Improvement and parallelization of Snort network intrusion detection mechanism using graphics processing unit

Authors

Abstract:

Nowadays, Network Intrusion Detection Systems (NIDS) are widely used to provide full security on computer networks. IDS are categorized into two primary types, including signature-based systems and anomaly-based systems. The former is more commonly used than the latter due to its lower error rate. The core of a signature-based IDS is the pattern matching. This process is inherently a computationally intensive task, and in the worst case, about 80% of the total processing time of an IDS is spent on it. On the other hand, the rapid development of network bandwidth and high link speeds, which in turn leads to a loss of a large number of inbound packets in the network intrusion detection system, has posed challenges as crucial factors limiting the performance of this type of system. Snort is a signature-based NIDS that is highly interested due to being open-source, free, and easy to use. To resolve the challenges mentioned above, we propose an enhanced version of Snort, which is enriched by exploiting two key ideas. The first idea is the filtering of unnecessary packets based on a blacklist of source IP addresses. This filter is used as a preprocessing mechanism to improve the efficiency of the Snort. However, the packet filtering speed is decreased by increasing the network traffic volumes. Therefore, to accelerate the function of this mechanism, we have proposed a second crucial idea. The data-parallel nature of snort functions lets us parallelize two main computationally intensive functions of it on the graphical processing unit. These functions include the lookup on the blacklist filter in the preprocessing stage and the signature matching of Snort, which completes the intrusion detection process. For parallelizing the preprocessing step of Snort, first, a blacklist is provided from the DARPA dataset. Next, this blacklist is transferred together with the Snort ruleset to the global memory of the GPU. Finally, each thread concurrently matches each packet against the blacklist filters. For parallelizing the signature matching step of Snort, the well-known pattern matching algorithm of Boyer-Moore is parallelized similarly. Evaluation results show that the proposed method, by up to 30 times faster than the sequential version, significantly improves the blacklist-based filtering performance. Also, the efficiency of the proposed method in using GPU resources for parallel intrusion detection is 81 percent higher than the best state-of-the-art method.

Upgrade to premium to download articles

Sign up to access the full text

Already have an account?login

similar resources

Building intrusion pattern miner for Snort network intrusion detection system

In this paper, we enhance the functionalities of Snort network-based intrusion detection system to automatically generate patterns of misuse from attack data, and the ability of detecting sequential intrusion behaviors. To that, we implement an intrusion pattern discovery module which applies data mining technique to extract single intrusion patterns and sequential intrusion patterns from a col...

full text

Distributed Snort Network Intrusion Detection System with Load Balancing Approach

As we enjoy the conveniences that the Internet or computer networks have brought to us, the problems are getting larger, especially network security problems. A Network Intrusion Detection System (NIDS) is one of the critical components in a network nowadays. It can monitor and analyze activities of network users, and then uses knowledge of attack patterns to identify and prevent such attacks. ...

full text

A Hybrid Snort-Negative Selection Network Intrusion Detection Technique

Network Intrusion Detection Systems (NIDSs) are systems that monitor computer networks to detect, identify and prevent the malicious events, which attempt to compromise the integrity, confidentiality or availability of computer networks. The NIDS may be classified according to the detection technique into two types, the "Signature-Based" and "Anomaly-Based" NIDS. In order to increase the effici...

full text

Context-Based Intrusion Detection Using Snort, Nessus and Bugtraq Databases

Intrusion Detection Systems (IDS) use different techniques to reduce the number of false positives they generate. Simple network context information such as the communication session state has been added in IDS signatures to only raise alarms in the proper context. However, this is often not sufficient and more network context information needs to be added to these Stateful IDS (SIDS) signature...

full text

Gnort: High Performance Network Intrusion Detection Using Graphics Processors

The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to of...

full text

Rule Generalisation in Intrusion Detection Systems using Snort

Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS’s responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one popular and actively developing open-so...

full text

My Resources

Save resource for easier access later

Save to my library Already added to my library

{@ msg_add @}


Journal title

volume 18  issue 1

pages  150- 135

publication date 2021-05

By following a journal you will be notified via email when a new issue of this journal is published.

Keywords

No Keywords

Hosted on Doprax cloud platform doprax.com

copyright © 2015-2023