An Active Splitter Architecture for Intrusion Detection and Prevention Konstantinos Xinidis, Ioannis Charitakis, Spiros Antonatos, Kostas G. Anagnostakis, Evangelos P. Markatos Presented by: Hargyo T. Nugroho Computer Network & System Research Laboratory Chung Yuan Christian University

How it works?(1) Splliter: Intel IXP 1200 P3 1.13 Ghz 8 KB L1 cache, 512 KB L2 cache 512 MB memory Sensors: P4 Xeon 2.66 Ghz (HT disabled) 64 bit wide clocked at 66 Mhz PCI Bus 512 MB DDR

How it works?(2) Early Filtering and Forwarding Filtering: Only intrusion suspect would be forwarded Using 165 non payload SNORT rules / EF rule set : only header processing The rules is implemented on IXP1200 as a ME code (S2I). Packet will be filtered out if no EF rule is match and no payload.

Early Filtering and Forwarding

Filtering: Only intrusion suspect would be forwarded

Using 165 non payload SNORT rules / EF rule set : only header processing

The rules is implemented on IXP1200 as a ME code (S2I).

Packet will be filtered out if no EF rule is match and no payload.

How it works?(3) Load Distribution An hash-based load balancing to divide the network traffic among the end sensors. Using CRC16-like hash applied on Src – Dst – Dst port of the packet. The last N bit of the result specify the dest. sensor All packets of the same flow will always be assigned to the same sensor

Load Distribution

An hash-based load balancing to divide the network traffic among the end sensors.

Using CRC16-like hash applied on Src – Dst – Dst port of the packet. The last N bit of the result specify the dest. sensor

All packets of the same flow will always be assigned to the same sensor

How it works?(4) Locality Buffering A technique for adapting the packet stream in a way that accelerates sensor processing by increasing the locality of memory accesses. Using dst-static (dedicated LBs for specific ports) Each packet is assigned to one of 16 LBs based on hash func.computed on packet`s dest. port

Locality Buffering

A technique for adapting the packet stream in a way that accelerates sensor processing by increasing the locality of memory accesses.

Using dst-static (dedicated LBs for specific ports)

Each packet is assigned to one of 16 LBs based on hash func.computed on packet`s dest. port

How it works?(6) Cumulative Acknowledgment A mechanism for reducing the redundant communication between the splitter and the sensors. The splitter needs approval from the sensors to decide the action should be performed eq. to forward or drop a packet. Using PCACKs : an ACK for a set of packets not related to may intrusion attempt.

Cumulative Acknowledgment

A mechanism for reducing the redundant communication between the splitter and the sensors.

The splitter needs approval from the sensors to decide the action should be performed eq. to forward or drop a packet.

Using PCACKs : an ACK for a set of packets not related to may intrusion attempt.

Experimental Result (1) 40% packets are ACKs no payload 99% does not match the rule of EF. Usertime reduced 6.6 % System time reduced 16.8 % Overall : 8 %

40% packets are ACKs

no payload

99% does not match the rule of EF.

Usertime reduced 6.6 %

System time reduced 16.8 %

Overall : 8 %

Experimental Result (2) Improve 11.4 % for 8 sensors Improve 13.8 % for 1 sensors Number of sensors increased, the agrgregate user time is decreasing

Improve 11.4 % for 8 sensors

Improve 13.8 % for 1 sensors

Number of sensors increased, the agrgregate user time is decreasing

Experimental Result (3) Burst??

Experimental Result (4)

Experimental Result (5) CACKs perform forwarding latency

Summary & My Tought The proposed architecture has shown 8 % improvement for early filtering, 10-17 percent for locality buffering, There is a big difference in the performance between LBs in splitter and LBs in libpcap (morethan 40 % improved). It could be because of the used of dst-static LBs or the latency caused by P-ACKs. EF and LBs can be very good combination and interesting to be implemented on hardware

The proposed architecture has shown 8 % improvement for early filtering, 10-17 percent for locality buffering,

There is a big difference in the performance between LBs in splitter and LBs in libpcap (morethan 40 % improved). It could be because of the used of dst-static LBs or the latency caused by P-ACKs.

EF and LBs can be very good combination and interesting to be implemented on hardware