DocumentCode
2458434
Title
On improving performance of Network Intrusion Detection Systems by efficient packet capturing
Author
Biswas, Amitava ; Sinha, Purnendu
Author_Institution
Dept. of Electr. & Comput. Eng., Concordia Univ., Montreal, Que.
fYear
2006
fDate
3-7 April 2006
Firstpage
1
Lastpage
4
Abstract
In a PC based network intrusion detection system (NIDS), the packet capturing component is a key bottleneck which reduces its effectiveness. NIDS deployments on multiprocessor or distributed systems that circumvent this bottleneck do not address the operating system performance limitations which are the causal factors behind this bottleneck. Completion of the intrusion detection task in bounded time at the sensors is also important to detect complex and co-ordinated attack patterns. Existing Linux based packet capturing solutions, NAPI and PFRING, are inefficient and have poor real-time performance. We have implemented a user space network interface (DMA ring) to capture packets under high network load on a modest commodity platform. DMA ring outperforms existing solutions in terms of higher load bearing, packet capturing capacity and superior real-time behavior. We proposed a scheme using DMA ring, which improves the performance of a user space NIDS.
Keywords
computer networks; security of data; telecommunication security; DMA ring; Linux based packet capturing solutions; NAPI; PC based network intrusion detection systems; PFRING; complex coordinated attack pattern detection; distributed system; load bearing; modest commodity platform; multiprocessor system; packet capturing capacity; packet capturing component; user space network interface; Intrusion detection; High bandwidth packet capture; performance improvement of Network Intrusion Detection System;
fLanguage
English
Publisher
IEEE
Conference_Titel
Network Operations and Management Symposium, 2006. NOMS 2006. 10th IEEE/IFIP
Conference_Location
Vancouver, BC
ISSN
1542-1201
Print_ISBN
1-4244-0142-9
Type
conf
DOI
10.1109/NOMS.2006.1687642
Filename
1687642