Network intrusion detection systems (NIDS) are one of the latest developments in security. The matching of packet strings against collected signatures dominates signature-based NIDS performance. This work presents FNP², an efficient pattern-matching engine designed for network processor platforms, which matches sets of patterns in parallel. This work shows that combining our string matching methodology, the hashing engine supported by most network processors, and the characteristics of current Snort signatures frequently improves performance and reduces the number of memory accesses compared to current NIDS pattern matching algorithms. Another contribution is to highlight that, besides the total number of search patterns, the shortest pattern length is also a major influence on the performance of NIDS multi-pattern matching algorithms.
The common means of defense for network security systems is to block intrusions by matching signatures. Intrusion-signature matching is the critical operation. However, small and medium-sized enterprise (SME) or Small Office Home Office (SOHO) network security systems may not have sufficient resources to maintain good matching performance with full rule sets. Code generation is a technique that converts data structures or instructions into other forms to obtain greater benefits within the execution environment. This study analyzes intrusion detection system (IDS) signatures and finds that character occurrence is significantly uneven. Based on this property, this study designs a method to generate string-matching source code from the state table of the Aho-Corasick (AC) algorithm for embedded network intrusion detection platforms. The generated source code requires less memory and relies not only on table lookup but also on the capabilities of the processor. This method can improve performance through compiler optimization and contribute to the application of network processors and DSP-like platforms. In the evaluation, this method requires only 20% of the memory and achieves 86% of the performance of the original AC algorithm on clean traffic.
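The idea of turning an Aho-Corasick state table into straight-line matching code, as an added illustration that is not the paper's generator: transitions exist only for characters that actually occur in the signature set, zero edges are left implicit, and each state becomes an if/elif chain instead of a table row. Generating Python and loading it with exec (rather than C for an embedded target), the signature set and probe string are constructed here for the demonstration.

```python
from collections import deque

def build_dfa(patterns):
    """Aho-Corasick trie + failure links, then a DFA row per state over the pattern alphabet."""
    goto, out = [{}], [set()]
    for p in patterns:                               # trie of all patterns
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({}); out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(p)
    fail, order, q = [0] * len(goto), [0], deque(goto[0].values())
    while q:                                         # BFS: failure links, shallow states first
        s = q.popleft(); order.append(s)
        for ch, t in goto[s].items():
            q.append(t)
            f = fail[s]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[t] = goto[f][ch] if ch in goto[f] and goto[f][ch] != t else 0
            out[t] |= out[fail[t]]
    alphabet = sorted({ch for g in goto for ch in g})   # only characters that occur in signatures
    dfa = [{} for _ in goto]
    for s in order:                                  # fail[s] precedes s, so its row is complete
        for ch in alphabet:
            dfa[s][ch] = goto[s][ch] if ch in goto[s] else (dfa[fail[s]][ch] if s else 0)
    return dfa, out

def generate_matcher(patterns):
    """Emit Python source where every state is an if/elif chain (no table lookup at run time)."""
    dfa, out = build_dfa(patterns)
    src = ["def match(text):", "    hits, s = [], 0", "    for i, ch in enumerate(text):"]
    for s, row in enumerate(dfa):
        src.append(f"        {'if' if s == 0 else 'elif'} s == {s}:")
        branches = [f"ch == {ch!r}: s = {t}" for ch, t in row.items() if t]   # zero edges implicit
        src += [f"            {'if' if j == 0 else 'elif'} {b}" for j, b in enumerate(branches)]
        src.append("            else: s = 0" if branches else "            s = 0")
    src += ["        for p in OUT.get(s, ()):", "            hits.append((i - len(p) + 1, p))",
            "    return hits"]
    ns = {"OUT": {s: sorted(o) for s, o in enumerate(out) if o}}  # accepting states -> patterns
    exec("\n".join(src), ns)
    return ns["match"], "\n".join(src)

# Constructed sample signature set (not from the paper) and a probe string.
MATCH, SOURCE = generate_matcher(["he", "she", "his", "hers"])
print(SOURCE)
print(MATCH("ushers"))   # [(2, 'he'), (1, 'she'), (2, 'hers')]
```

Each hit is (start offset, pattern); the generated source shows that states reachable only by rare characters carry very few branches, which is where the memory saving comes from.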
Software-Defined Networking (SDN) is an emerging architecture that is ideal for today's high-bandwidth, dynamic network environments. In this architecture, the control and data planes are decoupled from each other. Although much research has been performed into how SDN can resolve some of the most glaring security issues of traditional networking, less research has addressed cloud security threats, in particular botnet/malware detection and in-cloud attacks. This work proposes an intrusion prevention system for cloud networking with SDN solutions. To realize collaborative defense, botnet/malware blocking, scan filtering and honeypot mechanisms are implemented. Malicious traffic is isolated because bot-infected VMs are removed effectively and efficiently from the private cloud. Scanning behavior can be filtered at a very early stage of prevention, making the VMs less exploitable. A honeypot mechanism is also deployed to trap attackers. Experimental results show the high detection rate, high prevention accuracy and low vulnerability of the proposed system.
Zero-day attacks are a critical class of network attack. The zero-day attack period (ZDAP) is the period from the release of malware/exploit until a patch becomes available. IDS/IPS cannot effectively block zero-day attacks because they generally rely on pattern-based signatures. This paper proposes a Prophetic Defender (PD) by which the ZDAP can be minimized. Prior to the actual attack, attackers scan networks to identify hosts with vulnerable ports. If this port scanning can be detected early, zero-day attacks become detectable. The PD architecture makes use of a honeypot-based pseudo server deployed to detect malicious port scans. We operated a port-scanning honeypot for 6 years, from 2009 to 2015. By analyzing the 6-year port-scanning log data, we understand that PD is effective for detecting and blocking zero-day attacks. The block rate of the proposed architecture is 98.5%.
This paper proposes a defense-in-depth network security architecture and applies data mining technologies to analyze the alerts collected from distributed intrusion detection and prevention systems (IDS/IPS). The proposed defense-in-depth architecture consists of a global policy server (GPS) that manages the scattered intrusion detection and prevention systems, each of which is managed by a local policy server (LPS). The key component of the GPS is the security information management (SIM) module, where data mining technology is employed to analyze the events (alerts) collected from the LPSs. Once a DDoS attack is recognized by the SIM module, the GPS informs the LPS (IDS/IPS) to adjust its thresholds immediately to block the attack from the sources. To evaluate the effectiveness of the proposed defense-in-depth architecture, a prototype is implemented in which three different data mining tools are employed. Experimental results demonstrate that, for detecting DDoS attacks, the proposed data mining-based defense-in-depth architecture performs very well in terms of attack detection rate and false alarm rate.
In recent years, the size of virus signature databases has been growing rapidly, leading to a corresponding reduction in the performance of anti-virus (AV) software. In general, virus signature databases comprise string-based and hash-based (e.g., MD5) signatures. Currently the majority of signatures are hash-based, and cloud-based AV systems rely on them as a local cache to reduce network load. In this paper, we provide a novel scheme for looking up MD5 checksums to improve virus scanning performance for hash-based signatures. The scheme uses the range of characters that occur in the hash as a filter to avoid unnecessary lookups and to keep the exact-search range to a minimum. The scheme is 135 times faster than ClamAV's in clean/general cases and requires only 4 MB of memory for hash-based filtering. This scheme could easily be extended to other hash-based applications.
This paper proposes a cost-effective architecture for a network security switch that deeply inspects the traffic among switching ports. A security service engine (SSE) with deep packet inspection capability is also designed to accompany manageable L2 switches. By properly configuring the VLAN parameters, packets from the switch ports of the L2 switch are forwarded to the SSE, via the gigabit Ethernet interface, for deep inspection. For security reasons, abnormal/malicious packets are dropped by the SSE directly, while normal packets are forwarded back to the switch and on to the correct output port. To evaluate the performance and latency of the proposed architecture, a cost-effective P4-based SSE is also implemented as an intrusion detection and prevention system (IPS) with layer-7 content inspection. The obtained measurements show that the proposed architecture is practical, with high throughput and low latency. With an IPC-based SSE implementation, traditional L2 switches can now provide content security service in a very cost-effective way.
This paper proposes a scalable and highly available (HA) architecture for implementing cost-effective security switches. In this architecture, each "security switch" consists of a traditional layer-2 switch and a "security switch engine (SSE)" that provides packet content inspection service. These two components are connected via a Gigabit Ethernet link. A mechanism is proposed to interconnect a group of "security switches" to provide the HA feature. A system of four security switches is implemented, and the experimental results show that the HA function works successfully even when only one SSE is active. The SSE is implemented with full intrusion prevention function on a standard high-performance Industrial PC, with a throughput of 1.2 Gbps for UDP packets and 400 Mbps for TCP flows. Therefore the proposed security switch architecture can be realized in a very cost-effective way to provide Intranet protection.
As networks grow rapidly and viruses spread across them more frequently, network intrusion prevention systems (NIPS) are becoming more and more important. The traditional approach to intrusion prevention is a pure software solution on a high-performance CPU. However, this approach is outdated now that gigabit networks are common and high throughput is required. In recent years, programmable hardware solutions have been proposed, but they cannot handle deep and large-scale pattern matching and lack flexibility as signature sets grow. In this paper, we propose a novel pattern-matching coprocessor that overcomes the difficulties of TCAM implementation when patterns are long and the signature set is large. Since all patterns are stored in TCAM, the system is scalable and flexible.