Awan and John Mellor and Andrea Cullen and Pravin Mirchandani}, title={Smart Logic - Preventing Packet Loss in High Speed Network Intrusion Detection Systems}, proceedings={Information Security and Digital Forensics. First International Conference, ISDF 2009, London, United Kingdom, September 7-9, 2009, Revised Selected Papers}, proceedings_a={ISDF}, year={2012}, month={5}, keywords={Network intrusion detection systems, network performance, packet drop, Snort, serialization}, doi={10.1007/978-3-642-11530-1_7} }
- Ahsan Subhan
- Monis Akhlaq
- Faeiz Alserhani
- Irfan Awan
- John Mellor
- Andrea Cullen
- Pravin Mirchandani
Year: 2012
Smart Logic - Preventing Packet Loss in High Speed Network Intrusion Detection Systems
ISDF
Springer
DOI: 10.1007/978-3-642-11530-1_7
Abstract
Network Intrusion Detection Systems (NIDS) have gained substantial importance in today's network security infrastructure, but their performance under modern traffic conditions is limited: such systems have been observed to become ineffective at bandwidths of only a few hundred megabits per second, and packet drop is considered the major bottleneck. In [1, 2] we identified a strong performance limitation of the open source Intrusion Detection System (IDS) Snort, whose throughput was found to depend heavily on the host machine configuration; the response of Snort under heavy traffic has opened a debate on its implementation and usage. We have developed the Smart Logic component to reduce the impact of packet drop in a NIDS subjected to heavy traffic volume. The proposed architecture applies packet capturing at several processing stages shared between the NIDS and the packet handling applications. It regains the lost traffic by comparing the packets the NIDS actually analysed with the input stream; the recaptured packets are then re-evaluated by a serialized IDS mechanism, reducing the impact of the packet loss incurred in a routine deployment. The architecture has been implemented and tested on a scalable and sophisticated test bench replicating modern day network traffic. Our effort has shown a noticeable improvement in the performance of Snort and has significantly improved its detection capacity.
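The abstract describes the Smart Logic idea in two steps: reconcile the full input stream against the set of packets the NIDS managed to analyse to recover what was dropped, then run the recovered packets through a second, serialized detection pass. The Python below is an added illustration of that reconciliation logic written for this page; it is not the authors' implementation and makes no claim about how Smart Logic or Snort are actually wired together. The packet records, the two malicious patterns in `SIGNATURES` and the single-packet `detect` function are all constructed for the example. Packets are matched by a fingerprint over headers and payload rather than by capture timestamp, because the two capture points (the raw tap and the IDS input) will not agree on timestamps, and legitimate duplicates such as TCP retransmissions are tracked with multiplicity so that they are not reported as drops.

```python
"""Illustrative reconciliation of a full packet capture against what a NIDS analysed.

Added example (not the paper's code). Models the Smart Logic step of finding
the packets an overloaded IDS never inspected and re-evaluating them separately.
"""
from collections import Counter
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp (differs between capture points, so not fingerprinted)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


def fingerprint(pkt: Packet) -> str:
    """Identity of a packet across capture points: 5-tuple plus payload hash."""
    h = hashlib.sha256()
    h.update(f"{pkt.src}|{pkt.dst}|{pkt.sport}|{pkt.dport}|{pkt.proto}|".encode())
    h.update(pkt.payload)
    return h.hexdigest()


def find_dropped(input_stream, analysed):
    """Packets present in the raw input stream but absent from the IDS's analysed set.

    A multiset is used so that N identical packets (retransmissions) in the input
    are only flagged when the IDS saw fewer than N copies.
    """
    seen = Counter(fingerprint(p) for p in analysed)
    dropped = []
    for pkt in input_stream:
        fp = fingerprint(pkt)
        if seen[fp] > 0:
            seen[fp] -= 1
        else:
            dropped.append(pkt)
    return dropped


# Constructed, deliberately tiny signature set standing in for a real rule base.
SIGNATURES = [
    ("directory traversal", b"GET /../../etc/passwd"),
    ("nop sled", b"\x90" * 8),
]


def detect(packets):
    """Second-pass detection over recovered packets; returns (rule name, fingerprint prefix)."""
    alerts = []
    for pkt in packets:
        for name, pattern in SIGNATURES:
            if pattern in pkt.payload:
                alerts.append((name, fingerprint(pkt)[:8]))
    return alerts


def serialized_pass(input_stream, analysed):
    """Recover dropped packets, then evaluate only those in a separate pass."""
    dropped = find_dropped(input_stream, analysed)
    return dropped, detect(dropped)


# Constructed sample traffic: six packets on the wire, the IDS only processed four.
INPUT_STREAM = [
    Packet(1.0, "10.0.0.1", "10.0.0.2", 40000, 80, "tcp", b"GET / HTTP/1.1"),
    Packet(1.1, "10.0.0.3", "10.0.0.2", 40001, 80, "tcp", b"GET /../../etc/passwd HTTP/1.1"),
    Packet(1.2, "10.0.0.1", "10.0.0.2", 40000, 80, "tcp", b"GET / HTTP/1.1"),  # retransmission
    Packet(1.3, "10.0.0.4", "10.0.0.2", 5353, 53, "udp", b"dns query"),
    Packet(1.4, "10.0.0.5", "10.0.0.2", 40002, 443, "tcp", b"\x16\x03\x01"),
    Packet(1.5, "10.0.0.6", "10.0.0.2", 40003, 22, "tcp", b"\x90" * 8 + b"\xcc"),
]
# The IDS-side capture: both copies of the retransmitted request, DNS and TLS
# survived; the traversal attempt and the NOP-sled packet were dropped under load.
ANALYSED = [INPUT_STREAM[0], INPUT_STREAM[2], INPUT_STREAM[3], INPUT_STREAM[4]]


if __name__ == "__main__":
    dropped, alerts = serialized_pass(INPUT_STREAM, ANALYSED)
    print(f"{len(dropped)} of {len(INPUT_STREAM)} packets were never analysed")
    for name, fp in alerts:
        print(f"alert from second pass: {name} (packet {fp})")
```

The point the example makes is the one the abstract argues: both alerts here come from packets the primary pass never saw, so without the recovery step the detection rate would silently fall with the drop rate. In a real deployment the comparison would run over bounded time windows rather than whole captures, and the fingerprint would need to tolerate any header rewriting that happens between the two capture points.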