An Active Traffic Splitter Architecture for Intrusion Detection
Ioannis Charitakis
Institute of Computer Science, Foundation for Research and Technology Hellas (FORTH)
Joint work with: Evangelos Markatos (FORTH) and Kostas Anagnostakis (UPENN)
MASCOTS 2003
Overview
• Introduction
– Snort and Network Intrusion Detection Systems
– NIDS: a highly intensive operation
– Simple Splitter
• An Active Traffic Splitter
– Light-weight functionality: Early Filtering and Locality Buffers
– Improves NIDS performance by up to about 20% (19.8% aggregate user time in the best measured configuration)
• Summary and Future Work
Introduction
• Snort (www.snort.org)
– Passive network monitoring
– 1500-1700 rules (grouped by application)
– Highly intensive operation
• Current Snort performance
– One high-end PC: 300-400 Mbit/s
– Multi-gigabit links? Use multiple sensors
Simple Splitter
(figure) A high-rate single link enters the SPLITTER, which finds the target sensor for each packet and forwards it over one of several lower-rate links to the SENSORS, each running Snort v2.
Motivation: use an Active Splitter
• Move simple IDS functionality from the sensor to the splitter
– Early Filtering (EF)
• Enhance the performance of each sensor transparently
– No need to modify the sensors
– Locality Buffering (LB)
Active Splitter Architecture
(figure) The ACTIVE SPLITTER receives the high-rate link and first applies EF to reduce the number of packets to process; it then finds the target sensor and passes the packet through that sensor's LB stage (traffic shaping) before forwarding it to the SENSORS, each running Snort v2.
Active Splitter Feature: EF
• Early Filtering
– Discard packets before they reach any sensor
– Fewer packets to process, fewer interrupts
(figure) Early Filtering applies the header-only rules (about 10% of all rules) to small packets carrying no payload: a packet that matches none of them is discarded, and every other packet goes on for further processing at a sensor.
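The decision rule behind the EF stage, as an added example written for this page rather than code from the paper or from Snort: a simplified parser for Snort-style rule lines classifies each rule as header-only (no content/uricontent/pcre option) or not, and the splitter forwards every packet that carries a payload, while a payload-less packet is forwarded only if some header-only rule matches its protocol and ports. The rules, the packets and the "40-byte header" style simplifications are constructed here; real Snort rules also use variables, negated ports and bidirectional operators, which this parser does not handle.

```python
import re
from dataclasses import dataclass

# Constructed, simplified Snort-style rules (not taken from the paper or from
# any real rule set). A rule is "header-only" when it carries no
# payload-inspecting option, so the splitter can evaluate it on its own.
SAMPLE_RULES = [
    'alert tcp any any -> any 22 (msg:"SSH connection"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"cmd.exe request"; content:"cmd.exe"; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"DNS query"; content:"|00 01|"; sid:1000003;)',
    'alert tcp any any -> any 6881:6889 (msg:"BitTorrent port"; sid:1000004;)',
]


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes    # b"" for a packet with no payload


@dataclass(frozen=True)
class Rule:
    proto: str
    src_port: str     # "any", a single port "22", or a range "6881:6889"
    dst_port: str
    header_only: bool
    sid: str


# Simplified grammar: "<action> <proto> <src> <sport> -> <dst> <dport> (<options>)".
# Bidirectional "<>" rules, negated ports and $VARIABLES are not handled.
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
PAYLOAD_OPTS = re.compile(r"\b(content|uricontent|pcre)\s*:")


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    _action, proto, _src, sport, _dst, dport, opts = m.groups()
    sid = re.search(r"\bsid\s*:\s*(\d+)", opts)
    return Rule(proto.lower(), sport, dport, PAYLOAD_OPTS.search(opts) is None,
                sid.group(1) if sid else "")


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                      # Snort range syntax "lo:hi", either end optional
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and port_matches(rule.src_port, pkt.src_port)
            and port_matches(rule.dst_port, pkt.dst_port))


def early_filter(packets, rules):
    """Split packets into (forwarded, dropped).

    A packet with a payload may match a content rule that the splitter does not
    evaluate, so it is always forwarded. A payload-less packet can only trigger
    a header-only rule: if none matches, no sensor could ever alert on it, and
    the splitter drops it before it costs a sensor an interrupt.
    """
    header_only = [r for r in rules if r.header_only]
    forwarded, dropped = [], []
    for pkt in packets:
        if pkt.payload or any(header_matches(r, pkt) for r in header_only):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


# Constructed sample traffic (not a real trace).
SAMPLE_PACKETS = [
    Packet("tcp", 40000, 22, b""),                            # SYN to SSH: header-only rule matches
    Packet("tcp", 40001, 80, b""),                            # pure ACK to HTTP: only a content rule exists
    Packet("tcp", 40001, 80, b"GET /cmd.exe HTTP/1.0\r\n"),   # has payload: must reach a sensor
    Packet("udp", 5353, 53, b""),                             # empty UDP to DNS: only a content rule
    Packet("tcp", 40002, 443, b""),                           # no rule at all for 443
    Packet("tcp", 40003, 6885, b""),                          # inside the 6881:6889 header-only range
]


def demo():
    rules = [parse_rule(line) for line in SAMPLE_RULES]
    return early_filter(SAMPLE_PACKETS, rules)


if __name__ == "__main__":
    fwd, drop = demo()
    print(f"forwarded {len(fwd)}, dropped {len(drop)} of {len(SAMPLE_PACKETS)}")
```

One caveat the slides do not discuss: the payload-less packets EF discards include TCP SYN, FIN, RST and pure ACK segments, which a sensor's stateful stream preprocessor relies on to track connections. Before deploying EF in front of a sensor configured that way, either exempt control segments from filtering or confirm that the rule set does not depend on connection state.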
Active Splitter Feature: LB
• Locality Buffers
– Group similar packets together
– Enhance the performance of cache memory
(figure) An interleaved stream of web, p2p and ftp packets is regrouped so that packets of the same application reach Snort v2 back to back.
LB: Implementation
(figure) Packets are hashed on destination port into Locality Buffer 1 .. Locality Buffer N; each buffer is handed to Snort v2 as one burst.
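The LB stage end to end, as an added example written for this page and not the authors' implementation: the splitter picks a target sensor with a symmetric flow hash (the slides say only "find target sensor"; SHA-256 over the sorted endpoint pair is an assumption), then that sensor's locality buffers take the packet by destination port (the slides say "hash on dst port"; dport mod N is the assumed hash) and release a buffer as one burst when the next packet would exceed its byte capacity. The trace and the 40-byte header size are constructed; port_switches() counts how often the sensor would change destination port between consecutive packets, which is the locality the buffers are meant to improve.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

    def size(self) -> int:
        return 40 + len(self.payload)   # assumed 40-byte IPv4+TCP header without options


def pick_sensor(pkt: Packet, n_sensors: int) -> int:
    """Simple-splitter stage: choose the target sensor with a symmetric flow hash,
    so both directions of a connection reach the same sensor. The slides do not
    specify the hash; SHA-256 over the sorted endpoint pair is an assumption."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    key = f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_sensors


class LocalityBuffers:
    """N buffers in front of one sensor. A packet goes to buffer (dport mod N),
    an assumed stand-in for the slides' "hash on dst port"; a buffer is delivered
    to the sensor as one burst when the next packet would overflow its capacity."""

    def __init__(self, n_buffers: int, capacity_bytes: int, deliver):
        self.n = n_buffers
        self.capacity = capacity_bytes
        self.deliver = deliver            # callable that receives a list of packets
        self.bufs = [[] for _ in range(n_buffers)]
        self.used = [0] * n_buffers

    def push(self, pkt: Packet) -> None:
        i = pkt.dport % self.n
        # Flush only a non-empty buffer: a packet larger than the capacity still
        # has to be delivered, on its own, rather than looping forever.
        if self.bufs[i] and self.used[i] + pkt.size() > self.capacity:
            self.flush(i)
        self.bufs[i].append(pkt)
        self.used[i] += pkt.size()

    def flush(self, i: int) -> None:
        if self.bufs[i]:
            self.deliver(self.bufs[i])
            self.bufs[i], self.used[i] = [], 0

    def flush_all(self) -> None:
        for i in range(self.n):
            self.flush(i)


def active_split(packets, n_sensors=4, n_buffers=16, capacity_bytes=256 * 1024):
    """Return, per sensor, the packet sequence that sensor would receive."""
    outputs = [[] for _ in range(n_sensors)]
    lbs = [LocalityBuffers(n_buffers, capacity_bytes, outputs[s].extend)
           for s in range(n_sensors)]
    for pkt in packets:
        lbs[pick_sensor(pkt, n_sensors)].push(pkt)
    for lb in lbs:
        lb.flush_all()                    # end of trace: drain partially filled buffers
    return outputs


def port_switches(seq) -> int:
    """How often consecutive packets change destination port, i.e. how often the
    sensor switches between rule groups and their cache footprint."""
    return sum(1 for a, b in zip(seq, seq[1:]) if a.dport != b.dport)


# Constructed interleaved trace (not a real capture): web, ftp and p2p packets
# from different clients, strictly alternating, 100-byte payloads.
SAMPLE_TRACE = []
for i in range(12):
    SAMPLE_TRACE.append(Packet(f"10.0.0.{i}", 40000 + i, "192.0.2.10", 80, b"G" * 100))
    SAMPLE_TRACE.append(Packet(f"10.0.1.{i}", 41000 + i, "192.0.2.20", 21, b"U" * 100))
    SAMPLE_TRACE.append(Packet(f"10.0.2.{i}", 42000 + i, "192.0.2.30", 6881, b"B" * 100))


if __name__ == "__main__":
    out = active_split(SAMPLE_TRACE, n_sensors=1, n_buffers=16, capacity_bytes=1000)[0]
    print("port switches before:", port_switches(SAMPLE_TRACE), "after:", port_switches(out))
```

Two things worth checking on a real deployment that this toy makes visible: the buffers reorder packets across applications but never within one destination port, so per-flow ordering that a sensor's stream reassembly depends on is preserved; and the buffer capacity (256 KB per LB in the measurements) bounds the extra latency before a packet reaches a sensor, so an idle buffer should also be flushed on a timer, which the slides do not cover.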
Performance Measurements
• Simple Splitter versus:
– Splitter/LB
– Splitter/EF
– Splitter/LB+EF
• Simulations
– All measurements on the same machine
– NLANR trace split and shaped into several files, one per sensor
– Snort v2 build 20
• Measured processing time (user + system time)
Performance Measurements: per number of sensors (chart)
Performance Measurements: per burst size (chart)
Early Filtering Performance
• Packets with no content
– 40% of packets carry no payload
• Reduction in system time
– 16.8% (10.1 → 8.7 sec)
• Reduction in user time
– 6.6% (45.67 → 42.66 sec)
• Combined reduction
– 8%
LB + EF Performance
• 4 Sensors
• 16 LBs
• 256 KB / LB
• Aggregate user time: 19.8% reduction
– (47.27 → 37.88 sec)
• Slowest sensor: 14.4% reduction
– (12.38 → 10.93 sec)
Summary and Future Work
• Active Splitter
– Early Filtering
– Locality Buffers
• Enhances performance transparently
– No need to change the sensors
• Simulation results are promising
• Future Work
– Implementation