Title :
Exploiting independent state for network intrusion detection
Author :
Sommer, Robin ; Paxson, Vern
Author_Institution :
TU Munchen, Garching
Abstract :
Network intrusion detection systems (NIDSs) critically rely on processing a great deal of state. Often much of this state resides solely in the volatile processor memory accessible to a single user-level process on a single machine. In this work, we highlight the power of independent state, i.e., internal fine-grained state that can be propagated from one instance of a NIDS to others running either concurrently or subsequently. Independent state provides us with a wealth of possible applications that hold promise for enhancing the capabilities of NIDSs. We discuss an implementation of independent state for the Bro NIDS and examine how we can then leverage independent state for distributed processing, load parallelization, selective preservation of state across restarts and crashes, dynamic reconfiguration, high level policy maintenance, and support for profiling and debugging. We have experimented with each of these applications in several large environments and are now working to integrate them into the sites´ operational monitoring. A performance evaluation shows that our implementation is suitable for use even in large scale environments
Keywords :
computer networks; security of data; telecommunication security; distributed processing; dynamic reconfiguration; independent state; internal fine-grained state; load parallelization; network intrusion detection system; operational site monitoring; performance evaluation; selective state preservation; user-level process; volatile processor memory; Algorithm design and analysis; Computer crashes; Debugging; Detection algorithms; Distributed processing; Environmental management; Intrusion detection; Large-scale systems; Monitoring; Protocols;
Conference_Titel :
Computer Security Applications Conference, 21st Annual
Conference_Location :
Tucson, AZ
Print_ISBN :
0-7695-2461-3
DOI :
10.1109/CSAC.2005.24
