Article
DOI: 10.1145/1185347.1185372

Packet pre-filtering for network intrusion detection

Published: 03 December 2006

Abstract

As Intrusion Detection Systems (IDS) utilize more complex syntax to efficiently describe complex attacks, their processing requirements increase rapidly. Hardware and, even more, software platforms face difficulties in keeping up with the computationally intensive IDS tasks, and face overheads that can substantially diminish performance. In this paper we introduce a packet pre-filtering approach as a means to resolve, or at least alleviate, the increasing needs of current and future intrusion detection systems. We observe that it is very rare for a single incoming packet to fully or partially match more than a few tens of IDS rules. We capitalize on this observation by selecting a small portion of each IDS rule to be matched in the pre-filtering step. The result of this partial match is a small subset of rules that are candidates for a full match. Given this pruned set of rules that can apply to a packet, a second-stage, full-match engine can sustain higher throughput. We use DefCon traces and a recent Snort IDS rule-set, and show that matching the header and up to an 8-character prefix for each payload rule on each incoming packet can determine that on average 1.8 rules may apply to each packet, while the maximum number of rules to be checked across all packets is 32. Effectively, packet pre-filtering prevents matching at least 99% of the SNORT rules per packet and as a result minimizes processing and improves the scalability of the system. We also propose and evaluate the cost and performance of a reconfigurable architecture that uses multiple processing engines in order to exploit the benefits of pre-filtering.
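The two-stage scheme the abstract describes, as an added example that is not part of the paper or of Snort: a pre-filter matches each rule's header fields plus at most an 8-byte content prefix, hands only the surviving candidates to the full matcher, and reports the average and maximum candidate-set sizes the abstract uses as its metrics. The Rule/Packet models, the sample rule set and the packet trace are all constructed for illustration and assume nothing about Snort's real rule syntax.

```python
from collections import namedtuple

PREFIX_LEN = 8  # the abstract's "up to an 8-character prefix" per payload rule

# Minimal rule/packet models (constructed for this example, not Snort's format).
# dst_port None means "any port"; content b"" marks a header-only rule.
Rule = namedtuple("Rule", "sid proto dst_port content")
Packet = namedtuple("Packet", "proto dst_port payload")

def header_matches(rule, pkt):
    return rule.proto == pkt.proto and rule.dst_port in (None, pkt.dst_port)

def prefilter(rules, pkt, prefix_len=PREFIX_LEN):
    """Stage 1: keep rules whose header fields match and whose content prefix
    (at most prefix_len bytes) occurs in the payload. A prefix hit is only a
    hint for stage 2; a prefix miss is definitive, so nothing is lost here."""
    return [r for r in rules
            if header_matches(r, pkt) and r.content[:prefix_len] in pkt.payload]

def full_match(rule, pkt):
    """Stage 2: the complete pattern, run only over the pruned candidate set."""
    return header_matches(rule, pkt) and rule.content in pkt.payload

def prefilter_stats(rules, packets, prefix_len=PREFIX_LEN):
    """(average, maximum) candidate-set size over a trace, the two figures the
    abstract reports, while checking that every fully matching rule survived."""
    sizes = []
    for pkt in packets:
        cands = prefilter(rules, pkt, prefix_len)
        assert all(r in cands for r in rules if full_match(r, pkt))
        sizes.append(len(cands))
    return sum(sizes) / len(sizes), max(sizes)

# Constructed sample rule set and trace (not from the paper or any Snort release).
RULES = [
    Rule(1, "tcp", 80, b"GET /cgi-bin/phf?"),
    Rule(2, "tcp", 21, b"USER anonymous"),
    Rule(3, "udp", 53, b""),           # header-only rule: every DNS packet is a candidate
    Rule(4, "tcp", None, b"/bin/sh"),  # any TCP port
]
PACKETS = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\n"),                      # no candidates
    Packet("tcp", 80, b"GET /cgi-bin/phf?Qalias=x%0a/bin/sh HTTP/1.0\r\n"),  # rules 1 and 4
    Packet("tcp", 80, b"GET /cgi-bin/test.cgi HTTP/1.0\r\n"),  # prefix hit on rule 1; stage 2 rejects
    Packet("tcp", 21, b"USER anonymous\r\n"),
    Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    avg, worst = prefilter_stats(RULES, PACKETS)
    print(f"average candidates per packet: {avg:.1f}, maximum: {worst}")  # 1.0, 2
```

Lengthening the prefix (for example `prefilter(RULES, PACKETS[2], prefix_len=16)`) removes the spurious candidate on the third packet, which is the cost/precision trade-off the abstract's 8-character choice sits on.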



Published In

ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
December 2006
202 pages
ISBN: 1595935800
DOI: 10.1145/1185347
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. intrusion detection
2. packet inspection
3. packet pre-filtering

Acceptance Rates

Overall Acceptance Rate: 88 of 314 submissions, 28%
