technology through quality of service conﬁguration and parallel Improving network intrusion detection system performance Journal of Computer and System Sciences

(1)

Contents lists available atScienceDirect

Journal of Computer and System Sciences

www.elsevier.com/locate/jcss

Improving network intrusion detection system performance through quality of service conﬁguration and parallel

technology

Waleed Bul’ajoul

^a^,^∗

, Anne James

^a

, Mandeep Pannu

^b

aFacultyofEngineeringandComputing,CoventryUniversity,Coventry,UK

bDepartmentofComputerScience,KwantlenPolytechnicUniversity,Surrey,BritishColumbia,Canada

a r t i c l e i n f o a b s t r a c t

Articlehistory:

Received10March2014

Receivedinrevisedform 12September 2014

Accepted22September2014 Availableonline18December2014

Keywords:

Networksecurity Intrusiondetectionsystem Intrusionprotectionsystem Parallelprocessing Switchconﬁguration QualityofService

Thispaper outlinesan innovative software development thatutilises Quality of Service (QoS) and parallel technologies in Cisco Catalyst Switches to increase the analytical performance of a Network Intrusion Detection and Protection System (NIDPS) when deployedinhigh-speednetworks.Wehavedesignedarealnetworktopresentexperiments that use aSnort NIDPS. Ourexperiments demonstrate the weaknessesof NIDPSs, such as inability toprocess multiple packets and propensity to droppackets in heavytraﬃc andhigh-speednetworkswithoutanalysingthem.WetestedSnort’sanalysisperformance, gaugingthenumberofpacketssent,analysed,dropped,ﬁltered,injected,andoutstanding.

We suggestusing QoSconﬁguration technologiesinaCiscoCatalyst 3560Series Switch andparallelSnortstoimproveNIDPSperformanceandtoreducethenumberofdropped packets.Ourresultsshowthatournovelconﬁgurationimprovesperformance.

1. Introduction

Inordertoprovidenewdevelopmentsandhighest-qualityservices,companiesimplementthelatesttechnologiesintheir infrastructure.A company’s networkplays a vital role inits business projects.Keeping the computer networkup-to-date withthelatestsoftwareandsecuritytechniquesisessential forsuccessandprogress.Reliability andsafetyarethemajor concerns in enabling a company to achieve success andboost its progress. However, networkscan also be considered a majorriskinanybusinessproject.Securityissueshaveincreasedastechnologyhasadvanced[1].Fuchsberger[2]reported that, accordingto a survey conductedby the Federal Bureau ofInvestigation and Crime Sceneof Investigation (FBI/CSI), viruses are behind manyattacks on businessnetworks. Moreover, Denial ofService(DoS) attacks andunauthorised user access(whichcanbeinitiated fromexternalorinternalLANsources)havealsoincreaseddramatically.Itisalsonoticeable that nowadays thereare powerful intrusion toolsavailable, allowing hackers to attack networks evenif they knowlittle of thesoftware. Attackers can now use severaltools simultaneouslyto achieve an objective.The 9th Annual Worldwide Infrastructure Security Report and ATLAS 2013 data report [3] said the number of Distributed Denial ofService (DDoS) attackshasgrown signiﬁcantly, nearlydoublingon ayear-to-year basis between2006and2010. Thesize peakofattacks in 2013 increasedby over 200percent from the previous year,with the largest reported attack at 309 Gbps, and with multiple respondents reporting attacks larger than 100 Gbps, the previous largest reported attack size. Additionally, in

*

Correspondingauthorat:ECbuilding,CoventryUniversity,PrioryStreet,CoventryCV15FB,UK.

E-mailaddresses:[email protected](W. Bul’ajoul),[email protected](A. James),[email protected](M. Pannu).

http://dx.doi.org/10.1016/j.jcss.2014.12.012

(2)

Fig. 1.Largest DDoS attack reported by Arbor networks[2].

2013, ATLAS observed more than 8x the number of attacks over 20 Gbps as compared to 2012 (see Fig. 1). Therefore, security products, such as firewalls, vulnerability assessment tools, antivirusprograms, andNetwork Intrusion Detection and Prevention Systems (NIDPSs), are utilised to reduce the risk of attacks. However, even these measures are not 100 percent effective in protecting networks. One problem is that in heavy traffic, packets can be dropped prior to analysis [4–6].Itis becomingrecognisedthat advantagecould be takenofmulti-coreto overcometheproblemofnetworktraffic ratesupersedingtherateatwhichNIDPSscanprocessincomingdata[7].

Thispaper,whichbuildsonourpreviouswork[8],describesresearchwhichaimstosolvetheproblemofdroppedpack- etswhichcanbeaprevalentissueforNIDPSsusedinheavyandhigh-speedtraﬃcenvironments.OurresearchusesSnort IDS(IntrusionDetectionSystem),inNetworkIntrusionDetectionSystem(NIDS)mode.Snortiscurrentlythemostpopular NIDPSsoftware.SnortcanbeinstalledinanymachineandrunsondifferentoperatingsystemssuchasWindowsandLinux.

Snort, which wasintroduced asalightweight IDS, hasdevelopedsignificantly inthelast 10years.We conductedexperi- ments totestSnortNIDSanalysisperformance underheavy andhigh-speedtraffic.Wealsodemonstratedthat SnortNIDS performance can increasethe numberofanalysedpackets anddecreasethenumberofdropped packetsusing alternative technologiessuchasaQualityofService(QoS)configurationandparalleltechnology.

Theremainingpartofthispaperisorganised asfollows:Section2givesabackgroundaboutsecuritymechanisms,stages andintrusiondetectiontechnologies.Section3explainsourexperimentaldesignandimplementation.Section4presentsthe resultsoftheexperimentsandtheevaluation.Then Section5givesanoverviewrelatedwork.FinallySection 6concludes thepaperandsuggestsrecommendationsandfurtherwork.

2. Background

2.1. Securitymechanismsandapproaches

Securityisamajorconcernineveryaspectofourdailylife.Newmethodsandequipmentareconstantlybeingdevised toensureprotection.Computernetworkscontinuetofacemanythreats.Wecanconsiderthreestagestoachievingsecurity in computer system networks: prevention, detection and correction. Prevention stops attacks before they enter system.

Detection catches the attacks after they have entered and then Correction rectiﬁes problems, which could be detected attacks or mistakenly prevented non-attacks. Prevention is the ideal solution, as compared to detection andcorrection, butitisimpossibletoprevent100percentofattacks[9].Detectiontechniquesprovideresultsthatcanbeusedtoprevent furtherattacksandaidcorrection.Thusthethreestagescombinedofferaneffectiveapproachtoachievingsecurity.Common securitymechanismsareﬁrewalls,antivirusprogramsandintrusiondetectionandpreventionsystems.

2.1.1. Firewall

In ordertosecurea corporatenetworkorsub-network, network trafficisusually filteredaccordingto criteriasuchas origin, destination, protocolorservice, typically throughdedicated routerscalledfirewalls.Firewalls area commonsecu- ritydefence andnowadaysaretreatedasan integral partofevery network. Afirewallmaybe softwareorhardware;its functionalityis basedonfiltering mechanismsspecifiedby a setofrules,known asapolicy,whichcan protect asystem from flooding attacks. The fundamental function of a firewallis to sortpackets according to allow/deny rules, basedon header-filedinformation.Thedisadvantageoffirewallsisthatthey cannotfullyprotectaninternal networksincetheyare unable to stop internal attacks.Forexample,maliciousandunwanted web trafficcan go througha firewalltostrike and damageaprotectedcomputersystem.Afirewallisasetofrulessuchastoallowordenyprotocols,portsoranIPaddress.

