An active splitter architecture for intrusion detection and prevention

State-of-the-art high-speed network intrusion detection and prevention systems are often designed using multiple intrusion detection sensors operating in parallel coupled with a suitable front-end load-balancing traffic splitter. In this paper, we argue that, rather than just passively providing generic load distribution, traffic splitters should implement more active operations on the traffic stream, with the goal of reducing the load on the sensors. We present an active splitter architecture and three methods for improving performance. The first is early filtering/forwarding, where a fraction of the packets is processed on the splitter instead of the sensors. The second is the use of locality buffering, where the splitter reorders packets in a way that improves memory access locality on the sensors. The third is the use of cumulative acknowledgments, a method that optimizes the coordination between the traffic splitter and the sensors. Our experiments suggest that early filtering reduces the number of packets to be processed by 32 percent, giving an 8 percent increase in sensor performance, locality buffers improve sensor performance by 10-18 percent, while cumulative acknowledgments improve performance by 50-90 percent. We have also developed a prototype active splitter on an IXP1200 network processor and show that the cost of the proposed approach is reasonable.

Bibliographic details
Published in: IEEE transactions on dependable and secure computing, 2006-01, Vol. 3 (1), p. 31-44
Main authors: Xinidis, K., Charitakis, I., Antonatos, S., Anagnostakis, K.G., Markatos, E.P.
Format: Article
Language: eng
DOI: 10.1109/TDSC.2006.6
Publisher: Washington: IEEE
CODEN: ITDSCM
Pages: 14
Full text: https://ieeexplore.ieee.org/document/1593585
Rights: Copyright IEEE Computer Society Jan-Mar 2006
ISSN: 1545-5971
EISSN: 1941-0018
Source: IEEE Electronic Library (IEL)
Subjects: Alliances
Architecture
Central processing units
Computer networks
Costs
CPUs
Design
Filtering
Filtration
Flexibility
High-speed networks
Inspection
Intrusion
Intrusion detection
intrusion detection and prevention
Intrusion detection systems
network processors
Network security
Network-level security and protection
Networks
Optimization methods
Performance enhancement
Prevention
Protocols
Prototypes
Sensor systems
Sensors
Software
Studies
Telecommunication traffic
Traffic congestion
Traffic engineering
Traffic flow
Workloads
URL: https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-16T07%3A00%3A13IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=An%20active%20splitter%20architecture%20for%20intrusion%20detection%20and%20prevention&rft.jtitle=IEEE%20transactions%20on%20dependable%20and%20secure%20computing&rft.au=Xinidis,%20K.&rft.date=2006-01&rft.volume=3&rft.issue=1&rft.spage=31&rft.epage=44&rft.pages=31-44&rft.issn=1545-5971&rft.eissn=1941-0018&rft.coden=ITDSCM&rft_id=info:doi/10.1109/TDSC.2006.6&rft_dat=%3Cproquest_RIE%3E28029903%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=206516119&rft_id=info:pmid/&rft_ieee_id=1593585&rfr_iscdi=true