7 research outputs found

    Analyzing pattern matching algorithms applied on snort intrusion detection system

    Currently, intrusion detection systems have become widely used as network perimeter security. IDS are used to prevent extremely sophisticated attacks in most of our industries, governmental organizations and educational institutions. An intrusion detection system can be either host-based or network-based: a host-based IDS monitors the host where it is configured, while a network-based IDS monitors both inbound and outbound network traffic. Furthermore, signature-based or anomaly-based detection techniques are used to detect malicious packets or attacks in both network-based and host-based intrusion detection systems. The challenge faced by most signature-based detection systems such as the Snort tool is the inability to detect malicious traffic on high-traffic networks, which results in packet dropping and leaves the network where this signature-based system is configured as perimeter security exposed. This challenge is a result of the inefficiency of the pattern matching algorithms in performing pattern matching. This project research work aims to compare the current Boyer-Moore pattern matching algorithm applied by the Snort IDS with the Quick Search pattern matching algorithm in order to evaluate their performance and recommend the implementation of the new pattern matching algorithm that will enhance Snort's detection performance.

    On the Optimality of Virtualized Security Function Placement in Multi-Tenant Data Centers

    Security and service protection against cyber attacks remain among the primary challenges for virtualized, multi-tenant Data Centres (DCs), for reasons that vary from lack of resource isolation to the monolithic nature of legacy middleboxes. Although security is currently considered a property of the underlying infrastructure, diverse services require protection against different threats and at timescales which are on par with those of service deployment and elastic resource provisioning. We address the resource allocation problem of deploying customised security services over a virtualized, multi-tenant DC. We formulate the problem in Integer Linear Programming (ILP) as an instance of the NP-hard variable size variable cost bin packing problem with the objective of maximising the residual resources after allocation. We propose a modified version of the Best Fit Decreasing algorithm (BFD) to solve the problem in polynomial time and we show that BFD optimises the objective function up to 80% more than other algorithms.

    Intrusion detection systems for smart home IoT devices: experimental comparison study

    Smart homes are one of the most promising applications of the emerging Internet of Things (IoT) technology. With the growing number of IoT-related devices such as smart thermostats, smart fridges, smart speakers, smart light bulbs and smart locks, smart homes promise to make our lives easier and more comfortable. However, the increased deployment of such smart devices brings an increase in potential security risks and home privacy breaches. In order to overcome such risks, Intrusion Detection Systems are presented as pertinent tools that can provide network-level protection for smart devices deployed in home environments. These systems monitor the network activities of the smart home-connected devices and focus on alerting on suspicious or malicious activity. They can also deal with detected abnormal activities by hindering impostors from accessing the victim devices. However, the employment of such systems in the context of a smart home can be challenging due to the devices' hardware limitations, which may restrict their ability to counter the existing and emerging attack vectors. Therefore, this paper proposes an experimental comparison between the widely used open-source NIDSs, namely Snort, Suricata and Bro IDS, to find the most appropriate one for smart homes in terms of detection accuracy and resource consumption including CPU and memory utilization. Experimental results show that Suricata is the best performing NIDS for smart homes.
    Comment: 7 pages, 4 figures, 2 tables

    A NOVEL EVALUATION APPROACH TO FINDING LIGHTWEIGHT MACHINE LEARNING ALGORITHMS FOR INTRUSION DETECTION IN COMPUTER NETWORK

    Building practical and efficient intrusion detection systems in computer networks is important in industrial areas today, and machine learning techniques provide a set of effective algorithms to detect network intrusions. To find out appropriate algorithms for building such kinds of systems, it is necessary to evaluate various types of machine learning algorithms based on specific criteria. In this paper, we propose a novel evaluation formula which incorporates 6 indexes into our comprehensive measurement, including precision, recall, root mean square error, training time, sample complexity and practicability, in order to find algorithms which have a high detection rate, low training time, need fewer training samples and are easy to use in constructing, understanding and analyzing models. A detailed evaluation process is designed to obtain all necessary assessment indicators, and 6 kinds of machine learning algorithms are evaluated. Experimental results illustrate that Logistic Regression shows the best overall performance.