Today’sDenialofService(DoS)attacksaretoocomplexforfirewallsbecausetheycannotdistinguishgoodtrafficfromDoS attack traffic [10]. Thefirewallprovides thebenefitof addedsecurityto strengthenanetwork whenused inconjunction withanIDS.

2.1.2. Antivirusprograms

Computer virusesareprograms whichcausecomputer failure anddamage computer data.Especiallyina networken- vironment, acomputer virus posesan immeasurable threatandcan be verydestructive. Antivirusprograms are software that canbe installedontoa computerinordertodetect,prevent andmakedecisionsregardingwhethertoquarantineor

(3)

Fig. 2.An example of network-based IDPS.

deletemaliciousprograms such asmalware,worms orviruses.Althoughantivirusprogramsmonitorthe integrityofdata filesagainst illegalmodifications,they areunabletoblockunwantednetworktrafficintendedtodamagethenetwork.An- tivirussoftwareisinstalledonlyatexplicitpointsoftheservers,suchastheinterfacebetweenthenetworksegmenttobe protectedandoutsideenvironments[5].

2.1.3. Intrusiondetectionandpreventionsystems(IDPSs)

IDPStechnologiesdetectandreacttounauthorisedaccesstonetworksystems,providingreal-timemonitoringofnetwork traffic.IDPSscanbesoftware- orhardware-based,orcanbeacombinationofboth.Hardware-basedIDPSsareeffectivefor large organisations and companies, butare very expensive. However, software-basedIDPSs runningon the samedevices orserverscanidentifyanddealwithattacksgeneratedfrominsideorfromoutsidethenetwork,andcanalsoprotectthe security policiesofthat network andtheir internal threats. Deployinga firewallwithan IDPS isa usefulwaytoprovide extrasecurityandthusstrengthenthenetwork[11].Intrusiondetectionisoneofthemosttestedandreliabletechnologies tomonitorincomingandoutgoingnetworktrafficandtoidentifyunauthorised usageandmishandlingofcomputersystem networks[12].In addition,intrusion detection can identifythe activityof maliciousattackers. It iscritical toimplement intrusiondetectionandpreventionincomputernetworksthathavehightrafficandhigh-speedconnectivity[13].

Adistinctionisoftenmadebetweenintrusiondetectionsystems(IDS) andintrusionpreventionsystems(IPS).Thisdis- tinction isthat theIDSdetects intrusionsandreportsthem,whereas theIPSdetects, reportsandpreventsthemthrough blocking.Therefore the IPScan be seen asan extension ofthe IDS. However nowadaysthe technologieshave converged andmostIDSsystemscoverpreventionaswellasdetection.Themodeofoperationbetweendetectionandpreventionmay beselected viaaconfigurationsetting.Furthermore,thedifferencebetweenafirewallandIPScan beindistinguishableto theuser astheseparate technologiesareoften combinedtoa single gatewaysentrysystem. The firewallchecksheaders onpacketsandblocksdepending onheaderinformationsuchasprotocoltype,sourceaddress,destinationaddress,source port, and/ordestination port accordingtonetworksecurity policy.TheIPSchecks bothheaders andpayload,blockingon recognisableknownfeatures accordingtonetworksecuritypolicy.Inourwork weuseSnortwhichcanact asan IPSand IDSandcanthereforebeconsideredtobeanIDPS.InthisresearchthemodeinwhichweranSnortwasNetworkDetection System(NIDS)mode.

IDPSsarestillunabletocontrolallthreatsandmaliciousactivities[8,10,14].Toovercomethedesignandimplementation diﬃculties,novelIDPSsolutionsarebeingsoughtinthecontextofmultiplecharacteristicsofadvancedcomputernetworks.

Thesecharacteristics include: realtime;highspeeds andhighloads; increasing difficultiesfor defenders;anddecreasing difficultiesforattackers.IDPSsneedtobeconfiguredproperlytoachievethedesiredoutput.

Manyvendorsarenowtryingtoproducesecurityappliancesthatcanprotectnetworksandwhichcombinetechnologies.

Forexample,theCiscoASA5500seriesisarangeofessentialCiscoproductsthataimstosecureanorganisation’snetwork fromendto end[14].Theproductcomes indifferentsizesandhasbeenapopularchoicefornetworkdesignersbecause of its highperformance. The Cisco ASA5500 Seriesintegrates multiple full-featured, high-performance securityservices, includingapplication-awareﬁrewall,SSL(Secure SocketsLayer)andIPsec(InternetProtocolSecurity) VPN (VirtualPrivate Network),IPSwithglobalcorrelationandguaranteedcoverage,antivirus,antispam,antiphishing,andwebﬁlteringservices.

2.2. Typesofintrusiondetectionandpreventionsystems

Some of the existing types ofIDPSs are: network-based (NIDPS); host-based (HIDPS); and graph-basedIDS (GrIDPS).

Hydridsystemsalsoexistwhichcombineoneormoretypesintoasinglesystem[13].

2.2.1. Network-basedIDPS

ANetworkIntrusionDetectionSystem(NIDPS)isacommontechniqueusedtoanalysetraﬃcatallOpenSystemsInter- connection(OPI)layersbydetectingthepresenceofnormaltraﬃcorsuspiciousactivities[16].

Tobeeffectivea NIDPSmustseethe entirenetworkandmustbeplaced atanappropriate pointinthe network.Ina hub-basednetworktheNIDPScanbeplacedatthehubandcanseealltraﬃcbutthisisnotpossibleinaswitchednetwork where there is no hub. In a switched network, port mirroring or spanning is used to enable a complete view but this causesoverhead.TheNIDPSitselfisaffectedbyDoSandDDoSattacks,similartothosemadeagainstIPgateways.Encrypted networktraﬃc(packets)cannotbedetectedbytheNIDPS(seeFig. 2).

2.2.2. Host-basedIDPS

AHostIntrusionDetectionSystem(HIDPS)isasoftwareagentthatcanbeinstalledinaparticularcomputerinorderto monitorandanalyseeventsonthatparticularhosttodetectanysuspiciousbehaviour[17].

(4)

Fig. 3.An example of host-based IDPS.

HIDPSsarecapableofintegratingcodeanalysis, monitoringsystemcalls,detecting bufferoverflows,privilegingmisuse, privileging abuse,filesystems,librarylists,applications,systemconfigurations,systemloganalyses,andmanyothers[11].

These things can be done by HIDPSsbecause they are designedto operate witha specific hostandwith respectto ap- plicationssuchaswebservers,databaseservers,fileservers,mailservers, andDNSservers.Theyareoftenintegratedinto server softwareandcanbe relativelyeasily implementedtocommunicate withothernetwork componentsandoperating systems.Theycaninspectencryptedtrafficbecausetheycananalyse packetsattheapplicationends.HoweverHIDPSshave some disadvantages.Theyconsumecomputersystemresourcesthatareneededforservicesandmayconflictwithexisting securitypolicies(suchasfirewalls)andoperatingsystems.ItisdifficultforHIDPSstoanalyseintrusionattemptsonmultiple computers. HIDPSscanbe verydifficulttomaintain inlargenetworkswithdifferentoperatingsystemsandconfigurations andcan bedisabled byattackersonce asystemiscompromised. TheHIDPS approachalsorequiresmanyhoststo reboot afteracompleteinstallationoranupdateandmanyessentialserverscannotsupportthisoperation(seeFig. 3).

