Improvement and parallelization of Snort network intrusion detection mechanism using graphics processing unit
نویسندگان
چکیده مقاله:
Nowadays, Network Intrusion Detection Systems (NIDS) are widely used to provide full security on computer networks. IDS are categorized into two primary types, including signature-based systems and anomaly-based systems. The former is more commonly used than the latter due to its lower error rate. The core of a signature-based IDS is the pattern matching. This process is inherently a computationally intensive task, and in the worst case, about 80% of the total processing time of an IDS is spent on it. On the other hand, the rapid development of network bandwidth and high link speeds, which in turn leads to a loss of a large number of inbound packets in the network intrusion detection system, has posed challenges as crucial factors limiting the performance of this type of system. Snort is a signature-based NIDS that is highly interested due to being open-source, free, and easy to use. To resolve the challenges mentioned above, we propose an enhanced version of Snort, which is enriched by exploiting two key ideas. The first idea is the filtering of unnecessary packets based on a blacklist of source IP addresses. This filter is used as a preprocessing mechanism to improve the efficiency of the Snort. However, the packet filtering speed is decreased by increasing the network traffic volumes. Therefore, to accelerate the function of this mechanism, we have proposed a second crucial idea. The data-parallel nature of snort functions lets us parallelize two main computationally intensive functions of it on the graphical processing unit. These functions include the lookup on the blacklist filter in the preprocessing stage and the signature matching of Snort, which completes the intrusion detection process. For parallelizing the preprocessing step of Snort, first, a blacklist is provided from the DARPA dataset. Next, this blacklist is transferred together with the Snort ruleset to the global memory of the GPU. Finally, each thread concurrently matches each packet against the blacklist filters. For parallelizing the signature matching step of Snort, the well-known pattern matching algorithm of Boyer-Moore is parallelized similarly. Evaluation results show that the proposed method, by up to 30 times faster than the sequential version, significantly improves the blacklist-based filtering performance. Also, the efficiency of the proposed method in using GPU resources for parallel intrusion detection is 81 percent higher than the best state-of-the-art method.
منابع مشابه
Building intrusion pattern miner for Snort network intrusion detection system
In this paper, we enhance the functionalities of Snort network-based intrusion detection system to automatically generate patterns of misuse from attack data, and the ability of detecting sequential intrusion behaviors. To that, we implement an intrusion pattern discovery module which applies data mining technique to extract single intrusion patterns and sequential intrusion patterns from a col...
متن کاملDistributed Snort Network Intrusion Detection System with Load Balancing Approach
As we enjoy the conveniences that the Internet or computer networks have brought to us, the problems are getting larger, especially network security problems. A Network Intrusion Detection System (NIDS) is one of the critical components in a network nowadays. It can monitor and analyze activities of network users, and then uses knowledge of attack patterns to identify and prevent such attacks. ...
متن کاملA Hybrid Snort-Negative Selection Network Intrusion Detection Technique
Network Intrusion Detection Systems (NIDSs) are systems that monitor computer networks to detect, identify and prevent the malicious events, which attempt to compromise the integrity, confidentiality or availability of computer networks. The NIDS may be classified according to the detection technique into two types, the "Signature-Based" and "Anomaly-Based" NIDS. In order to increase the effici...
متن کاملContext-Based Intrusion Detection Using Snort, Nessus and Bugtraq Databases
Intrusion Detection Systems (IDS) use different techniques to reduce the number of false positives they generate. Simple network context information such as the communication session state has been added in IDS signatures to only raise alarms in the proper context. However, this is often not sufficient and more network context information needs to be added to these Stateful IDS (SIDS) signature...
متن کاملGnort: High Performance Network Intrusion Detection Using Graphics Processors
The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to of...
متن کاملRule Generalisation in Intrusion Detection Systems using Snort
Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS’s responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one popular and actively developing open-so...
متن کاملمنابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
ذخیره در منابع من قبلا به منابع من ذحیره شده{@ msg_add @}
عنوان ژورنال
دوره 18 شماره 1
صفحات 150- 135
تاریخ انتشار 2021-05
با دنبال کردن یک ژورنال هنگامی که شماره جدید این ژورنال منتشر می شود به شما از طریق ایمیل اطلاع داده می شود.
کلمات کلیدی برای این مقاله ارائه نشده است
میزبانی شده توسط پلتفرم ابری doprax.com
copyright © 2015-2023