    A comparative experimental design and performance analysis of Snort-based Intrusion Detection System in practical computer networks

    As one of the most reliable technologies, a network intrusion detection system (NIDS) allows the monitoring of incoming and outgoing traffic to identify unauthorised usage and mishandling by attackers in computer network systems. To this extent, this paper investigates the experimental performance of Snort-based NIDS (S-NIDS) in a practical network with the latest technology in various network scenarios including high data speed and/or heavy traffic and/or large packet size. An effective testbed is designed based on Snort using different multi-core processors, e.g., i5 and i7, with different operating systems, e.g., Windows 7, Windows Server and Linux. Furthermore, considering an enterprise network consisting of multiple virtual local area networks (VLANs), a centralised parallel S-NIDS (CPS-NIDS) is proposed with the support of a centralised database server to deal with high data speed and heavy traffic. Experimental evaluation is carried out for each network configuration to evaluate the performance of the S-NIDS in different network scenarios as well as to validate the effectiveness of the proposed CPS-NIDS. In particular, by analysing packet analysis efficiency, an improved performance of up to 10% is shown to be achieved with Linux over other operating systems, while up to 8% of improved performance can be achieved with i7 over i5 processors.

    Mitigation of attacks in software-defined networks using the Snort network-based intrusion detection system

    Undergraduate thesis (TCC) - Universidade Federal de Santa Catarina, Campus Araranguá, Information and Communication Technologies.
    Software-defined Networking (SDN) emerged as a new model to operate computer networks to meet the growing current demands of networks, which require speedy implementation and response to changes. In view of this, this work aims to investigate the use of the Snort network-based intrusion detection system in an SDN network environment to verify its effectiveness in helping to mitigate attacks aimed at the network. To this end, a bibliographic and documentary research was initially carried out to study the areas involved and to search for possible tools capable of carrying out the tests performed in this work. On account of this research, a simulation of a virtualized SDN network environment was performed with the network controller integrated with Snort, where cyberattacks were performed for the collection and qualitative and quantitative analysis of results on the ability of this security tool to contribute to the detection and mitigation of the attacks directed at the network. The results showed that Snort was able to detect the attacks performed in the environment and send alerts to the network controller; therefore, it was concluded that the Snort tool was able to effectively play its role in the security of the SDN network.

    Energy Efficient Hardware Accelerators for Packet Classification and String Matching

    This thesis focuses on the design of new algorithms and energy efficient high throughput hardware accelerators that implement packet classification and fixed string matching. These computationally heavy and memory intensive tasks are used by networking equipment to inspect all packets at wire speed. The constant growth in Internet usage has made them increasingly difficult to implement at core network line speeds. Packet classification is used to sort packets into different flows by comparing their headers to a list of rules. A flow is used to decide a packet’s priority and the manner in which it is processed. Fixed string matching is used to inspect a packet’s payload to check if it contains any strings associated with known viruses, attacks or other harmful activities. The contributions of this thesis towards the area of packet classification are hardware accelerators that allow packet classification to be implemented at core network line speeds when classifying packets using rulesets containing tens of thousands of rules. The hardware accelerators use modified versions of the HyperCuts packet classification algorithm. An adaptive clocking unit is also presented that dynamically adjusts the clock speed of a packet classification hardware accelerator so that its processing capacity matches the processing needs of the network traffic. This keeps dynamic power consumption to a minimum. Contributions made towards the area of fixed string matching include a new algorithm that builds a state machine that is used to search for strings with the aid of default transition pointers. The use of default transition pointers keeps memory consumption low, allowing state machines capable of searching for thousands of strings to be small enough to fit in the on-chip memory of devices such as FPGAs. A hardware accelerator is also presented that uses these state machines to search through the payloads of packets for strings at core network line speeds.