On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures

On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures

Signature-based Network Intrusion Detection Systems (NIDS) have become state-of-the-art in modern network security solutions. However, most systems are not designed for modern high-speed network links. In the field of network monitoring, an alternative solution has become the choice for such high-sp...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:IEEE transactions on dependable and secure computing 2022-01, Vol.19 (1), p.495-506
Hauptverfasser: Erlacher, Felix, Dressler, Falko
Format: Artikel
Sprache:eng
Schlagworte:
flow monitoring
Hardware
High speed
high-speed networks
Internet
Intrusion detection
Intrusion detection systems
IP (Internet Protocol)
Monitoring
Network security
Pattern matching
Payloads
Protocols
Security
Signatures
Throughput
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page 506
container_issue 1
container_start_page 495
container_title IEEE transactions on dependable and secure computing
container_volume 19
creator Erlacher, Felix
Dressler, Falko
description Signature-based Network Intrusion Detection Systems (NIDS) have become state-of-the-art in modern network security solutions. However, most systems are not designed for modern high-speed network links. In the field of network monitoring, an alternative solution has become the choice for such high-speed networks. Flow-monitoring, typically based on the Internet Protocol Flow Information Export (IPFIX) standard, now goes well beyond collecting statistical information about network connections. Current solutions are even able to include selected parts of the payload in these Flows to be used in conjunction with NIDS. Recently, we extended this concept to application layer HTTP Flows. We now present our improved version of the IPFIX-based Signature-based Intrusion Detection System (FIXIDS). Fixids makes use of HTTP intrusion detection signatures from the popular Snort system and applies them to incoming IPFIX-conforming HTTP Flows. Our evaluation shows that Fixids can deal with four times higher network data rates without drops compared to Snort, while maintaining the same event detection rate. Furthermore, a substantial part of the data traffic can be outsourced to Fixids so that Snort can be relieved of a significant portion of rules and traffic. This increases both the detection rate and the data rate the overall security appliance can handle.
doi_str_mv 10.1109/TDSC.2020.2973992
format Article
fullrecord <record><control><sourceid>proquest_RIE</sourceid><recordid>TN_cdi_proquest_journals_2619588859</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>8999496</ieee_id><sourcerecordid>2619588859</sourcerecordid><originalsourceid>FETCH-LOGICAL-c293t-81718b3805363c90727e3b0b249bd351775fb6237fc1a06fda9b079fd9f1f2793</originalsourceid><addsrcrecordid>eNo9kMtOwzAQRS0EEqXwAYhNJNYufsSxZwkppZUquki7tvKwS6o2CbYjxN-TqBWrOYt770gHoUdKZpQSeNnOs3TGCCMzBpIDsCs0oRBTTAhV1wOLWGABkt6iO-8PhLBYQTxBn5smWtb7L5x1xlTR4tj-4LfcD7hqgut93TbR3ARThpF2vm72Uda0LuC0PXV5qIujibJ63-Shd8bfoxubH715uNwp2i3et-kSrzcfq_R1jUsGPGBFJVUFV0TwhJdAJJOGF6RgMRQVF1RKYYuEcWlLmpPEVjkURIKtwFLLJPApej7vdq797o0P-tD2rhleapZQEEopMaboOVW61ntnrO5cfcrdr6ZEj9r0qE2P2vRF29B5OndqY8x_XgFADAn_AykgZ8o</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2619588859</pqid></control><display><type>article</type><title>On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures</title><source>IEEE Electronic Library (IEL)</source><creator>Erlacher, Felix ; Dressler, Falko</creator><creatorcontrib>Erlacher, Felix ; Dressler, Falko</creatorcontrib><description>Signature-based Network Intrusion Detection Systems (NIDS) have become state-of-the-art in modern network security solutions. However, most systems are not designed for modern high-speed network links. In the field of network monitoring, an alternative solution has become the choice for such high-speed networks. Flow-monitoring, typically based on the Internet Protocol Flow Information Export (IPFIX) standard, now goes well beyond collecting statistical information about network connections. Current solutions are even able to include selected parts of the payload in these Flows to be used in conjunction with NIDS. Recently, we extended this concept to application layer HTTP Flows. We now present our improved version of the IPFIX-based Signature-based Intrusion Detection System (FIXIDS). Fixids makes use of HTTP intrusion detection signatures from the popular Snort system and applies them to incoming IPFIX-conforming HTTP Flows. Our evaluation shows that Fixids can deal with four times higher network data rates without drops compared to Snort, while maintaining the same event detection rate. Furthermore, a substantial part of the data traffic can be outsourced to Fixids so that Snort can be relieved of a significant portion of rules and traffic. This increases both the detection rate and the data rate the overall security appliance can handle.