Characterizing the Performance of Network Intrusion Detection Sensors

Schaelicke, Lambert; Slabach, Thomas; Moore, Branden J.; Freeland, Curt

doi:10.1007/978-3-540-45248-5_9

Cited by 73 publications

(56 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Schaelicke et al [236] propose a methodology to measure the performance of rule-based IDPSs. They performed measurements for different packet payload sizes on a 100Mbit link, which was nearly saturated during the evaluation.…”

Section: Performance Analysis and Optimizationmentioning

confidence: 99%

See 1 more Smart Citation

Security configuration management in intrusion detection and prevention systems

Alsubhi

Alhazmi

Bouabdallah

et al. 2012

IJSN

View full text Add to dashboard Cite

Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defense against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. IDPSs can be network or host-based and can collaborate in order to provide better detection of malicious traffic. Although several IDPS systems have been proposed, their appropriate configuration and control for effective detection/prevention of attacks and efficient resource consumption is still far from trivial.Another concern is related to the slowing down of system performance when maximum security is applied, hence the need to trade off between security enforcement levels and the performance and usability of an enterprise information system.In this dissertation, we present a security management framework for the configuration and control of the security enforcement mechanisms of an enterprise information system. The approach leverages the dynamic adaptation of security measures based on the assessment of system vulnerability and threat prediction, and provides several levels of attack containment. Furthermore, we study the impact of security enforcement levels on the performance and usability of an enterprise information system. In particular, we analyze the impact of an IDPS configuration on the resulting security of the network, and on the network performance. We also analyze the performance of the IDPS for different configurations and under different traffic characteristics. The analysis can then be used to predict the impact of a given security configuration on the prediction of the impact on network performance.iii Acknowledgements All praise is due to Allah who guided me through out this research and beyond.My deepest gratitude is to my advisor, Prof. Raouf Boutaba, for his guidance, support, patience, and encouragement. I have been amazingly fortunate to have an advisor who gave me the freedom to explore on my own, and at the same time the guidance to recover when my steps faltered. He was always available, professional, and friendly. I have learned from him to think differently, be optimistic, and be self motivated. This work would have not been done without his advice and valuable comments.

show abstract

Section: Performance Analysis and Optimizationmentioning

confidence: 99%

“…The evaluation of the IDPS performance for any given security configuration is a crucial step for improving their realtime capability [236].…”

Section: Analysis 41 Introductionmentioning

confidence: 99%

Security configuration management in intrusion detection and prevention systems

Alsubhi

Alhazmi

Bouabdallah

et al. 2012

IJSN

View full text Add to dashboard Cite

show abstract

“…Those that are most relevant to our work include papers that deal with problems related to the capacity and resource management in NIDS including [7], [9], [15], [17]. Of particular relevance is the study by Dreger et al in [5] which reports real world experiences with the Bro.…”

Section: Related Workmentioning

confidence: 99%

Improving NIDS Performance Through Hardware-based Connection Filtering

Garg

Yegneswaran

Barford

2006

2006 IEEE International Conference on Communications

View full text Add to dashboard Cite

Abstract-Traffic volume and diversity can have a significant impact on the ability of network intrusion detection systems (NIDS) to report malicious activity accurately. Based on the observation that a great deal of traffic is, in fact, not important to accurate attack identification, we investigate connection filtering as a method for improving the performance of NIDS. We describe three different classes of connection filters that were developed to explore the design space and trade off's in load reduction versus alarm rates. We implement instances of each filter class on a network processor that can be used with any NIDS that runs on commodity hardware, and evaluate the impact of each filter in a series of laboratory-based tests. First, we establish an idealized maximum performance by using static connection filters for all benign traffic. Next, we show that volume sensitive random connection filters can improve performance significantly with respect to alarm rates under heavy traffic load. Finally, we show that dynamic connection filters that attempt to infer benign traffic can improve performance almost to the level of idealized static filters. These results underscore the potential for hardware-based connection filtering as an effective means for improving the performance of NIDS.

show abstract

“…Although many IDPS systems have been proposed, their appropriate configuration and control for effective detection and prevention of attacks has always been far from trivial [5]. Another concern is related to the significant slowing down of system performance when maximum security is applied [3], [14]; hence arises the need to tradeoff between security enforcement levels on one side and the performance and usability of an enterprise information system on the other.…”

Section: Introductionmentioning

confidence: 99%

Policy-Based Security Configuration Management, Application to Intrusion Detection and Prevention

Alsubhi

Aib

Jérôme

et al. 2009

2009 IEEE International Conference on Communications

View full text Add to dashboard Cite

Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defense against the variety of attacks that can compromise the security and well functioning of an enterprise information system. IDPSes can be network or host-based and can collaborate in order to provide better detections of malicious traffic. Although several IDPS systems have been proposed, their appropriate configuration and control for effective detection and prevention of attacks has always been far from trivial. Another concern is related to the slowing down of system performance when maximum security is applied, hence the need to trade off between security enforcement levels and the performance and usability of an enterprise information system.In this paper we motivate the need for and present a policy-based framework for the configuration and control of the security enforcement mechanisms of an enterprise information system. The approach is based on dynamic adaptation of security measures based on the assessment of system vulnerability and threat prediction and provides several levels of attack containment. As an application, we have implemented a dynamic policy-based adaptation mechanism between the Snort signature-based IDPS and the light weight anomaly-based FireCol IDS. Experiments conducted over the DARPA 2000 and 1999 intrusion detection evaluation datasets show the viability of our framework 1 .

show abstract

Characterizing the Performance of Network Intrusion Detection Sensors

Cited by 73 publications

References 11 publications

Security configuration management in intrusion detection and prevention systems

Security configuration management in intrusion detection and prevention systems

Improving NIDS Performance Through Hardware-based Connection Filtering

Policy-Based Security Configuration Management, Application to Intrusion Detection and Prevention

Contact Info

Product

Resources

About