This Article 
 Bibliographic References 
 Add to: 
An Active Splitter Architecture for Intrusion Detection and Prevention
January-March 2006 (vol. 3 no. 1)
pp. 31-44
State-of-the-art high-speed network intrusion detection and prevention systems are often designed using multiple intrusion detection sensors operating in parallel coupled with a suitable front-end load-balancing traffic splitter. In this paper, we argue that, rather than just passively providing generic load distribution, traffic splitters should implement more active operations on the traffic stream, with the goal of reducing the load on the sensors. We present an active splitter architecture and three methods for improving performance. The first is early filtering/forwarding, where a fraction of the packets is processed on the splitter instead of the sensors. The second is the use of locality buffering, where the splitter reorders packets in a way that improves memory access locality on the sensors. The third is the use of cumulative acknowledgments, a method that optimizes the coordination between the traffic splitter and the sensors. Our experiments suggest that early filtering reduces the number of packets to be processed by 32 percent, giving an 8 percent increase in sensor performance, locality buffers improve sensor performance by 10-18 percent, while cumulative acknowledgments improve performance by 50-90 percent. We have also developed a prototype active splitter on an IXP1200 network processor and show that the cost of the proposed approach is reasonable.

[1] K.G. Anagnostakis, S. Antonatos, M. Polychronakis, and E.P. Markatos, “$E^2xB$ : A Domain-Specific String Matching Algorithm for Intrusion Detection,” Proc. IFIP Int'l Information Security Conf. (SEC '03), May 2003.
[2] S. Antonatos, K.G. Anagnostakis, and E.P. Markatos, “Generating Realistic Workloads for Intrusion Detection Systems,” Proc. Fourth ACM SIGSOFT/SIGMETRICS Workshop Software and Performance (WOSP '04), Jan. 2004.
[3] S. Antonatos, K.G. Anagnostakis, M. Polychronakis, and E.P. Markatos, “Performance Analysis of Content Matching Intrusion Detection Systems,” Proc. Fourth IEEE/IPSJ Symp. Applications and the Internet (SAINT 2004), Jan. 2004.
[4] M. Bhattacharyya, M.G. Schultz, E. Eskin, S. Hershkop, and S.J. Stolfo, “MET: An Experimental System for Malicious Email Tracking,” Proc. New Security Paradigms Workshop (NSPW), pp. 1-12, Sept. 2002.
[5] Z. Cao, Z. Wang, and E.W. Zegura, “Performance of Hashing-Based Schemes for Internet Load Balancing,” Proc. IEEE Infocom, pp. 323-341, 2000.
[6] I. Charitakis, D. Pnevmatikatos, E.P. Markatos, and K.G. Anagnostakis, “Code Generation for Packet Header Intrusion Analysis on the IXP1200 Network Processor,” Proc. Seventh Int'l Workshop Software and Compilers for Embedded Systems (SCOPES '03), Sept. 2003.
[7] Cisco Catalyst 6500 Series IDS Module (IDSM-2)}, http:/, 2006.
[8] C. Clark, W. Lee, D. Schimmel, D. Contis, M. Kone, and A. Thomas, “A Hardware Platform for Network Intrusion Detection and Prevention,” Proc. Third Workshop Network Processors and Applications (NP3), Feb. 2004.
[9] C.J. Coit, S. Staniford, and J. McAlerney, “Towards Faster Pattern Matching for Intrusion Detection, or Exceeding the Speed of Snort,” Proc. Second DARPA Information Survivability Conf. and Exposition (DISCEX II), June 2002.
[10] Consystant Design Technologies, http:/, 2005.
[11] M. Fisk and G. Vargheseau, “An Analysis of Fast String Matching Applied to Content-Based Forwarding and Intrusion Detection,” Technical Report CS2001-0670 (updated version), Univ. of California at San Diego, 2002.
[12] G. Goldszmidt and G. Hunt, “Scaling Internet Services by Dynamic Allocation of Connections,” Proc. Sixth IFIP/IEEE Int'l Symp. Intergrated Network Management, pp. 171-184, May 1999.
[13] M. Handley, V. Paxson, and C. Kreibich, “Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics,” Proc. 10th USENIX Security Symp., 2001.
[14] Intel Corporation, “Intel IXP1200 Network Processor,” white paper, 2000, http:/
[15] Internet Security Systems Inc., http:/, 2006.