</description><identifier>ISSN: 1545-5971</identifier><identifier>EISSN: 1941-0018</identifier><identifier>DOI: 10.1109/TDSC.2020.2973992</identifier><identifier>CODEN: ITDSCM</identifier><language>eng</language><publisher>Washington: IEEE</publisher><subject>flow monitoring ; Hardware ; High speed ; high-speed networks ; Internet ; Intrusion detection ; Intrusion detection systems ; IP (Internet Protocol) ; Monitoring ; Network security ; Pattern matching ; Payloads ; Protocols ; Security ; Signatures ; Throughput</subject><ispartof>IEEE transactions on dependable and secure computing, 2022-01, Vol.19 (1), p.495-506</ispartof><rights>Copyright IEEE Computer Society 2022</rights><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c293t-81718b3805363c90727e3b0b249bd351775fb6237fc1a06fda9b079fd9f1f2793</citedby><cites>FETCH-LOGICAL-c293t-81718b3805363c90727e3b0b249bd351775fb6237fc1a06fda9b079fd9f1f2793</cites><orcidid>0000-0002-1989-1750 ; 0000-0001-5169-3060</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/8999496$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>314,780,784,796,27924,27925,54758</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/8999496$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Erlacher, Felix</creatorcontrib><creatorcontrib>Dressler, Falko</creatorcontrib><title>On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures</title><title>IEEE transactions on dependable and secure computing</title><addtitle>TDSC</addtitle><description>Signature-based Network Intrusion Detection Systems (NIDS) have become state-of-the-art in modern network security solutions. However, most systems are not designed for modern high-speed network links. In the field of network monitoring, an alternative solution has become the choice for such high-speed networks. Flow-monitoring, typically based on the Internet Protocol Flow Information Export (IPFIX) standard, now goes well beyond collecting statistical information about network connections. Current solutions are even able to include selected parts of the payload in these Flows to be used in conjunction with NIDS. Recently, we extended this concept to application layer HTTP Flows. We now present our improved version of the IPFIX-based Signature-based Intrusion Detection System (FIXIDS). Fixids makes use of HTTP intrusion detection signatures from the popular Snort system and applies them to incoming IPFIX-conforming HTTP Flows. Our evaluation shows that Fixids can deal with four times higher network data rates without drops compared to Snort, while maintaining the same event detection rate. Furthermore, a substantial part of the data traffic can be outsourced to Fixids so that Snort can be relieved of a significant portion of rules and traffic. This increases both the detection rate and the data rate the overall security appliance can handle.</description><subject>flow monitoring</subject><subject>Hardware</subject><subject>High speed</subject><subject>high-speed networks</subject><subject>Internet</subject><subject>Intrusion detection</subject><subject>Intrusion detection systems</subject><subject>IP (Internet Protocol)</subject><subject>Monitoring</subject><subject>Network security</subject><subject>Pattern matching</subject><subject>Payloads</subject><subject>Protocols</subject><subject>Security</subject><subject>Signatures</subject><subject>Throughput</subject><issn>1545-5971</issn><issn>1941-0018</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2022</creationdate><recordtype>article</recordtype><sourceid>RIE</sourceid><recordid>eNo9kMtOwzAQRS0EEqXwAYhNJNYufsSxZwkppZUquki7tvKwS6o2CbYjxN-TqBWrOYt770gHoUdKZpQSeNnOs3TGCCMzBpIDsCs0oRBTTAhV1wOLWGABkt6iO-8PhLBYQTxBn5smWtb7L5x1xlTR4tj-4LfcD7hqgut93TbR3ARThpF2vm72Uda0LuC0PXV5qIujibJ63-Shd8bfoxubH715uNwp2i3et-kSrzcfq_R1jUsGPGBFJVUFV0TwhJdAJJOGF6RgMRQVF1RKYYuEcWlLmpPEVjkURIKtwFLLJPApej7vdq797o0P-tD2rhleapZQEEopMaboOVW61ntnrO5cfcrdr6ZEj9r0qE2P2vRF29B5OndqY8x_XgFADAn_AykgZ8o</recordid><startdate>202201</startdate><enddate>202201</enddate><creator>Erlacher, Felix</creator><creator>Dressler, Falko</creator><general>IEEE</general><general>IEEE Computer