By Topic

Achieving Flow-Level Controllability in Network Intrusion Detection System

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

5 Author(s)
Bo Song ; Inst. of Comput. Technol., Chinese Acad. of Sci., Beijing, China ; Weibing Yang ; Mingyu Chen ; Xiaofang Zhao
more authors

Current network intrusion detection systems are lack of controllability, manifested as significant packet loss due to the long-term resources occupation by a single flow. The reasons can be classified into two kinds. The first kind is known as normal reasons, that is, the processing of mass arriving packets of a large flow can not be limited to a determinable period of time and thus makes other flows starved. The second kind, in which the CPU is trapped in a dead-loop like state due to processing some packets with particular content of a flow, is considered as abnormal reasons. In fact, it is a kind of software crashes. In this paper, we discuss the innate defects of traditional packet-driven NIDS, and implement a flow-driven framework which can achieve fine-grained controllability. An Active Two-threshold scheme based on ideal Exit-Point (ATEP) is proposed in order to diminish data preserving overhead during flow switches and to detect crash in time. A quick crash recovery mechanism is also given which can recover the trapped thread from 90% crashes in 0.2 ms. The experimental results show that our flow-driven framework with ATEP scheme can achieve higher throughput and less packet loss ratio than the uncontrollable packet-driven systems with less than 1% of extra CPU overhead. What's more, in the case of crash occurrence, the ATEP scheme is still able to maintain rather steady throughput without sudden decrease.

Published in:

Software Engineering Artificial Intelligence Networking and Parallel/Distributed Computing (SNPD), 2010 11th ACIS International Conference on

Date of Conference:

9-11 June 2010