Description
As networks become faster, there is an emerging need for security analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely keep up with bandwidths of a few hundred Mbps. Analysis tools that can handle higher throughput either cannot maintain state between the different steps of an attack or are limited to the analysis of packet headers. We propose a partitioning approach to network security analysis that supports in-depth, stateful intrusion detection on high-speed links. The approach is centered on a slicing mechanism that divides the overall network traffic into subsets of manageable size, each of which can be analyzed by a conventional sensor. The traffic is partitioned so that a single slice contains all the evidence necessary to detect a specific attack; each sensor can therefore keep the state its signatures need locally, and sensor-to-sensor interaction becomes unnecessary.
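The paragraph above states the key property of the partitioning: a slice must carry every packet a stateful signature needs, so that no sensor has to ask another for state. The following Python is an added illustration written for this page, not the project's Slicer or Splitter code, and makes assumptions the page does not spell out: each signature declares the packet fields over which its evidence must be co-located (its "scope"), and the slicer hashes those fields to pick a slice. The packets, the two toy signatures (a probe-then-exploit sequence against one host, and a port scan from one source) and the slice count are constructed for the example. For contrast, the same sensors are also run over a naive round-robin split, which spreads the evidence across slices and loses both alerts.

```python
"""Attack-aware traffic slicing vs. naive round-robin partitioning (illustrative)."""
import hashlib
from collections import defaultdict

# Constructed sample traffic (not a real capture). Each packet is
# (src, dst, dport, tag); 'tag' stands in for the payload class that a
# content signature would match.
PACKETS = [
    ("10.0.0.5", "192.168.1.10", 80, "probe"),
    ("10.0.0.7", "192.168.1.20", 22, "ssh"),
    ("10.0.0.9", "192.168.1.30", 21, "syn"),
    ("10.0.0.5", "192.168.1.10", 80, "exploit"),   # second step, same host
    ("10.0.0.9", "192.168.1.30", 22, "syn"),
    ("10.0.0.9", "192.168.1.30", 23, "syn"),
    ("10.0.0.9", "192.168.1.30", 25, "syn"),       # 4th distinct port from .9
    ("10.0.0.5", "192.168.1.40", 80, "probe"),     # probe never followed up
]
FIELDS = ("src", "dst", "dport", "tag")


def field(pkt, name):
    return pkt[FIELDS.index(name)]


def slice_index(scope, pkt, n_slices):
    """Hash only the scope fields, so packets sharing them land in one slice."""
    key = "|".join(str(field(pkt, f)) for f in scope).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_slices


def partition(packets, rules, n_slices):
    """Attack-aware slicing: one slice set per rule, keyed on that rule's scope."""
    slices = defaultdict(list)            # (rule name, slice idx) -> packets
    for pkt in packets:
        for name, rule in rules.items():
            slices[(name, slice_index(rule["scope"], pkt, n_slices))].append(pkt)
    return slices


def round_robin(packets, rules, n_slices):
    """Naive load balancing that ignores what the signatures need to see together."""
    slices = defaultdict(list)
    for i, pkt in enumerate(packets):
        for name in rules:
            slices[(name, i % n_slices)].append(pkt)
    return slices


def detect_multistep(packets):
    """Stateful: alert when an exploit hits a host that was probed earlier in this slice."""
    probed, alerts = set(), set()
    for _src, dst, _dport, tag in packets:
        if tag == "probe":
            probed.add(dst)
        elif tag == "exploit" and dst in probed:
            alerts.add(("multistep", dst))
    return alerts


def detect_portscan(packets, threshold=4):
    """Stateful: alert when one source touches >= threshold distinct ports in this slice."""
    ports = defaultdict(set)
    for src, _dst, dport, _tag in packets:
        ports[src].add(dport)
    return {("portscan", s) for s, p in ports.items() if len(p) >= threshold}


# Assumed rule format: the scope names the fields the evidence must share.
RULES = {
    "multistep": {"scope": ("dst",), "detect": detect_multistep},
    "portscan": {"scope": ("src",), "detect": detect_portscan},
}


def run_sensors(slices, rules):
    """Each slice is analysed by its own sensor; no state crosses slice boundaries."""
    alerts = set()
    for (name, _idx), pkts in slices.items():
        alerts |= rules[name]["detect"](pkts)
    return alerts


def compare(packets=PACKETS, n_slices=2):
    """Return (alerts with attack-aware slicing, alerts with round-robin splitting)."""
    aware = run_sensors(partition(packets, RULES, n_slices), RULES)
    naive = run_sensors(round_robin(packets, RULES, n_slices), RULES)
    return aware, naive


if __name__ == "__main__":
    aware, naive = compare()
    print("attack-aware slicing:", sorted(aware))
    print("round-robin split:   ", sorted(naive))
```

Two practical caveats follow from this toy. First, the scope must match the state the signature keeps: a detector that correlates across source addresses (a distributed scan of one host, say) needs a scope of `dst`, not `src`, or its evidence is scattered exactly as in the round-robin case. Second, hashing on attacker-influenced fields balances load only statistically; a source that concentrates traffic on one key can overload a single slice, so in practice the slice count and the scope choice have to be tuned against the real traffic mix.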
Software
- The Slicer: a modified version of Snort that performs the slicing of the traffic.
- The Splitter: a kernel module that performs the splitting of the traffic flow.
Publications
People
- F. Valeur.
Acknowledgments
This research was supported by the Army Research Office, under agreement DAAD19-01-1-0484 and by the Defense Advanced Research Projects Agency (DARPA) and Rome Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-97-1-0207.


