intrusion prevention

14,000,000 Leading Edge Experts on the ideXlab platform

Scan Science and Technology

Contact Leading Edge Experts & Companies

The Experts below are selected from a list of 5748 Experts worldwide ranked by ideXlab platform

Martin Klima - One of the best experts on this subject based on the ideXlab platform.

  • network based intrusion prevention system prototype with multi detection a position paper
    International Conference on Security and Cryptography, 2014
    Co-Authors: Daniel Kavan, Klara Skodova, Martin Klima
    Abstract:

    The ongoing need to protect key nodes of network infrastructure has been a pressing issue since the outburst of modern Internet threats. This paper presents ideas on building a novel network-based intrusion prevention system combining the advantages of different types of latest intrusion detection systems. Special attention is also given to means of traffic data acquisition as well as security policy decision and enforcement possibilities. With regard to recent trends in PaaS and SaaS, common deployment specific for private and public cloud platforms is considered.

Muttukrishnan Rajarajan - One of the best experts on this subject based on the ideXlab platform.

  • review a survey of intrusion detection techniques in cloud
    Journal of Network and Computer Applications, 2013
    Co-Authors: Chirag Modi, Dhiren R Patel, Bhavesh Borisaniya, Hiren Patel, Avi Patel, Muttukrishnan Rajarajan
    Abstract:

    In this paper, we survey different intrusions affecting availability, confidentiality and integrity of Cloud resources and services. Proposals incorporating intrusion Detection Systems (IDS) and intrusion prevention Systems (IPS) in Cloud are examined. We recommend IDS/IPS positioning in Cloud environment to achieve desired security in the next generation networks.

Nicholas Weaver - One of the best experts on this subject based on the ideXlab platform.

  • an architecture for exploiting multi core processors to parallelize network intrusion prevention
    Network and System Security, 2009
    Co-Authors: Robin Sommer, Vern Paxson, Nicholas Weaver
    Abstract:

    It is becoming increasingly difficult to implement effective systems for preventing network attacks, due to the combination of the rising sophistication of attacks requiring more complex analyses to detect; the relentless growth in the volume of network traffic that we must analyze; and, critically, the failure in recent years for uniprocessor performance to sustain the exponential gains that for so many years CPUs have enjoyed. For commodity hardware, tomorrow's performance gains will instead come from multi-core architectures in which a whole set of CPUs executes concurrently. Taking advantage of the full power of multi-core processors for network intrusion prevention requires an in-depth approach. In this work we frame an architecture customized for parallel execution of network attack analysis. At the lowest layer of the architecture is an ‘Active Network Interface’, a custom device based on an inexpensive FPGA platform. The analysis itself is structured as an event-based system, which allows us to find many opportunities for concurrent execution, since events introduce a natural asynchrony into the analysis while still maintaining good cache locality. A preliminary evaluation demonstrates the potential of this architecture. Copyright © 2009 John Wiley & Sons, Ltd.

  • shunting a hardware software architecture for flexible high performance network intrusion prevention
    Computer and Communications Security, 2007
    Co-Authors: Jose M Gonzalez, Vern Paxson, Nicholas Weaver
    Abstract:

    Stateful, in-depth, inline traffic analysis for intrusion detection and prevention is growing increasingly more difficult as the data rates of modern networks rise. Yet it remains the case that in many environments, much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as of "likely uninteresting." We present a combined hardware/software architecture, Shunting, that provides a lightweight mechanism for an intrusion prevention system (IPS) to take advantage of the "heavy-tailed" nature of network traffic to offload work from software to hardware. The primary innovation of Shunting is the introduction of a simple in-line hardware element that caches rules for IP addresses and connection 5-tuples, as well as fixed rules for IP/TCP flags. The caches, using a highest-priority match, yield a per-packet decision: forward the packet; drop it; or divert it through the IPS. By manipulating cache entries, the IPS can specify what traffic it no longer wishes to examine, including directly blocking malicious sources or cutting through portions of a single flow once it has had an opportunity to "vet" them, all on a fine-grained basis. We have implemented a prototype Shunt hardware design using the NetFPGA 2 platform, capable of Gigabit Ethernet operation. In addition, we have adapted the Bro intrusion detection system to utilize the Shunt framework to offload less-interesting traffic. We evaluate the effectiveness of the resulting system using traces from three sites, finding that the IDS can use this mechanism to offload 55%-90% of the traffic, as well as gaining intrusion prevention functionality.

