DocumentCode :
2415335
Title :
Design Consideration and Implementation of Portscan Detection Module on NP-Based IDS
Author :
Xu, Xiancheng ; Zhang, Ling ; Dong, Shoubin
Author_Institution :
Commun. & Comput. Network Lab. of Guangdong, South China Univ. of Technol., Guangzhou, China
fYear :
2010
fDate :
7-9 May 2010
Firstpage :
1323
Lastpage :
1326
Abstract :
In this paper we describe the design considerations and implementation of the portscan detection module for TCP analysis in SCUT NIDS. The aim of the portscan module is to take immediate action in response to alerts generated by SCUT NIDS to protect the system from portscan attacks. The portscan module is required to maintain TCP connection records. The design of such a connection table is not trivial for a high-speed IDS with a large number of active connections and a high packet arrival rate, especially on a resource-constrained Intel IXP2400 network processor. After comparing various design options, we adapted a hash table data structure, employing the special hardware unit to assist in calculating a hash over our unique ascending-order quadruple, which works in a quite simple but efficient way that is totally different from the Snort scheme. Our design not only differentiates both directions of a TCP connection, and thus eliminates an unwanted additional search operation, but also avoids data corruption and greatly reduces the probability of hash collisions. In order to improve the allocation/deallocation procedure for TCP connection nodes in our IDS system, we further devised a large management stack cached with a local memory buffer, which fully exploits the specialized network processor architecture and optimizes the use of various types of memory with different speeds and sizes. The theoretical analysis and experiments confirmed that the combination of a large conventional hash table-based search and an array-based stack with caching improves the performance significantly.
Keywords :
cache storage; computer network security; cryptography; parallel processing; transport protocols; NP based IDS; SCUT NIDS; TCP; array based stack; hash table; network processor architecture; portscan detection module; stack caching; Context; Delay; IP networks; Intrusion detection; Memory management; Random access memory; Resource management; IDS; hash table; network processor; stack and cache;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
E-Business and E-Government (ICEE), 2010 International Conference on
Conference_Location :
Guangzhou
Print_ISBN :
978-0-7695-3997-3
Type :
conf
DOI :
10.1109/ICEE.2010.338
Filename :
5591627