Literature Database Entry

limmer2010dialog-based


Tobias Limmer and Falko Dressler, "Dialog-based Payload Aggregation for Intrusion Detection," Proceedings of 17th ACM Conference on Computer and Communications Security (CCS 2010), Poster Session, Chicago, IL, October 2010, pp. 708-710.

Abstract

Network-based Intrusion Detection System (IDS) like Snort or Bro that have to analyze the packet payload for all the received data show severe performance problems if used in high-speed networks. Recent research results improve pattern matchers based on efficient algorithms or using specialized hardware. We approach the problem in a completely different way by considerably reducing the amount of data to be analyzed with only marginal impact on the detection quality. Dialog-based Payload Aggregation (DPA) uses TCP sequence numbers to decide which parts of the payload need to be analyzed by the IDS. Whenever a connection starts, or if the direction of the data transmission between peers changes, we forward the next N bytes of traffic to an attached IDS. All data transferred after the window is discarded. Our analysis using live network traffic and multiple Snort rulesets shows that most of the pattern matches occur at the beginning of connections or directly after direction changes in the data streams. According to our experimental results, our method reduces the data rate to be processed to around 1\% in a typical network while retaining more than 98\% of all detected events. Assuming a linear relationship between the data rate and processing time of an IDS, in the best case, this results in a speedup of two magnitudes.

Quick access

Original Version PDF (free download, provided by ACM Author-Izer)
Original Version DOI (at publishers web site)
Authors' Version PDF (PDF on this web site)
BibTeX BibTeX

Contact

Tobias Limmer
Falko Dressler

BibTeX reference

@inproceedings{limmer2010dialog-based,
    author = {Limmer, Tobias and Dressler, Falko},
    title = {{Dialog-based Payload Aggregation for Intrusion Detection}},
    booktitle = {17th ACM Conference on Computer and Communications Security (CCS 2010), Poster Session},
    pages = {708-710},
    year = {2010},
    month = {October},
    address = {Chicago, IL},
    publisher = {ACM},
    doi = {10.1145/1866307.1866405},
   }
   
   

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or permissions@acm.org.

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at www.springerlink.com.

This page was automatically generated using BibDB and bib2web.