Experiments on An Network Processor-based Intrusion Detection


The KIPS Transactions:PartC, Vol. 11, No. 3, pp. 319-326, Jun. 2004
DOI: 10.3745/KIPSTC.2004.11.3.319

Abstract

To help network intrusion detection systems (NIDSs) keep up with the demands of today's networks, namely increasing network throughput and a growing number of attacks, a radical new approach to hardware and software system architecture is required. In this paper, we propose a Network Processor (NP) based in-line mode NIDS that supports packet payload inspection to detect malicious behavior, as well as packet filtering and traffic metering. In particular, we separate the filtering and metering functions from the deep packet inspection function using a two-level searching scheme, so that the complicated and time-consuming deep packet inspection does not hinder or stop the basic operations of the in-line mode system. We implemented a prototype NP-based NIDS on a PC platform with an x86 processor running Linux, two Gigabit Ethernet ports, and a 2.5 Gbps Agere PayloadPlus (APP) NP solution. The experimental results show that the proposed scheme can reliably filter and meter the full traffic of the two gigabit ports at the first level, while at the second level it can inspect packet payloads at up to 320 Mbps in real time, which is comparable to the performance of general-purpose-processor-based inspection. However, simulation results show that deep packet searching is also possible at up to 2 Gbps at wire speed when a 10 Gbps APP solution is adopted.



Cite this article
[IEEE Style]
H. J. Kim, I. K. Kim, D. C. Park, "Experiments on An Network Processor-based Intrusion Detection," The KIPS Transactions:PartC, vol. 11, no. 3, pp. 319-326, 2004. DOI: 10.3745/KIPSTC.2004.11.3.319.

[ACM Style]
Hyeong Ju Kim, Ik Kyun Kim, and Dae Chul Park. 2004. Experiments on An Network Processor-based Intrusion Detection. The KIPS Transactions:PartC, 11, 3, (2004), 319-326. DOI: 10.3745/KIPSTC.2004.11.3.319.