2.2.3. Graph-basedIDPS

Graph-based IDPSs (GrIDPSs) are designed to protect computer networks from large-scale malicious attacks, which severely affectcomputer networks. Network traﬃc and computersare linked through GrIDPs. The advantages ofGrIDSs arethattheycangatherdataaboutcomputeractivityacrossanetworkandhelptorecognise comprehensiveautomatedor coordinated attacksinrealtime. Theyallownetwork systemstostate andimplementpoliciesspecifying whichusersare permittedtoutilisetheparticularservicesofanindividualhostorgroupofhosts.Assumptionsmadeinthiskindofsystem includetheexistenceofrelatednetworkswithinasingleorganisationthathasanindependentinfrastructureandsovereign departments. Itisdiﬃculttopicturehowthissystemwouldworktogain insightintotheworkingoftheGrIDSsystemin amodernandinnovativeenterpriseenvironmentwherethiskindofsituationdoesnotexist.Italsoassumesthatnosingle componentofthenetworkisactivelyhostile,andthereforetheIDPSmustbedesignedtooperateinnon-hostilesituations.

2.3. Networkintrusiondetectionandpreventionsystemmethodology

The functionalcomponents ofan integratedNIDPS are: eventsmanagement; adata source;an analysisengine; anda responsemanager[14,18].Eventsmanagementgathersinformationoneventstoandfromthemonitoredsystem(seeFig. 4).

The datasource istheeventgenerator, whichisclassiﬁedinto thefollowingfourcategories: application-based monitors;

host-basedmonitors;target-basedmonitors;andnetwork-basedmonitors.Thedatasourcestoresmultipleeventsrecorded byeventmanagement.Theanalysisenginecollectsdatafromthedatasourceinordertoanalyseanddeterminewhetherthe dataisfreeofpolicyviolationsorotherattacks.Thisenginecanutilise anomaly/statisticaldetection,misuse/signature-based detection, orboth.The analysisengineprocesseseventsandtransmits alerts.The responsemanager neutralizesanattack onceitisdetected.Theresponsemanagerrespondstoeventsandstopsintrusions.

Most existing NIDPSs utilise either misuse detection or non-regular detection. The technique of misuse detection is employed toﬁndknownintrusionsand/or apatternofsignatures.Duetoitsrelianceonsignatures,its detectionspeed is quitefastandhasalowfalsepositiverate.IDPSmethodologyisdividedintothefollowingfourcategories.

2.3.1. Misuse/signature-baseddetection

This type ofdetectionsystemuses knownsignatures ofmaliciouscodes, whichare storedinan IDPS database. Well- knownpatternsofattacksresultfromtheuseofmaliciouscodesandknownsoftwarevulnerabilities.Thiskindofdetection system is highly eﬃcient foruse in a small NIDPS. The major drawback ofsuch a system is that its database must be regularly updated,resultinginanever-increasingdatabasethatmustincludeasmanyavailablesignaturesaspossible[14, 18].

2.3.2. Anomaly/statisticaldetection

Anomaly/statisticaldetectionisa comparison-basedmethodwhich comparesanyactivitytotheprofileforall possible learnedactivitiesthroughstatisticaldata,factsandfigures.Therearetwotypesofprofile,fixedanddynamic.Afixedprofile

(5)

Fig. 4.General architecture for a NIDPS.

is themost efficientascompared to other schemes, becauseit terminatesthe occurrenceof anyunusualbehaviour and it classifiesthebehaviour asanomalous. Adynamic profile cannot becreated withoutan existing fixed profile;once the dynamic profilehas beencreated,itallows the attackertoobserveandalter his orher behaviourin long-termactivities [14,18].

2.3.3. Protocolanalysisdetection

ThisNIDPStechniquedependsonthebehaviouroftheprotocols.Itobservestheprotocolbehaviourandthencompares itto thosestoredinits protocolbehaviourdatabase. It detectsanomalies inthepacket ontheheadpartofthe protocol.

Thistechniqueisquiteeffective,butcanbeeasilyavoidedbyattackersworkinginsidetheprotocollimitations[18].

2.3.4. Hybridmethodologies

Thistype ofsystemcombines twoormore intrusion detectionsystemsmethodologiesinorder toanalyse,detect and matchanysuspicious behaviourandsignature malicious codethat attempttoattack network.The powerofcombination meansitcandetectmoretypesofintrusion,therebyprovidingrelativelybetterresultsascomparedtoothermethods.

3. Experimentdesignandimplementation 3.1. Networkdesign

Arealnetworkhasservedasamodelforthepurposeofanalysisanddataacquisition.Weusedseveraltools,including both software and hardware, to meet our objectives. Snort 2.9.4.6, which was issued in April 2013, was used as NIDS software;aWinPcaptooltocapturepacketsonWindows7and8operatingsystems;aNetScanProtooltomanageacertain type oftrafficinthenetwork;a PacketGenerator tooltogenerate/sendnetwork trafficofdifferentvaluesandspeedsper ms;a CiscoCatalyst3560SeriesSwitch [19],whichsupportsQoSconfiguration;anda computersystemconsistingoffour standardmachinesconnectedthroughVMwareVirtual.Fig. 5showsthenetworkdesignfortheexperiment.

3.2. Snortcomponentfunctions

Snortisan easytouseandpopularopen-sourceIDPS [6,20–22].Itisaccessiblefreeofcostandrankedamongthetop systemswiththebestfeaturesavailablenowadays.Itwasreleasedasan open-sourceNIDSbasedonrule-baseddetection, whichstoredinformationintextfilesthatcouldbemodifiedbyatexteditor.Rulesaregroupedintocategories,andtherules belongingtoeachcategoryarestoredasinformationinseparatefiles,whicharethenintegratedintothemainconfiguration file named “snort.conf”. The data iscaptured in termsof the described rules, which are read atthe initialization ofthe Snortandcomprisetheinternaldatastructure[6,22].ASnortsystemconsistsofthefollowingmajorcomponents:apacket decoder;pre-processors;adetectionengine;aloggingandalertingsystem;andoutputmodules.

ThebasicstructureisrepresentedinFig. 6.Whenapacketarrivesatthenetwork,Snortlistensandcapturespackets.In thebeginning,thepacketdecoder receivespackets frommultiplenetworkinterfacessuch asPoint-to-Point Protocol(PPP) orEthernetandSerial-Line-Internet-Protocol(SLIP), thenpre-processessuchpackets readyforthedetectionengine[6,21].

The detection engine performs three maintasks: sniffing,analysis anddetection. It can perform network traffic analysis andcontentsearching/matchinginbothreal-timeandforforensicpost-processing[21,22].Snortcanbeconfiguredinthree

(6)

Fig. 5.Experiment network design.

Fig. 6.Snort architecture[25].

main modes:sniffer, packetlogger, andnetworkintrusion detection. Innetworkintrusion detectionmode,Snortanalyses thenetwork traﬃcagainstasetofdeﬁnedrulesinordertodetectintrusionthreats. Inourexperiments,we focusonthe Snortcapabilityasanetwork intrusiondetectionsystemaswe aimtoseehowmanypacketscould beanalysedby Snort undervaryingconditions.Ithasbeenshownpreviouslythatinhighspeedandheavy loadconditions,packetsaredropped

(7)

[4–6]. InourexperimentsSnortanalyser isnot setup toperformactions basedon userdeﬁnedrules.Itsimply analyses andidentiﬁesthepackets.

