A high performance network intrusion detection engine based on network processor

Abstract

As Internet application grows explosively, the attacks of hackers on network are increasing rapidly, and becoming more seriously. Thus information security is emerging as an important factor in designing network systems, and network intrusion detection systems (NIDS) are becoming a key issue. However, the performance of current intrusion detection system can not handle the increasing internet traffic. The reason is that most of the intrusion detection engines(IDEs), core components that perform detection of network intrusion, are implemented by software. Generally there are two approaches for enhancing the performance of NIDS; software-based IDEs and hardware-based IDEs. Software-based IDEs, such as Snort, are implemented by software using general processores. To improve the performance of software-based IDEs, many researches have focused on enhancing pattern matching algorithms. On the other hand, hardware-based IDEs use special hard-wired processors for high speed packet processing or new techniques utilizing hardware for efficient pattern matching. However, both approaches have limitation from the viewpoint of performance and flexibility. In this thesis, to achieve fast packet processing and dynamic adaptation of intrusion patterns that are continuously updated, we propose a network processor based high performance network intrusion detection system (NP-NIDS). In our implementation, Intel``s network processors, IXP1200 and IXP2400, are used due to their higher programmability. To develop a high performance intrusion detection engine with a network processor, which has limited resources, we design an optimized architecture and algorithms. In addition, for more efficient detection engine scheduling, we proposed task allocation methods on multi-processing processors. We implement a prototype of network processor based network intrusion detection systems, and its performance is evaluated by simulations. A RISC based network processor is specialized for fas...