An Active Traffic Splitter Architecture for Intrusion Detection
Ioannis Charitakis
Institute of Computer Science, Foundation of Research And Technology Hellas (FORTH)
Joint work with: Evangelos Markatos (FORTH), Kostas Anagnostakis (UPENN)
MASCOTS 2003

Overview
• Introduction
  – Snort and Network Intrusion Detection Systems
  – NIDS: a highly intensive operation
  – Simple Splitter
• An Active Traffic Splitter
  – Light-weight functionality: Early Filtering and Locality Buffers
  – Improves NIDS performance by up to 19%
• Summary and Future Work

Introduction
• Snort (www.snort.org)
  – Passive network monitoring
  – 1500-1700 rules (grouped by application)
  – Highly intensive operation
• Current Snort performance
  – One high-end PC: 300-400 Mbit/s
  – Multi-gigabit links?
  – Multiple sensors

Simple Splitter
[Figure: a high-rate single link enters the SPLITTER, which finds the target sensor and forwards the packet over one of several lower-rate links to the SENSORS, each running Snort v2.]

Motivation: Use an Active Splitter
• Move simple IDS functionality from the sensors to the splitter
  – Early Filtering (EF)
• Enhance the performance of each sensor transparently
  – No need to modify the sensors
  – Locality Buffering (LB)

Active Splitter Architecture
[Figure: inside the ACTIVE SPLITTER, EF first reduces the number of packets to process, then the target sensor is found, then LB performs traffic shaping before the packets are forwarded to the Snort v2 SENSORS.]

Active Splitter Feature: EF
• Early Filtering
  – Discard packets before they reach any sensor
  – Fewer packets to process, fewer interrupts
[Figure: small packets with no payload are checked at the splitter against the header-only rules (10% of all rules); "No match" means the packet is discarded, otherwise it goes on to "Further processing".]

Active Splitter Feature: LB
• Locality Buffers
  – Group similar packets together
  – Enhance the performance of the cache memory
[Figure, two animation steps: an interleaved stream of web, p2p and ftp packets is regrouped so that packets of the same kind (web, web; p2p, p2p; ftp) reach Snort v2 back to back.]

LB: Implementation
[Figure: each incoming packet is hashed on its destination port into one of Locality Buffer 1 ... Locality Buffer N; each buffer is then delivered to Snort v2.]

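The two features above, Early Filtering and Locality Buffering, as an added Python model written for this page (not code from the paper or from FORTH): a payload-less packet that matches no header-only rule is dropped at the splitter, and every surviving packet is hashed on its destination port into a per-sensor locality buffer that is handed to the sensor as one burst. The header-only rule set, the packet dictionary format, the hash-on-source choice of target sensor and the sample trace are all constructed assumptions.

```python
import zlib

# Constructed header-only rules (proto, dst_port): the only rules EF evaluates.
HEADER_RULES = {("tcp", 23), ("udp", 161)}


def early_filter(pkt, rules=HEADER_RULES):
    """True if the packet still needs a sensor: anything with a payload does; a
    payload-less packet only if a header-only rule matches it, else it is dropped."""
    return bool(pkt["payload"]) or (pkt["proto"], pkt["dst_port"]) in rules


class ActiveSplitter:
    """EF in front of per-sensor locality buffers chosen by hashing the dst port."""
    def __init__(self, n_sensors, n_buffers, lb_bytes):
        self.n_sensors, self.n_buffers, self.lb_bytes = n_sensors, n_buffers, lb_bytes
        self.bufs = [[[] for _ in range(n_buffers)] for _ in range(n_sensors)]
        self.delivered = [[] for _ in range(n_sensors)]  # packet order each sensor sees
        self.dropped = 0

    def push(self, pkt):
        if not early_filter(pkt):
            self.dropped += 1  # never reaches a sensor: fewer packets, fewer interrupts
            return
        # Assumed sensor choice: hash on source host so a host's traffic stays on one sensor.
        s = zlib.crc32(pkt["src"].encode()) % self.n_sensors
        lb = pkt["dst_port"] % self.n_buffers  # LB selection: hash on destination port
        self.bufs[s][lb].append(pkt)
        if sum(p["size"] for p in self.bufs[s][lb]) >= self.lb_bytes:
            self.flush(s, lb)  # a full LB is handed to the sensor as one burst

    def flush(self, s, lb):
        self.delivered[s].extend(self.bufs[s][lb])
        self.bufs[s][lb] = []

    def flush_all(self):  # end of trace: drain every partially filled buffer
        [self.flush(s, lb) for s in range(self.n_sensors) for lb in range(self.n_buffers)]


def run_sample(n_sensors=2, n_buffers=4, lb_bytes=4096):
    """Constructed trace interleaving web, SNMP and bare-ACK packets; returns the splitter."""
    def mk(src, proto, port, size, payload):
        return {"src": src, "proto": proto, "dst_port": port, "size": size, "payload": payload}
    sp = ActiveSplitter(n_sensors, n_buffers, lb_bytes)
    for i in range(12):
        sp.push(mk("10.0.0.%d" % (i % 3), "tcp", 80, 1400, b"GET / HTTP/1.1"))
        sp.push(mk("10.0.0.%d" % (i % 3), "tcp", 80, 64, b""))  # bare ACK: EF drops it
        sp.push(mk("10.0.0.9", "udp", 161, 64, b""))  # header-only rule matches: kept
    sp.flush_all()
    return sp
```

After `run_sample()`, every bare ACK has been dropped and each sensor's `delivered` list shows the port-80 and port-161 packets in contiguous runs rather than interleaved as they arrived.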
Performance Measurements
• Simple Splitter versus:
  – Splitter/LB
  – Splitter/EF
  – Splitter/LB+EF
• Simulations
  – All measurements on the same machine
  – Trace (NLANR) split and shaped into several files
  – Snort v2 build 20
• Measured processing time (user + system time)

PM: Per number of Sensors
[Chart: processing time per number of sensors; values not recoverable from the slide text.]

PM: Burst size
[Chart: processing time per burst size; values not recoverable from the slide text.]

Early Filtering Performance
• Number of packets with no content
  – 40% with no payload
• Reduction in system time
  – 16.8% (from 10.1 to 8.7 sec)
• Reduction in user time
  – 6.6% (from 45.67 to 42.66 sec)
• Combined reduction
  – 8%

LB + EF Performance
• 4 sensors, 16 LBs, 256 KB per LB
• Aggregate user time
  – 19.8% (from 47.27 to 37.88 sec)
• Slowest sensor
  – 14.4% (from 12.38 to 10.93 sec)

Summary and Future Work
• Active Splitter
  – Early Filtering
  – Locality Buffers
• Enhances performance transparently
  – No need to change the sensors
  – Simulations are promising
• Future Work
  – Implementation