TU Berlin

Internet Network Architectures

Robin Sommer's Publications

Viable Network Intrusion Detection in High-Performance Environments
Citation key S-VNIDHE-05
Author Sommer, Robin
Year 2005
School Technische Universität München, Munich, Germany
Abstract Network intrusion detection systems (NIDS) continuously monitor network traffic for malicious activity, raising alerts when they detect attacks. However, high-performance Gbps networks pose major challenges for these systems. Despite vendor promises, they often fail to work reliably in such environments. In this work, we set out to understand the trade-offs involved in network intrusion detection, and we mitigate the impact of their choice on operational security monitoring. We base our study on extensive experience with several large-scale network environments, including the Munich Scientific Network and the backbone of the University of California at Berkeley. In such networks, we find an immense traffic diversity which requires a NIDS to deal robustly with unexpected situations. However, to accommodate any conceivable situation, a NIDS would need an unlimited supply of CPU cycles and memory. Thus, the operator of the system needs to trade-off the quality of the detection with resource demands. To provide the necessary tuning options, we devise several new mechanisms which allow to choose this trade-off according to the policy of a particular environment. Moreover, we enable a NIDS to transparently share its state across instances, thereby multiplying the available amount of resources. Another major trade-off that a NIDS faces is the decision when to alert: if it reports anything which could potentially be malicious, it will generate an unmanageable number of alerts; if it reports only the most obvious attacks, it will miss some. To improve the precision of the detection, we enable a NIDS to incorporate different kinds of network context into its analysis. Such contextual information can either be derived during operation or provided externally, e.g., by host applications. The thesis starts with recapitulating concepts and limitations of network intrusion detection, and then presents seven operational environments in which we have conducted our research.
Next, we discuss our experiences with deploying four different NIDSs, open-source systems as well as commercial. We examine the resource usage of one of the systems in detail and improve the system's resource management. Then we introduce the concept of independent state, i.e., internal fine-grained state that can be shared among instances. The implementation of this concept provides us with a wealth of new operationally significant applications. Finally, we introduce contextual signatures which supplement traditional byte-level pattern matching with contextual information. We implement and evaluate all of our improvements within the framework provided by the open-source Bro NIDS.
Bibtex Type of Publication Doctoral thesis