21st Annual Computer Security Applications Conference (ACSAC'05)
pp. 59-71
Exploiting Independent State For Network Intrusion Detection
Robin Sommer, TU München
Vern Paxson, ICSI/LBNL
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.24
Abstract
Network intrusion detection systems (NIDSs) critically
rely on processing a great deal of state. Often much of this
state resides solely in the volatile processor memory accessible
to a single user-level process on a single machine. In
this work we highlight the power of independent state, i.e.,
internal fine-grained state that can be propagated from one
instance of a NIDS to others running either concurrently or
subsequently. Independent state provides us with a wealth
of possible applications that hold promise for enhancing the
capabilities of NIDSs. We discuss an implementation of independent
state for the Bro NIDS and examine how we can
then leverage independent state for distributed processing,
load parallelization, selective preservation of state across
restarts and crashes, dynamic reconfiguration, high-level
policy maintenance, and support for profiling and debugging.
We have experimented with each of these applications
in several large environments and are now working to integrate
them into the sites' operational monitoring. A performance
evaluation shows that our implementation is suitable
for use even in large-scale environments.
Citation:
Robin Sommer, Vern Paxson,
"Exploiting Independent State For Network Intrusion Detection,"
acsac,
pp. 59-71,
21st Annual Computer Security Applications Conference (ACSAC'05),
2005