The detection engine is time-critical and the mostimportant part of the Snort. It utilises different processing times basedonthelength ofthepacket,thespecificationsofthesystem,andthenumberofrulesdefinedinthesystem.Snort sometimesdropspacketswhenitrunsinrealtimeNIDSmode,particularlywhentrafficisheavyandhigh-volume[6].Snort rulesareemployedtodetectintrusiveactionstobepresentedinthedatapacket.Inthedetectionmode,Snortiscapableof readingchains(internaldatastructures),whichhavetobematchedagainstallpackets.Ifapacketdoesnotmatchanyrule, itwillbeblocked;otherwiseappropriate actionistaken[6].Loggingandalertsdependonthenatureofwhatisdetected insidethepackets.Ifanysuspiciousactivityisfoundinsideapacket,thepacketusuallylogs themaliciousactivityand/or generatesanalert.Logsareusuallystoredinsimpletext-basedfilessuchastcpdumpstyle.Outputmodules(plug-ins)are capableofperformingmultipleoperationsdependingontheresultsgeneratedbytheloggingandalertingsystemofSnort.

Ingeneral,outputmodulescontroltheformofoutcomeproducedbytheloggingandalertingsystem.

3.3. CiscoCatalyst3560Seriesswitches

Thiscategory belongsto layer 2and3 switches.It provides supportfor IP-basedsoftware,for exampleRate limiting, Access ControlLists(ACLs),QoS. IPv6,andadvanced routing protocols.Policy andclassenterprise features are supported byIP servicesoftware.Despiteapacket’ssizeandcontent,thisswitch providesthebesteffort servicesforeachpacket of networktraﬃc.Thepacketsaresentwithnosuretyofdelaybounds,reliability,orthroughput[19].

3.4. Qualityofservice(QoS)technique

AQoStechnique permitsthecontrol oftrafficover anetwork andguarantees thethroughputoftraffic applicationsin termsoftimescale.QoSconcernstheperformanceofthenetworktrafficoverseveraltechnologies,includingAsynchronous TransferMode(ATM),802.1networks,IP-routednetworks,Framerelay,andSynchronousOpticalNetwork(SONET)asseen fromtheuser’sperspective.Furthermore,QoScan usecongestionavoidance andmanagement techniquesalongwithcon- figuration of network traffic, andprioritizes traffic based on its importance [23]. QoSfeatures can be classifiedinto the followingfunctions:classificationandmarking;policing;congestionmanagement;andcongestionavoidance.Thefeaturesof QoSprovide betterandmore reliablenetwork servicesthrough thefollowing features:support fordedicatedbandwidth;

improvedlosscharacteristics;managementandavoidanceofnetworkcongestion;shapingnetworktraﬃc;andsettingtraﬃc prioritiesacrossthenetwork.

3.5. Performancemetrics

PerformancemetricsareusedintheexperimentstomeasuretheabilityoftheNIDStoperformaparticulartaskandto ﬁtwithintheperformance constraints.ThesemetricsmeasureandevaluatetheparametersthatimpactNIDSperformance.

Thefollowingaspectsweremeasuredintheexperiments.

3.5.1. Packetgeneration

TheperformanceofTCP,UDP,andICMPprotocolswasmeasuredwhenrunningovertheIPv4header.TheWinPcapand PacketsGeneratortoolwereusedtovarythetypeoftraﬃcintermsofIPheaderprotocol(TCP,UDPandICMP),speed,the numberofpacketsandpacketsize.

3.5.2. Timingstatistics

TheSnortprocessortimeincludestotalsecondsandpacketsaswellaspacketprocessingrates.

3.5.3. PacketsI/Ototals

ThesearethepercentagesofthetotalpacketsprocessedbySnort.ThespeciﬁcmetricsusedareshowninTable 1.

3.5.4. Protocolstatistics

AlltraﬃcforallprotocolsdecodedbySnortaresummarizedintheSnortbreakdownsectionwhichincludescategories suchasEth(Ethernetinterfaces);VLAN;IP4;Frag(Fragmentedpackages);ICMP;UDP;TCPandothers.

3.5.5. Snort-NIDSthroughput

This metric defines the level of traffic up to which the NIDS performs without dropping anypackets. Thismetric is affectedbytheuseofQoSconfigurationandparalleltechnology.

4. Experimentresultsandevaluation Thepurposesoftheexperimentsare:

(8)

Table 1

Snortperformancemetrics.

Performance metrics Description

Packets received ThenumberofpacketsreceivedbySnort.

Packets analysed Thenumberandpercentageofpacketsanalysed fromthetotalpacketsreceived.

Packets dropped Thenumberandpercentageofpacketsdropped fromthetotalpacketsreceived.

Packets ﬁltered Thenumberandpercentageofpacketsﬁlteredout andnothandedtoSnortforanalysis

Packets outstanding Thenumberandpercentageofthepacketsbuffered waitingprocessing/ornotprocessed.

Packets injected Thenumberofinjectedpacketswhicharetheresult ofactiveresponse,whichcanbeconﬁguredfor inlineorpassivemodes.

Fig. 7.Snort reaction to IP header at 8 ms transmission time intervals.

1) to show Snort-NIDS performance under (a) high speed traffic (Experiment 1), (b) heavy traffic (Experiment 2) and (c) largedatatraffic(Experiment3).

2) toshowhowQoSconﬁguration,whichoffersqueuetechnologyimprovesperformanceofSnortNIDS(Experiment4).

3) toshowhowparalleltechnologyandQoSimproveperformanceofSnortNIDS(Experiment5).

4.1. Experiment1.Snort-NIDSreactionstohigh-speednetworktraﬃc

We used NetScanPro toolsto manage IP traﬃc inthe networkandthe packet generatortool to send anumber ofIP packets in differentspeedsper ms. We sent 13,000 packets (eachpacket carries 1 KB) atdifferenttime intervals(8 ms, 4 ms,1 ms).Table 2andFigs. 7,8 and9showtheSnortoutputandresultsofourexperiments.

AsdemonstratedintheresultsshowninFigs. 7,8,and 9,allthepacketsthatweresentreachedthewire.Snortanalysed 99.992percentofthepacketsinincomingtraﬃcwhenpacketsweretransmittedin8 msintervals(seeFig. 7),butwhenthe speedoftransmissionwasincreasedto4 ms,Snortstarteddroppingpackets,analysingonly62percentanddroppingmore than22percentofthetotalpacketsreceived(seeFig. 8).Whenthespeedoftransmissionwas increasedto1 msintervals,

(9)

Table 2

Samenumberofpacketsbutdifferentspeeds.

Packets sent (13,000) 8 ms interval 4 ms interval 1 ms interval

Packets received 100% 100% 100%

Packets analysed 99.992% 62.165% 16.070%

Packets dropped 0.00% 27.449% 45.631%

Packets ﬁltered 0.00% 0.00% 0.00%

Packets outstanding 0.008% 37.835% 83.930%

Packets injected 0.00% 0.00% 0.00%

Fig. 10.Snort reaction to heavy traﬃc (100 KB packets).

Snortdroppedmorethan46percentofpackets(seeFig. 9).OurexperimentdemonstratedthatSnortanalysisperformance wasdecreasedasthespeedoftransmissionincreased.

4.2. Experiment2.Snort-NIDSreactionstoheavy-traﬃcnetworks

Here,thetransmissionrateofpacketswaskept tothesamespeed(1 msintervals)toobtainafairanalysisofdifferent numbersofpackets(eachpacketcarried1 KB).Wesent 100,500and1000packets batchesat1 ms intervals.Figs. 10,11 and12showtheSnortresults(seeTable 3).

AsdemonstratedbytheresultsshowninFigs. 10,11,and 12,allthepacketsthatweresentreachedthewire.InFig. 10, whenwesent100packets,Snortanalysed100%ofthetotalpacketsthatitreceived.Asthenumberofpacketsincreasedto 500and1000, Snortstarteddroppingpackets(seeFigs. 11 and12).Ourexperimentshowsthatasthenumberofpackets increases,morepacketsaredropped.