Society</general><scope>97E</scope><scope>RIA</scope><scope>RIE</scope><scope>AAYXX</scope><scope>CITATION</scope><scope>JQ2</scope><orcidid>https://orcid.org/0000-0002-1989-1750</orcidid><orcidid>https://orcid.org/0000-0001-5169-3060</orcidid></search><sort><creationdate>202201</creationdate><title>On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures</title><author>Erlacher, Felix ; Dressler, Falko</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c293t-81718b3805363c90727e3b0b249bd351775fb6237fc1a06fda9b079fd9f1f2793</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2022</creationdate><topic>flow monitoring</topic><topic>Hardware</topic><topic>High speed</topic><topic>high-speed networks</topic><topic>Internet</topic><topic>Intrusion detection</topic><topic>Intrusion detection systems</topic><topic>IP (Internet Protocol)</topic><topic>Monitoring</topic><topic>Network security</topic><topic>Pattern matching</topic><topic>Payloads</topic><topic>Protocols</topic><topic>Security</topic><topic>Signatures</topic><topic>Throughput</topic><toplevel>online_resources</toplevel><creatorcontrib>Erlacher, Felix</creatorcontrib><creatorcontrib>Dressler, Falko</creatorcontrib><collection>IEEE All-Society Periodicals Package (ASPP) 2005-present</collection><collection>IEEE All-Society Periodicals Package (ASPP) 1998-Present</collection><collection>IEEE Electronic Library (IEL)</collection><collection>CrossRef</collection><collection>ProQuest Computer Science Collection</collection><jtitle>IEEE transactions on dependable and secure computing</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Erlacher, Felix</au><au>Dressler, Falko</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures</atitle><jtitle>IEEE transactions on dependable and secure computing</jtitle><stitle>TDSC</stitle><date>2022-01</date><risdate>2022</risdate><volume>19</volume><issue>1</issue><spage>495</spage><epage>506</epage><pages>495-506</pages><issn>1545-5971</issn><eissn>1941-0018</eissn><coden>ITDSCM</coden><abstract>Signature-based Network Intrusion Detection Systems (NIDS) have become state-of-the-art in modern network security solutions. However, most systems are not designed for modern high-speed network links. In the field of network monitoring, an alternative solution has become the choice for such high-speed networks. Flow-monitoring, typically based on the Internet Protocol Flow Information Export (IPFIX) standard, now goes well beyond collecting statistical information about network connections. Current solutions are even able to include selected parts of the payload in these Flows to be used in conjunction with NIDS. Recently, we extended this concept to application layer HTTP Flows. We now present our improved version of the IPFIX-based Signature-based Intrusion Detection System (FIXIDS). Fixids makes use of HTTP intrusion detection signatures from the popular Snort system and applies them to incoming IPFIX-conforming HTTP Flows. Our evaluation shows that Fixids can deal with four times higher network data rates without drops compared to Snort, while maintaining the same event detection rate. Furthermore, a substantial part of the data traffic can be outsourced to Fixids so that Snort can be relieved of a significant portion of rules and traffic. This increases both the detection rate and the data rate the overall security appliance can handle.</abstract><cop>Washington</cop><pub>IEEE</pub><doi>10.1109/TDSC.2020.2973992</doi><tpages>12</tpages><orcidid>https://orcid.org/0000-0002-1989-1750</orcidid><orcidid>https://orcid.org/0000-0001-5169-3060</orcidid></addata></record>
fulltext fulltext_linktorsrc
identifier ISSN: 1545-5971
ispartof IEEE transactions on dependable and secure computing, 2022-01, Vol.19 (1), p.495-506
issn 1545-5971
1941-0018
language eng
recordid cdi_proquest_journals_2619588859
source IEEE Electronic Library (IEL)
subjects flow monitoring
Hardware
High speed
high-speed networks
Internet
Intrusion detection
Intrusion detection systems
IP (Internet Protocol)
Monitoring
Network security
Pattern matching
Payloads
Protocols
Security
Signatures
Throughput
title On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-26T05%3A25%3A32IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=On%20High-Speed%20Flow-Based%20Intrusion%20Detection%20Using%20Snort-Compatible%20Signatures&rft.jtitle=IEEE%20transactions%20on%20dependable%20and%20secure%20computing&rft.au=Erlacher,%20Felix&rft.date=2022-01&rft.volume=19&rft.issue=1&rft.spage=495&rft.epage=506&rft.pages=495-506&rft.issn=1545-5971&rft.eissn=1941-0018&rft.coden=ITDSCM&rft_id=info:doi/10.1109/TDSC.2020.2973992&rft_dat=%3Cproquest_RIE%3E2619588859%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2619588859&rft_id=info:pmid/&rft_ieee_id=8999496&rfr_iscdi=true