[16] T. Karagiannis, A. Broido, M. Faloutsos, and K. Claffy, “Transport Layer Identification of P2P Traffic,” Proc. Internet Measurement Conf. (IMC), Oct. 2004.
[17] C. Kruegel, F. Valeur, G. Vigna, and R. Kemmerer, “Stateful Intrusion Detection for High-Speed Networks,” Proc. IEEE Symp. Security and Privacy, pp. 285-294, May 2002.
[18] C. Kruegel and G. Vigna, “Anomaly Detection of Web-Based Attacks,” Proc. 10th ACM Conf. Computer and Comm. Security (CCS), pp. 251-261, Oct. 2003.
[19] W. Lee, S.J. Stolfo, P.K. Chan, E. Eskin, W. Fan, M. Miller, S. Hershkop, and J. Zhang, “Real-Time Data Mining Based Intrusion Detection,” Proc. DISCEX II, June 2001.
[20] S. Li, J. Torresen, and O. Soraasen, “Exploiting Reconfigurable Hardware for Network Security,” Proc. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM '03), Apr. 2003.
[21] R. Lippmann, J.W. Haines, D.J. Fried, J. Korba, and K. Das, “The 1999 DARPA Off-Line Intrusion Detection Evaluation,” Computer Networks, vol. 34, no. 4, pp. 579-595, Oct. 2000.
[22] E.P. Markatos, D.N. Pnevmatikatos, M.D. Flouris, and M.G.H. Katevenis, “Web-Conscious Storage Management for Web Proxies,” IEEE/ACM Trans. Networks, vol. 10, no. 6, pp. 735-748, 2002.
[23] M. Necker, D. Contis, and D. Schimmel, “TCP-Stream Reassembly and State Tracking in Hardware,” Proc. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM '02), Apr. 2002.
[24] NetScreen Technologies, http:/, 2005.
[25] Network Associates, Inc., http:/, 2005.
[26] NLANR, “MRA Traffic Archive,” Sept. 2002, http://pma.nlanr. net/PMA/SitesMRA.html.
[27] V. Paxson, “Bro: A System for Detecting Network Intruders in Real-Time,” Proc. Seventh USENIX Security Symp., Jan. 1998.
[28] Peapod, “Radware Linkproof,” , 2006.
[29] M. Roesch, “Snort: Lightweight Intrusion Detection for Networks,” Proc. Second USENIX Symp. Internet Technologies and Systems, Nov. 1999, http:/
[30] M. Schiffman, “The Million Packet March,” /, 2006.
[31] D.V. Schuehler, J. Moscola, and J.W. Lockwood, “Architecture for a Hardware-Based, TCP/IP Content-Processing System,” IEEE Micro, vol. 24, no. 1, pp. 62-69, 2004.
[32] Sourcefire, Snort 2.0 - Detection Revisited, Oct. 2002, .
[33] Intel Xeon Processor MP Specification Update, Oct. 2005, 29074135.pdf.
[34] TippingPoint Technolgies Inc., http:/, 2005.
[35] Top Layer Networks, http:/, 2006.
[36] TopLayer, “IDS Load Balancer,” http:/, 2006.
[37] T. Toth and C. Kruegel, “Accurate Buffer Overflow Detection via Abstract Payload Execution,” Proc. Fifth Symp. Recent Advances in Intrusion Detection (RAID), Oct. 2002.
[38] T. Toth and C. Kruegel, “Connection-History Based Anomaly Detection,” Proc. IEEE Workshop Information Assurance and Security, June 2002.
[39] K. Wang and S.J. Stolfo, “Anomalous Payload-Based Network Intrusion Detection,” Proc. Seventh Int'l Symp. Recent Advanced in Intrusion Detection (RAID), pp. 201-222, Sept. 2004.

Index Terms:
Network-level security and protection, network processors, intrusion detection and prevention.
Konstantinos Xinidis, Ioannis Charitakis, Spiros Antonatos, Kostas G. Anagnostakis, Evangelos P. Markatos, "An Active Splitter Architecture for Intrusion Detection and Prevention," IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 1, pp. 31-44, Jan.-March 2006, doi:10.1109/TDSC.2006.6
Usage of this product signifies your acceptance of the Terms of Use.