4.3. Experiment3.Snort-NIDSreactionstolargepackets

Forthisexperiment, thenumberofpackets waskepttothesamevalue (13,000)andthesamespeed (1 ms)toobtain afairanalysisofdifferentsizes(lengths)ofpackets.Weincreasedthesizeofeachpacketsentstartedfrom1byte,to400 bytes,andto800bytes.Figs. 13,14 and15showtheSnortresults.

(10)

Table 3

Samespeedlimitanddifferentnumbersofpackets.

Numberofpackets

(Transmission interval1 ms)

100 500 1000

Packets analysed 100% 50.000% 30.482%

Packets dropped 0.00% 33.333% 41.009%

Fig. 13.Snort reaction to packet sizes (1 byte).

(11)

Fig. 14.Snort reaction to packet sizes (400 bytes).

Fig. 15.Snort reaction to packet sizes (800 bytes).

Table 4

Samespeedandvaluebutdifferentpacketsize.

PacketNumber

(speed 13,000 per 1 ms)

1 byte 400 bytes 800 bytes

Packets analysed 100% 43.995% 24.437%

Packets dropped 0.00% 35.899% 43.040%

As shownin Figs. 13,14 and 15, when we sent 13,000 packets at1 ms intervals (eachpacket carries 1 byte), Snort analysed100percentofthetotalpacketsreceived(seeFig. 13).Asthesizeofthepacketswasincreasedto400bytesSnort dropped morethan 35percentofthem (see Fig. 14),andwhen thepacketsize was increasedto800bytes (eachpacket carries800bytes),Snortaccordinglydroppedmore(see Fig. 15). Ourexperimentdemonstratedthat morepacketswillbe droppedaspacketsizeincreases(seeTable 4).

4.4. Experiment4.Snort-NIDSusingQoSconﬁgurationtechnologyinhigh-speedtraﬃc

Criticalanalysesweredoneforexperiments1,2and3(seeFigs. 16,17 and18respectively).ThefiguresshowthatSnort performanceanalysisthroughputisaffectedbyhigh-speedandheavytraffic,andmorepacketsaredroppedasthenumber andsizeofpacketsandthespeedoftrafficincreases.Snorthasalimitedtimetoprocessandanalyseanytrafficsuccessfully andifanetwork’strafficspeedlimitishigherthanSnort’slimit,Snortwilldroppackets.

Tosolvethisproblem,weusedaCiscoCatalyst3560Seriesswitch,whichsupportsQoSconfiguration,toloadthetraffic intoanumberofinterfacesequallyanddividetrafficintostreamsinordertoanalyseeachportionoftrafficindividuallyto determinewhetheritwasfree ofmaliciouscodes.WeconfiguredSnortandQoStoreorderandcontroltraffic speedsuch thatitissimilartoprocessortimeandloadtrafficspeed.

Inthe IEEE802.1network protocol, theClassofService(CoS) parameterwhich residesatlayer2, enablesdifferentia- tionofthe packet.Thisvalue canthen beused toprovidedifferentiated servicesfordifferenttypesofpacket.Other QoS

(12)

Fig. 16.Snort reactions to IP headers with increasing traﬃc speeds.

Fig. 17.Snort reactions to IP headers with increasing traﬃc values.

Fig. 18.Snort reactions to IP headers with increasing packet sizes.

mechanisms operateatlayer3,forinstanceDiffServ(Differentiated Services)whichallow differenttypesofservicetobe offered dependingonacode.Forinstancetherecould beapolicytogiveacertaintype ofpackagepriority.Toimplement QoSbasedontheDiffServarchitecture,whichspecifiesthateachpacketbeclassifieduponentryintothenetworkandad- justedfordifferenttrafficspeeds,wechanged/classifiedtheswitchframetothedefaultworkingfromlayer2tolayer3by mappingthetrafficvaluesfromCoStoDifferentiatedServicesCodePoint(DSCP)values.Fig. 19illustratestherelativelayers atwhichCoSandDSCPoperate.TheCoSvaluesarefrom0–7andtheDSCPvaluesarefrom0–63. Todistinguishbetween packet classes,a classmap andpolicy map functionswere used toclassify traffic insidethe switch [23]. Classificationis theprocessofdistinguishingonekindoftrafficfromanotherbyexaminingfieldsinthepacket.Classificationoccursonthe physical interfaceoron aper-port,per-VLANbasis. Policinginvolvescreatingapolicy that specifiesthe bandwidthlimits forthetrafficandappliesittotheinterface.Policingcanbeappliedtoapacketperdirectionandcanoccurontheingress andegressinterfaces.

One ofthe mechanismsthatQoSoffersisqueuetechnology,whichcangive aswitch anewlogicalthroughput-traffic- forwarding plan [23,24]. QoS offers two input queues (ingress queues) and four output queues (egress queues) at the physicaloutputinterfaces(portsandVLANs)[23,24].AsshowninFig. 20,weconfiguredtheswitchtotwoinputqueuesand fouroutputqueues,andeachinputqueuehasapolicy(policymap)andmarking(classmap).Weconfiguredthebandwidth, thresholdandpriorityforeachinputandoutputqueuetotreattraffic intheinputandoutputqueues.Wealsoconfigured thespeedlimitforeachingressqueueandegressqueueusingoneoftwofunctionsinsidetheswitchcalledShapedorShare RoundRobin(SRR)[23,24].TheShapedfunctionisonlyavailableonegressqueues,andaqueuereservesonlyaportionofa port’sbandwidth.SRRisavailableonbothingressandegressqueues.Itguaranteesaqueueaportionofaport’sbandwidth, but doesnot limit the queueto that guaranteed amount.The main idea hereis to allocatea specific traffic weight and speedlimitforeachqueue,whichallowsanumberofpacketstobesentatspecifictimeintervals,therebyreducingtraffic congestionevenifthetrafficishigh-speedandheavy.

We sent 13000 packets (eachpacket carries 1 KB) at1 ms intervalsto the network. As the resultsshown inFig. 21 demonstrate,Snortanalysed100percentofthetraﬃcthatreachedthewirewith0percentdropped.Experiment1showed

(13)

Fig. 19.Layer for CoS and DSCP values.

Fig. 20.Snort with QoS architecture.

that 45% of packets were dropped (see Fig. 9) when thisQoS conﬁguration was not used. The results show that Snort performanceanalysesaresigniﬁcantlyimprovedwhenusingQoStechnology.

4.5. Experiment5.ParallelSnort-NIDSwithQoStechnologyinhigh-speednetworktraﬃc

Inexperiment1,Snortdroppedmorethan45percent(seeFig. 9).WhenweusedSnortwithQoSinexperiment4,Snort dropped 0percent (see Fig. 21). However,the difference betweenexperiments1 and4isSnort’s processortimes,which were33 sand101 srespectively(seeFig. 22).

As a solutionto reduce Snort’sprocessor time, we suggest usingparallel NIDS technology withQoSto increase NIDS performance analysisand decrease processor time. As we show in Fig. 23, we configured and treatedtraffic using QoS configuration,whichproducedfouroutputqueues.Theneachqueuewasscannedusinganaccesslistfunction(ACL)which filters traffic according to classification and enabled different packages to be sent to specific Snorts. Each package was directedtoaparallelSnort.UsinganACLandQoSconfiguration,youcananalyseandclassifyseparatetypesoftraffic and sendthesetoseparatequeues.Inthisexperimentweincreasedthenumberofpacketssentto40,000.Eachpacketwas1 KB insizeandtheintervalbetweeneachtransmissionwas1 ms.

