Improving the performance efficiency of an IDS by exploiting temporal locality in network traffic
Visualitza/Obre
06298204.pdf (246,7Kb) (Accés restringit)
Sol·licita una còpia a l'autor
Què és aquest botó?
Aquest botó permet demanar una còpia d'un document restringit a l'autor. Es mostra quan:
- Disposem del correu electrònic de l'autor
- El document té una mida inferior a 20 Mb
- Es tracta d'un document d'accés restringit per decisió de l'autor o d'un document d'accés restringit per política de l'editorial
Cita com:
hdl:2117/19428
Tipus de documentText en actes de congrés
Data publicació2012
Condicions d'accésAccés restringit per política de l'editorial
Tots els drets reservats. Aquesta obra està protegida pels drets de propietat intel·lectual i
industrial corresponents. Sense perjudici de les exempcions legals existents, queda prohibida la seva
reproducció, distribució, comunicació pública o transformació sense l'autorització del titular dels drets
Abstract
Network traffic has traditionally exhibited temporal locality in the header field of packets. Such locality is intuitive and is a consequence of the semantics of network protocols. However, in contrast, the locality in the packet payload has not been studied in significant detail. In this work we study temporal locality in the packet payload. Temporal locality can also be viewed as redundancy, and we observe significant redundancy in the packet payload. We investigate mechanisms to exploit it in a networking application.
We choose Intrusion Detection Systems (IDS) as a case study. An IDS like the popular Snort operates by scanning packet payload
for known attack strings. It first builds a Finite State Machine (FSM) from a database of attack strings, and traverses this FSM
using bytes from the packet payload. So temporal locality in network traffic provides us an opportunity to accelerate this
FSM traversal. Our mechanism dynamically identifies redundant bytes in the packet and skips their redundant FSM traversal. We
further parallelize our mechanism by performing the redundancy identification concurrently with stages of Snort packet processing. IDS are commonly deployed in commodity processors, and we evaluate our mechanism on an Intel Core i3. Our performance study indicates that the length of the redundant chunk is a key factor in performance. We also observe important performance benefits in deploying our redundancy-aware mechanism in the Snort IDS[32].
CitacióSreekar Shenoy, G.; Tubella, J.; Gonzalez, A. Improving the performance efficiency of an IDS by exploiting temporal locality in network traffic. A: IEEE/ACM International Symposium on Modelling, Analysis and Simulation of Computer and Telecommunication Systems. "Proceedings of the 2012 IEEE 20th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, MASCOTS 2012". 2012, p. 439-448.
ISBN978-076954793-0
Fitxers | Descripció | Mida | Format | Visualitza |
---|---|---|---|---|
06298204.pdf | 246,7Kb | Accés restringit |