Operational experiences with high-volume network intrusion detection

25 October 2004

proceedings article
Published by Association for Computing Machinery (ACM)

p. 2-11
https://doi.org/10.1145/1030083.1030086

Abstract

In large-scale environments, network intrusion detection systems (NIDSs) face extreme challenges with respect to traffic volume, traffic diversity, and resource management. While crucial for acceptance and operational deployment, the research literature mainly omits such practical difficulties. In this paper, we offer an evaluation based on extensive operational experience. More specifically, we identify and explore key factors with respect to resource management and efficient packet processing and highlight their impact using a set of real-world traces. On the one hand, these insights help us gauge the trade-offs of tuning a NIDS. On the other hand, they motivate us to explore several novel ways of reducing resource requirements. These enable us to improve the state management considerably as well as balance the processing load dynamically. Overall this enables us to operate a NIDS successfully in our high-volume network environments.

Keywords

This publication has 8 references indexed in Scilit:

The spread of the Witty worm
IEEE Security & Privacy, 2004
Enhancing byte-level network intrusion detection signatures with context
Published by Association for Computing Machinery (ACM) ,2003
Inside the Slammer worm
IEEE Security & Privacy, 2003
Difficulties in simulating the Internet
IEEE/ACM Transactions on Networking, 2001
Bro: a system for detecting network intruders in real-time
Computer Networks, 1999
Data networks as cascades
Published by Association for Computing Machinery (ACM) ,1998
Self-similarity through high-variability: statistical analysis of Ethernet LAN traffic at the source level
IEEE/ACM Transactions on Networking, 1997
Empirically derived analytic models of wide-area TCP connections
IEEE/ACM Transactions on Networking, 1994