As theresults showninFigs. 24 and25 demonstrate, whenwe testedSnortas normalwithoutanytraﬃc treatment, wesentnearly40,000packets in1 ms,Snortanalysed16percentofthetotalpacketsreceivedin55 s,butwhenweused a single SnortNIDS withaQoSconﬁguration andsent thesamepackets Snortanalysed all thepackets that reachedthe

(14)

Fig. 21.Snort with QoS reactions to an IP header in high-speed and heavy traﬃc networks.

Fig. 22.Snort processor time (13,000 1 KB packets, at 1 ms intervals).

Fig. 23.Architecture for parallel Snort-NIDS using QoS and ACLs.

(15)

Fig. 24.Snort without QoS.

Fig. 25.Snort with QoS.

Fig. 26.Paralell Snort with QoS.

wirein302 s withoutdropping any.Using parallelNIDS technology(inthree queues),Snortanalysed 100percentofthe packetsinlesstime(103 s),showinganimprovementofaround60%orroughly3timesspeedup.Ourexperimentsprove thatSnortperformanceanalysisimprovessigniﬁcantlyusingQoSandparallelNIDstechnology.Ithasprocessedmorethan 40,000 KBin103 s with0percentdropped (see Figs. 26, 27). Obviously speedup dependsonthe numberofprocessors usedandfargreaterspeedupispossible.

4.6. Summaryofexperiments

Experiments1 to 3 have shownthat Snort drops packets in heavy andhigh speed traﬃc. In experiment4 we show how QoS conﬁgurationwithin theCisco Catalyst 3560 Seriesswitch can enhance performance such that packets are no

(16)

Fig. 27.Snort processor time for 40,000 KB sending in 1 ms.

Fig. 28.Snort used with different processors.

longerdropped.HoweverSnorttakeslongertorun.Experiment5showshowparalleltechnologycanbeusedtospeedup processing.

IntheSnortoutputsassociatedwithourexperiments(Figs. 7,8,9,10,11,12,14,15,21,24,25 and 26)weseethatthe numberofpacketsdroppedisthesameasthenumberofoutstandingpackets.Thisisbecauseinourcontextbothofthese metrics refertothenumberofpacketsnotseenby Snort.Howeverwe noticethereisadiscrepancyinthecorresponding percentages output, a resultof the internal Snort processing. We have taken the lower percentage associated with the dropped packets in our analysis. Had we takenthe higher percentage associated withoutstanding packets, the gains in performanceandspeedupthroughusingourmethodwouldhavebeenevengreater.

ItisimportanttonotethatwhenyoutestSnortwithaQoSconfigurationunderdifferentprocessors,theQoSconfigura- tionwillbedifferentdepending onwhichtypeofprocessorisrunningSnort,specificallyitsspeed(seeFig. 28).Wetested Snortatthesamespeedandforthesamevalues,butwithdifferentprocessors:theIntelPentium^® DCPU2.2 GHz(Intel P4),theIntel^® corei52.27 GHz(Corei5)andtheIntel^® corei72.40 GHz(Corei7).Snortperformanceanalysiswasaffected.

ItperformedbetterwiththeIntel^® corei7processorthantheothers.

5. Relatedwork

DuetothefactthatnumerouscomputersystemsareunabletodetectorpreventthreatssuchasDoS/DDoSattacks,the impacts ofthesekindsofattacksareimmeasurableandirremediable[8].Suchattackersamend,stealanddestroyvaluable information,andatworstdamageavictim’scomputersystem.Theirmainpurposeistostoporslowdowntheperformance of legitimateusers’ computer network systemsby exploiting vulnerabilitiessuch as mis-conﬁgurationandsoftware bugs generated frominternal andexternal networks. Despitethe existence ofa variety ofsecurity protections, attackersoften attemptto renderservicesmerelyunavailableto intendedlegitimateusers[25].Here,it isinsuﬃcienttodepend onlyon preventiontechniques,especiallywhenanattackerhassuccessfullyobtainedvulnerableinformationfromthenetwork.

Some researchers[5,10,13,26]haveinvestigatedspeciﬁctechnologiesandmethodologiestodetectnetwork attacksthat occur inrealtime,usingopen sourceIDSs,likeSnort,workinginhigh-speed,heavy-traﬃcnetworks, whileothers[27,28]

haveused comparisonsbetweenIDStoolsto achievethe bestthroughputresultswithdifferentIDSs.Ourworkaddresses performanceinadifferentway.ItexplorestheuseofparalleltechnologywithnetworkswitchconﬁgurationtoimproveQoS andhenceNIDSperformance.

Salah and Qahtan [29] implemented a hybrid scheme in Linux OS to prove that a hybrid scheme can improve the performance ofgeneral-purpose network desktopsor servers runningnetwork I/O-bandapplications whensuch network hosts were exposed to both light and heavy traffic load conditions.The standard on subscribed configurations of Linux networking subsystems, asrevealedby Salah andQahtan,failed tomeet Snort’sperformance level.In orderto achievea highthroughput ofanalysedtraffic withSnort, theytuned thebudget parameterofthe LinuxNetworksubsystem,which controlstheutilisation timeofthecentralprocessingunitcycle.Ourworkissimilartothisinthatitexploresconfiguration inageneralpurposeenvironmentbutitisdifferentinthatitexploresconfigurationatamulti-layerswitchlevel.Thusitis network-basedratherthanthehost-based.

Shiri,ShanmugamandIdris[5]proposedaparalleltechniqueforimprovingtheperformanceofasignature-basedNIDS.

TheirideawastosenddifferenttypesofpacketstodifferentparallelSnortsforanalysisandtheyobtaineda40%improve-

(17)

mentinprocessingtime.Schuff,ChoeandPai[30]proposedamulti-threadSnortcalledMultiSnortwhichexecutesmultiple instancesoftheoriginalSnortinparallel.Ourresearchissimilartotheseinthatwealsosenddifferenttypesofpacketto parallel Snorts.However, whileourwork confirms thefindings ofprevious research, themain differenceis that wehave provideddetailonhowtoachieve theimprovementthroughQoSandparallelisationusingindustry standardsoftwaresys- tems.Anotherdifferenceisthatwehaveconcentratedonanalysisandalsoprovidedfurtherexperimentswithgreaterdetail of influentialparameters. Chen etal. [31] presented Para-Snort which revisedthe structure of the original Snortdecou- pling thedecoding partso that thisactivityis carriedout centrally beforethe parallel queuesare formed.The approach alsousedcentralloadbalancingtodistributepacketstoparallelSnortprocessingunits.OurworkdiffersfromChenetal.’s workinthat weparallelise thewholeofSnort,formingtheparallel queuesintheswitchbeforesending packetstoSnort pre-processinganddecoding.Theproblemwithcentraldecoding, pre-processingandloadbalancingmodules isthat they could becomeadditional bottlenecks inthe system. Chenetal.alsoresearched howto reduce theloadbalancing bottle neckissue.