  • an architecture for exploiting multi core processors to parallelize network intrusion prevention
    IEEE Sarnoff Symposium, 2007
    Co-Authors: Vern Paxson, Robin Sommer, Nicholas Weaver
    Abstract:

    It is becoming increasingly difficult to implement effective systems for preventing network attacks, due to the combination of (1) the rising sophistication of attacks requiring more complex analysis to detect, (2) the relentless growth in the volume of network traffic that we must analyze, and, critically, (3) the failure in recent years for uniprocessor performance to sustain the exponential gains that for so many years CPUs enjoyed ("Moore's Law"). For commodity hardware, tomorrow's performance gains will instead come from multicore architectures in which a whole set of CPUs executes concurrently. Taking advantage of the full power of multi-core processors for network intrusion prevention requires an in-depth approach. In this work we frame an architecture customized for parallel execution of network attack analysis. At the lowest layer of the architecture is an "Active Network Interface" (ANI), a custom device based on an inexpensive FPGA platform. The ANI provides the inline interface to the network, reading in packets and forwarding them after they are approved. It also serves as the front-end for dispatching copies of the packets to a set of analysis threads. The analysis itself is structured as an event-based system, which allows us to find many opportunities for concurrent execution, since events introduce a natural, decoupled asynchrony into the flow of analysis while still maintaining good cache locality. Finally, by associating events with the packets that ultimately stimulated them, we can determine when all analysis for a given packet has completed, and thus that it is safe to forward the pending packet - providing none of the analysis elements previously signaled that the packet should instead be discarded.

  • the shunt an fpga based accelerator for network intrusion prevention
    Field Programmable Gate Arrays, 2007
    Co-Authors: Nicholas Weaver, Vern Paxson, Jose M Gonzalez
    Abstract:

    The sophistication and complexity of analysis performed by today's network intrusion prevention systems (IPSs) benefits greatly from implementation using general-purpose CPUs. Yet the performance of such CPUs increasingly lags behind that necessary to process today's high-rate traffic streams. A key observation, however, is that much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as "likely uninteresting." To this end, we have developed an in-line, FPGA-based IPS accelerator, the Shunt, using the NetFPGA2 platform. The Shunt functions as the forwarding device used by the IPS; it alone processes the bulk of the traffic, offloading the memory bus and leaving the CPU free to inspect the subset of the traffic deemed germane for security analysis. To do so, the Shunt maintains several large state tables indexed by packet header fields, including IP/TCP flags, source and destination IP addresses, and connection tuples. The tables yield decision values the element makes on a packet-by-packet basis: forward the packet, drop it, or divert it through the IPS. By manipulating table entries, the IPS can specify the traffic it wishes to examine, directly block malicious traffic, and "cut through" traffic streams once it has had an opportunity to "vet" them, all on a fine-grained basis. We base our design on a novel series of caches, with a "fail safe" miss policy, coupled to a host PC to handle both cache management and higher level IPS analysis. The design requires only 2 MB of SRAM for its extensive caches, and can support four Gbps Ethernets on a single Virtex 2 Pro 30.

  • rethinking hardware support for network analysis and intrusion prevention
    USENIX conference on Hot topics in security, 2006
    Co-Authors: Vern Paxson, John W Lockwood, Robin Sommer, Krste Asanovic, Sarang Dharmapurikar, Ruoming Pang, Nicholas Weaver
    Abstract:

    The performance pressures on implementing effective network security monitoring are growing fiercely due to rising traffic rates, the need to perform much more sophisticated forms of analysis, the requirement for inline processing, and the collapse of Moore's law for sequential processing. Given these growing pressures, we argue that it is time to fundamentally rethink the nature of using hardware to support network security analysis. Clearly, to do so we must leverage massively parallel computing elements, as only these can provide the necessary performance. The key, however, is to devise an abstraction of parallel processing that will allow us to expose the parallelism latent in semantically rich, stateful analysis algorithms; and that we can then further compile to hardware platforms with different capabilities.

Yingdar Lin - One of the best experts on this subject based on the ideXlab platform.

