Viable Network Intrusion Detection in High-Performance Environments

Network intrusion detection systems (NIDS) continuously monitor network traffic for malicious activity, raising alerts when they detect attacks. However, high-performance Gbps networks pose major challenges for these systems. Despite vendor promises, they often fail to work reliably in such environments. In this work, we set out to understand the trade-offs involved in network intrusion detection, and we mitigate the impact of their choice on operational security monitoring. We base our study on extensive experience with several large-scale network environments, including the Munich Scientific Network and the backbone of the University of California at Berkeley. In such networks, we find an immense traffic diversity which requires a NIDS to deal robustly with unexpected situations. However, to accommodate any conceivable situation, a NIDS would need an unlimited supply of CPU cycles and memory. Thus, the operator of the system needs to trade off the quality of the detection against resource demands. To provide the necessary tuning options, we devise several new mechanisms which allow operators to choose this trade-off according to the policy of a particular environment. Moreover, we enable a NIDS to transparently share its state across instances, thereby multiplying the available amount of resources. Another major trade-off that a NIDS faces is the decision when to alert: if it reports anything which could potentially be malicious, it will generate an unmanageable number of alerts; if it reports only the most obvious attacks, it will miss some. To improve the precision of the detection, we enable a NIDS to incorporate different kinds of network context into its analysis. Such contextual information can either be derived during operation or provided externally, e.g., by host applications.