Vasiliadis, Polychronakis, andIoannidis [32] proposed a new model fora multi-parallel IDS architecture (MIDeA) for high-performance processingandstateful analysisofnetwork traffic. Theirsolutionoffers parallelism ata subcomponent level,withNICs, CPUsandGPUs doing specialisedtasks to improvescalabilityandrunning time.They showedthat pro- cessingspeedscanreachupto5.2 Gbpswithzeropacketlossinamulti-processorsystem.Theirsolutionoffersparallelism atasubcomponentlevel,withNICs,CPUsandGPUsdoing specialisedtasks.Jiangetal.[7]proposed aparallel designfor NIDS ona TILERAGX36 many-coreprocessor. Theyexplored data andpipelineparallelism andoptimizedthe architecture byexploitingexistingfeaturesofTILERAGX36tobreakthebottlenecksintheparalleldesign.Theyachievedthroughputof 11 Gbps.Jamshedetal.presentedKargus[33],asystemwhichexploitshighprocessingparallelismbybalancingthepattern matchingworkloadswithmulti-coreCPUsandheterogeneousGPUs.Kargusadaptsitsresourceusagedependingonthein- putrate,tosavepower.TheresearchshowsthatKargushandlesupto33 Gbpsofnormaltrafficandachieves9to10 Gbps evenwhenallpacketscontainattack signatures.Thevariousapproachesdescribedinthisparagrapharenotdirectlycom- parableintermsofthroughputasdifferentnumbersofprocessorsanddataisusedineach.Howevertheexperimentsshow whatcanbegainedbyparallelisingNIDPSs inordertocombatproblemsofhigherspeedsandincreasing traffic.Ourwork differsfromtheworkdescribed inthisparagraphinthearchitecture used.WehaveshownhowQoStechnologyandpar- allelismcanhaveimpactinhighspeedandheavytraffic networkusingan industrystandardswitchandstandarddesktop processors. Webelieve, oursolutionis amoreaccessible wayofreceivinggood resultsasitcan be activatedatahigher level,namelyatthelevelofconfiguringtheCISCOswitchsoftwareandreplicatingSnortonstandardmachines.Furtherim- provementscouldbemadeifhigherperformance equipmentwasused.Howeverwebelievethatthereisroom forvarious approachesandmoreexplorationofsuitabilityofvariousmethodsinvaryingcircumstances.Inthiswayuserscanapplythe solutionthatismostsuitableforthem.

Inthecontextofbigdataanddistributedsystems,Zhaoetal.[34] havedevelopedasecurityframeworkinG-Hadoop.

Thisworkfocusesonauthenticationandaccessratherthanintrusiondetectionbutoffersaninterestingnewdirection.The frameworkcouldbeenhancedwithintrusiondetectionandprotectionfunctionalitytocreateamorecompletesolution.Our workhasfocused onstandardbusinessinfrastructureandother workhasconcentratedonsingleclusterhigh-performance infrastructure.Cross-clustersecurityservicesinahighperformanceenvironment suchasthat affordedby G-Hadoopisan areawhereattentioniswelcome.Interestingworkisbeingcarriedoutintheclassificationofinternettrafficwhichcanbe usedtosupportattackdetection.Inordertocounteractlimitationsofcurrentinternettrafficclassificationtechniques,which are basedonlyon headerandpayload inspection,Wang etal.[35] havedevelopeda systemwhichcan classify trafficin termsoftheirintended applicationbyconsideringpacket andflowcharacteristics.Amachine learningapproachhasbeen usedtodeveloptheclassifier.Extracomplexityintroducedbymoredemandingrules,albeitwiththepurposeofproducing betterdetectionperformance,supportsourcontentionforparallelNIDSinhigh-speedandheavytrafficenvironments.

Vendor companies are aiming to develop security solutions to protect the enterprise network. Equipment has been designedtomeetconnectivityspeedandloadstandards.TheimprovementsinthethroughputofNIDSwehaveshownare achievedbypairing theASACiscoequipmentwithSnort[15,19,20].Theprinciplesofourworkcould beapplied toother equipmentcombinationswheresimilarfacilitiesareoffered.

6. Conclusion,recommendationsandfurtherresearch 6.1. Conclusion

Formany years attacksmade onnetworks haverisen dramatically. The major reasonfor thisis the unlimitedaccess to anduseofsoftware (written anduploaded towebsites by technicalexperts)by inadequately trainedpeople. Network disruptionsmaybecausedintentionally byseveraltypesofdirectedattack.Theseattacksaremadeatvariouslayersinthe TCP/IP protocolsuite,including theapplicationlayer. Besides the externalbody,attacks can be madeon thenetwork by theinternalbodyaswell.However,anIDPSisconsideredtobeoneofthebesttechnologiestodetectthreatsandattacks.

NIDPSs have attracted the interest of manyorganisations and governments, andany Internet user can deploy them. An NIDPSusuallyfeaturesfourstagestosecureacomputersystemnetwork:scanning,analysing,detecting,andcorrecting.Our paperfocused onNIDPS weakness in scanningand analysingin high-speednetwork connectivity. We suggest usingQoS

(18)

conﬁgurationtoimproveNIDPSanalysisperformanceandaparalleltechnologytoreduceNIDPSprocessingtime.Asaresult ofourapproach,systemscanbeconﬁguredsuchthatattackscanbethwartedmoreeasily.

6.2. Recommendation

There is much yet to be learned about QoS technology. Some features of QoS may boost NIDPS performance, such as congestionmanagement and congestionavoidance. Congestionmanagement isbalanced queuing, whichevaluates the internal DSCPand determines which ofthe four egress queues in which to place thepackets. There are manyitems to configure when it comes to queuing: defining the priority queue, defining a queue set, guaranteeing buffer availability, limiting memory allocation, specifying buffer allocation, setting drop thresholds, mapping CoS to DSCP value to queue, configuring SRR, andlimiting bandwidth onan outbound queue. A lotof things incongestion avoidance mayhelp with NIDS performance,such assettingoutputqueuing, configuringWeightedTailDrop (WTD)parameterstoafour-queueset, WTD thresholds for a queue, guaranteed buffer availability for a queue’s maximum memory and allocation of a queue buffer forall output queuesofan interface. Werecommend that QoStechnologyis exploitedtoachieve better detection andprotection.Wealsorecommendtheuseofparalleltechnology.

6.3. Furtherresearch

ThispapercentredonthefailureofNIDPSstopreventattacksthatoccurinhighspeednetworkconnectively.Itdescribed experimentswhichpresentedtheweaknessofNIDPSsandwhichimprovedNIDPSsintermsofperformance,eﬃciencyand effectiveness.Multi-core could beusedasa solutionforhigh-speeddataandnetwork connectively.Multi-coreprocessors provideenhancementwithhighcapabilitiesandcansecurenetworksfromattacks,buttheyincreasethecomplexityofthe security system.Advancesintheutilisationofmulti-coreprocessors forintrusion detectionhaveyettobe fullyexploited.

However,therearetwomajorareasofconcernincomputersecurity:thespeedandvolumeofattacks;andthecomplexity ofmulti-stageattacks.Byusingmulti-coreprocessorsappropriately,wecanadvanceNIDPSstocopewithsuchconcerns.In thearea ofdevelopmentoftheNIDPSdetectionfunction,intelligenttechniquescanbeexploitedtodevelopnewrulesfor moreprecisedetectionofattackstocounteractthegrowthindiversityanddeviousness.Thecurrentandanticipatedfuture demandsforonlinesecurityrequiretherevisionofexistingsystemstowardsthedevelopmentofimprovedparallelsystems aswellasstrongerrulesets.

References

[1]J.Jang-Jaccard,S.Nepal,Asurveyofemergingthreatsincybersecurity,J.Comput.Syst.Sci.80 (5)(2014)973–993.

[2] A.Fuchsberger,Intrusiondetectionsystemsandintrusionpreventionsystems,Inf.Secur.Tech.Rep.10(2005)134–139,http://www.sciencedirect.com.

lcproxy.shu.ac.uk/science/article/pii/S1363412705000415.AccessedSeptember14,2013.

[3] ArborNetworks,9thannualworldwideinfrastructuresecurityreportandATLASdata,http://www.arbornetworks.com/resources/infrastructure-security- report,2013.AccessedMarch25,2014.