  • an extended sdn architecture for network function virtualization with a case study on intrusion prevention
    IEEE Network, 2015
    Co-Authors: Yingdar Lin, Poching Lin, Chihhung Yeh, Yaochun Wang, Yuancheng Lai
    Abstract:

    In conventional software-defined networking (SDN), a controller classifies the traffic redirected from a switch to determine the path to network function virtualization (NFV) modules. The redirection generates a large volume of control-plane traffic. We propose an extended SDN architecture to reduce the traffic overhead to the controller for providing NFV. The extension includes two-layer traffic classification in the data plane, extended OpenFlow protocol messages and service chaining mechanisms. Network events are analyzed in the data plane instead of the control plane. The efficiency is evaluated with a case study of intrusion prevention. The evaluation shows that only 0.12 percent of the input traffic is handled by the controller, while 77.23 percent is handled on the controller in conventional SDN.

  • extracting attack sessions from real traffic with intrusion prevention systems
    International Conference on Communications, 2009
    Co-Authors: Iwei Chen, Poching Lin, C C Luo, Tsunghuan Cheng, Yingdar Lin, Yuancheng Lai, F C Lin
    Abstract:

    False Positive (FP) and False Negative (FN) happen to every intrusion prevention System (IPS). No one could do better judgment than others all the time. This work proposes a system of Attack Session Extraction (ASE) to create a pool of suspicious traffic traces which cause potential FNs (abbreviated as P-FNs) and potential FPs (abbreviated as P-FPs) to IPSes. Developers of IPSes can use these suspicious traffic traces to improve the accuracy of their products. Traffic traces are called suspicious since what they cause are P-FNs and P-FPs, which need to be confirmed by the developers of IPSes as to whether P-FNs are FNs and P-FPs are FPs. First, the ASE captures real traffic and replays captured traffic traces to multiple IPSes. By comparing the logs of IPSes, we can find that some attack logs are logged or not logged only at a certain IPS. The former are P-FPs, while the latter are P-FNs to that IPS. The ASE then starts to extract this suspicious traffic from replayed traffic traces. The extracted traffic traces can then be used for further analysis by IPS developers. Some of the traces may prove to be guilty, i.e. confirmed to be FNs and FPs. To completely extract a suspicious session, the ASE uses an association mechanism based on anchor packets, five-tuple and time, and similarity for the first packet, first connection, and whole session, respectively. It calculates the degree of similarity among packets to extract a suspicious session containing multiple connections. We define variation and completeness/purity as the performance indexes to evaluate ASE. The experiments demonstrate that 95% of extracted sessions have low variation, and the average completeness/purity is around 80%.

  • resource allocation in network processors for network intrusion prevention systems
    Journal of Systems and Software, 2007
    Co-Authors: Yineng Lin, Yingdar Lin, Yaochung Chang, Yuanchen Lai
    Abstract:

    Networking applications with high memory access overhead gradually exploit network processors that feature multiple hardware multithreaded processor cores along with a versatile memory hierarchy. Given rich hardware resources, however, the performance depends on whether those resources are properly allocated. In this work, we develop an NIPS (Network intrusion prevention System) edge gateway over the Intel IXP2400 by characterizing/mapping the processing stages onto hardware components. The impact and strategy of resource allocation are also investigated through internal and external benchmarks. Important conclusions include: (1) the system throughput is influenced mostly by the total number of threads, namely IxJ, where I and J represent the numbers of processors and threads per processor, respectively, as long as the processors are not fully utilized, (2) given an application, algorithm and hardware specification, an appropriate (I, J) for packet inspection can be derived and (3) the effectiveness of multiple memory banks for tackling the SRAM bottleneck is affected considerably by the algorithms adopted.

Daniel Kavan - One of the best experts on this subject based on the ideXlab platform.

  • network based intrusion prevention system prototype with multi detection a position paper
    International Conference on Security and Cryptography, 2014
    Co-Authors: Daniel Kavan, Klara Skodova, Martin Klima
    Abstract:

    The ongoing need to protect key nodes of network infrastructure has been a pressing issue since the outburst of modern Internet threats. This paper presents ideas on building a novel network-based intrusion prevention system combining the advantages of different types of latest intrusion detection systems. Special attention is also given to means of traffic data acquisition as well as security policy decision and enforcement possibilities. With regard to recent trends in PaaS and SaaS, common deployment specific for private and public cloud platforms is considered.