Exploiting independent state for network intrusion detection
Sommer, R.
Paxson, V.
TU Munchen, Garching;
This paper appears in: Computer Security Applications Conference, 21st Annual
Publication Date: 5-9 Dec. 2005
On page(s): 13 pp.-71
Location: Tucson, AZ,
ISSN: 1063-9527
ISBN: 0-7695-2461-3
INSPEC Accession Number: 8970216
Digital Object Identifier: 10.1109/CSAC.2005.24
Current Version Published: 2006-01-03
Abstract
Network intrusion detection systems (NIDSs) critically rely on processing a great deal of state. Often much of this state resides solely in the volatile processor memory accessible to a single user-level process on a single machine. In this work, we highlight the power of independent state, i.e., internal fine-grained state that can be propagated from one instance of a NIDS to others running either concurrently or subsequently. Independent state provides us with a wealth of possible applications that hold promise for enhancing the capabilities of NIDSs. We discuss an implementation of independent state for the Bro NIDS and examine how we can then leverage independent state for distributed processing, load parallelization, selective preservation of state across restarts and crashes, dynamic reconfiguration, high level policy maintenance, and support for profiling and debugging. We have experimented with each of these applications in several large environments and are now working to integrate them into the sites' operational monitoring. A performance evaluation shows that our implementation is suitable for use even in large scale environments
Index
Terms
Available to subscribers and IEEE members.
References
Available to subscribers and IEEE members.
Citing Documents
Available to subscribers and IEEE members.
Cart