[4]E.Albin,N.C.Rowe,ArealisticexperimentalcomparisonoftheSuricataandSnortintrusion-detectionsystems,in:Workshopsofthe26thInternational ConferenceonAdvancedInformationNetworkingandApplications,WAINA,IEEE,2012,pp. 122–127.

[5]F.I.Shiri,B.Shanmugam,N.B.Idris,Aparalleltechniqueforimprovingtheperformanceofsignature-basednetworkintrusiondetectionsystem,in:

Proceedingsof3rdInternationalConferenceCommunicationSoftwareandNetworks,ICCSN,IEEE,2011,pp. 692–696.

[6]J.Beale,B.Caswell,T.Kohlenberg,M.Poor,Snort2.1IntrusionDetection,seconded.,SyngressPublishing,2004.

[7] H.Jiang,G.Zhang,G.Xie,K.Salamatian,L.Mathy,Scalablehigh-performanceparalleldesignfornetworkintrusiondetectionsystemsonmany-core processors,in:ProceedingsoftheninthACM/IEEEsymposiumonArchitecturesfornetworkingandcommunicationssystems,IEEE,pp. 137–146.

[8]W.Bul’ajoul,A.James,M.Pannu,Networkintrusiondetectionsystemsinhigh-speedtraﬃcincomputernetworks,in:Proceedingsof10thInternational Conferenceone-BusinessEngineering,ICEBE,IEEE,2013,pp. 168–175.

[9]G.M.Nazer,A.A.L.Selvakumar,Currentintrusiondetectiontechniquesininformationtechnology—a detailedanalysis,Eur.J.Sci.Res.65(2011)611–624.

[10]S.Beg,U.Naru,M.Ashraf,S.Moshin,Feasibilityofintrusiondetectionsystemwithhighperformancecomputing:a survey,Int.J.Adv.Comput.Sci.1 (2010)26–35.

[11]K.Scarfone,P.Mell,GuidetoIntrusionDetectionandPreventionSystems(IDPS),RecommendationsoftheNationalInstituteofStandardsandTechnol- ogy,NISTSpecialPublication800-94,2012.

[12]A.Patcha,J.Park,Anoverviewofanomalydetectiontechniques:existingsolutionsandlatesttechnologicaltrends,Comput.Netw.51(2007)3448–3470.

[13]W.Jiang,H.Song,Y.Dai,Real-timeintrusiondetectionforhigh-speednetworks,Comput.Secur.24(2005)287–294.

[14]D.Mudzingwa,R.Agrawal,Astudyofmethodologiesusedinintrusiondetectionandpreventionsystem(IDPS),in:ProceedingsofIEEESoutheastcon, 2012,pp. 1–6.

[15] Cisco Systems, CiscoASA 5585-X adaptive security appliance, n.d.http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next- generation-ﬁrewalls/product_data_sheet0900aecd802930c5.html,2014.AccessedJuly 17.

[16] T.M.Wu,IntrusionDetectionSystems,IntrusionAssuranceTechnologyAnalysisCenter,Herndon,VA,sixthed.,2009,http://iac.dtic.mil/csiac/download/

intrusion_detection.pdf,2009.AccessedSeptember 15,2013.

[17] H.Kozushko,Intrusiondetection:host-basedandnetwork-basedintrusiondetectionsystems,Independentstudy,2003.

[18]M.S.Hoque,M.A.Mukit,M.A.Bikas,Animplementationofintrusiondetectionsystemusinggeneticalgorithm,Int.J.Netw.Secur.Appl.IV(2012) 111–112.

[19] CiscoSystems,CiscoCatalyst3560Seriesswitches,n.d.http://www.cisco.com/en/US/products/hw/switches/ps5528/,2013.AccessedOctober 11.

[20]M.Roesch,M.Snort,Lightweightintrusiondetectionfornetworks,in:ProceedingsoftheConferenceonLargeInstallationSystemAdministration,LISA, vol. 99,1999,pp. 229–238.

[21]R.U.Rahman,IntrusionDetectionSystemwithSnort:AdvancedIDSTechniqueswithSnort,Apache,PHP,MySQLandACID,PearsonEducationand PrenticeHallProfessional,2003.

(19)

[22]R.Chi,IntrusiondetectionsystembasedonSnort,in:Proceedingsofthe9thInternationalSymposiumonLinearDrivesforIndustryApplications, vol. 3,Springer,Heidelberg,Berlin,2014,pp. 657–664.

[23] CiscoSystems,Qualityofservicedesignoverview,n.d.http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoSIntro.html, 2013.AccessedOctober 20.

[24] Cisco Systems, Understanding queuing with hierarchicalqueuing framework, http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/

sol_ov_c22-708224.html.AccessedNovember 15,2012.

[25]H.J.Kim,A.Pamnami,M.Patel,State-of-the-ArtinIntrusionDetectionSystems,DepartmentofElectricalandComputerEngineeringStevensInstitute ofTechnology,Hoboken,2007.

[26]M.Jamshed,J.Lee,S.Moon,I.Yun,D.Kim,S.Lee,Y.Yi,K.S.ParkKargus,Ahighly-scalablesoftware-basedintrusiondetectionsystem,in:Proceedings ofthe2012ACMConferenceonComputerandCommunicationsSecurity,ACM,2012,pp. 317–328.

[27]K.R.Karthikeyan,A.Indra,Intrusiondetectiontoolsandtechniques–asurvey,Int.J.Comput.TheoryEng.2(2010)901–906.

[28]P.Mehra,AbriefstudyandcomparisonofSnortandBroOpensourcenetworkintrusiondetectionsystem,Int.J.Adv.Res.Comput.Commun.Eng.

1 (6)(2012)383–386.

[29]K.Salah,A.Qahtan,Implementationandexperimentalperformanceevaluationofahybridinterrupt-handlingscheme,Comput.Commun.32 (1)(2009) 179–188.

[30]D.L.Schuff,Y.R.Choe,V.S.Pai,Conservativevs.optimisticparallelizationofstatefulnetworkintrusiondetection,in:Proceedingsofthe12thACM SIGPLANSymposiumonPrinciplesandPracticeofParallelProgramming,2007.

[31]X.Chen,Y.Wu,L.Xu,Y.Xue,J.Li,Para-Snort:amulti-threadSnortonmulti-coreIA platform,in:ProceedingsofParallelandDistributedComputing andSystems,PDCS,2009.

[32]M.Vasiliadis,S.Polychronakis,S.Ioannidis,MIDeA:a multi-parallelintrusiondetectionarchitecture,in:Proceedingsofthe18thACMConferenceon ComputerandCommunicationsSecurity,ACM,2011,pp. 297–308.

[33]M.Jamshed,J.Lee,S.Moon,I.Yun,D.Kim,S.Lee,Y.Yi,K.Park,Kargus:ahighly-scalablesoftware-basedintrusiondetectionsystem,in:Proceedings oftheACMConferenceonComputerandCommunicationsSecurity,CCS,2012.

[34]J.Zhao,L.Wang,J.Tao,J.Chen,W.Sun,R.Ranjan,J.Kolodziej,A.Streit,D.Georgakopoulos,AsecurityframeworkinG-Hadoopforbigdatacomputing acrossdistributedClouddatacentres,J.Comput.Syst.Sci.80 (5)(2014)994–1007.

[35]Y.Wang,Y.Xiang,J.Zhang,W.Zhou,B.Xie,Internettraﬃcclusteringwithsideinformation,J.Comput.Syst.Sci.80 (5)(2014)1021–1036.