Performance analysis of content matching intrusion detection systems

S. Antonatos; K. G. Anagnostakis; E. P. Markatos; M. Polychronakis

doi:10.1109/SAINT.2004.1266118

Performance analysis of content matching intrusion detection systems

S. Antonatos
, K. G. Anagnostakis
, E. P. Markatos
, M. Polychronakis

Computer Science

Foundation for Research and Technology-Hellas
University of Pennsylvania

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

39 Scopus citations

Abstract

Although Network Intrusion Detection Systems (nIDS) are widely used, there is limited understanding of how these systems perform in different settings and how they should be evaluated. This paper examines how nIDS performance is affected by traffic characteristics, rulesets, string matching algorithms and processor architecture. The analysis presented in this paper shows that nIDS performance is very sensitive to these factors. Evaluating a nIDS therefore requires careful consideration of a fairly extensive set of scenarios. Our results also highlight potential dangers with the use of workloads based on combining widely-available packet header traces with synthetic packet content as well as with the use of synthetic rulesets.

Original language	English
Title of host publication	Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)
Pages	208-215
Number of pages	8
DOIs	https://doi.org/10.1109/SAINT.2004.1266118
State	Published - 2004
Event	Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004) - Tokyo, Japan Duration: Jan 26 2004 → Jan 30 2004

Publication series

Name	Proceedings - International Symposium on Applications and the Internet

Conference

Conference	Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)
Country/Territory	Japan
City	Tokyo
Period	01/26/04 → 01/30/04

Keywords

Intrusion detection
Security
Workload characterization and generation

Access to Document

10.1109/SAINT.2004.1266118

Cite this

Antonatos, S., Anagnostakis, K. G., Markatos, E. P., & Polychronakis, M. (2004). Performance analysis of content matching intrusion detection systems. In Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004) (pp. 208-215). (Proceedings - International Symposium on Applications and the Internet). https://doi.org/10.1109/SAINT.2004.1266118

@inproceedings{d7925826286c4c4ba02c10ec2254e4e7,

title = "Performance analysis of content matching intrusion detection systems",

abstract = "Although Network Intrusion Detection Systems (nIDS) are widely used, there is limited understanding of how these systems perform in different settings and how they should be evaluated. This paper examines how nIDS performance is affected by traffic characteristics, rulesets, string matching algorithms and processor architecture. The analysis presented in this paper shows that nIDS performance is very sensitive to these factors. Evaluating a nIDS therefore requires careful consideration of a fairly extensive set of scenarios. Our results also highlight potential dangers with the use of workloads based on combining widely-available packet header traces with synthetic packet content as well as with the use of synthetic rulesets.",

keywords = "Intrusion detection, Security, Workload characterization and generation",

author = "S. Antonatos and Anagnostakis, \{K. G.\} and Markatos, \{E. P.\} and M. Polychronakis",

year = "2004",

doi = "10.1109/SAINT.2004.1266118",

language = "English",

isbn = "0769520685",

series = "Proceedings - International Symposium on Applications and the Internet",

pages = "208--215",

booktitle = "Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)",

note = "Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004) ; Conference date: 26-01-2004 Through 30-01-2004",

}

Antonatos, S, Anagnostakis, KG, Markatos, EP & Polychronakis, M 2004, Performance analysis of content matching intrusion detection systems. in Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004). Proceedings - International Symposium on Applications and the Internet, pp. 208-215, Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004), Tokyo, Japan, 01/26/04. https://doi.org/10.1109/SAINT.2004.1266118

Performance analysis of content matching intrusion detection systems. / Antonatos, S.; Anagnostakis, K. G.; Markatos, E. P. et al.
Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004). 2004. p. 208-215 (Proceedings - International Symposium on Applications and the Internet).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Performance analysis of content matching intrusion detection systems

AU - Antonatos, S.

AU - Anagnostakis, K. G.

AU - Markatos, E. P.

AU - Polychronakis, M.

PY - 2004

Y1 - 2004

N2 - Although Network Intrusion Detection Systems (nIDS) are widely used, there is limited understanding of how these systems perform in different settings and how they should be evaluated. This paper examines how nIDS performance is affected by traffic characteristics, rulesets, string matching algorithms and processor architecture. The analysis presented in this paper shows that nIDS performance is very sensitive to these factors. Evaluating a nIDS therefore requires careful consideration of a fairly extensive set of scenarios. Our results also highlight potential dangers with the use of workloads based on combining widely-available packet header traces with synthetic packet content as well as with the use of synthetic rulesets.

AB - Although Network Intrusion Detection Systems (nIDS) are widely used, there is limited understanding of how these systems perform in different settings and how they should be evaluated. This paper examines how nIDS performance is affected by traffic characteristics, rulesets, string matching algorithms and processor architecture. The analysis presented in this paper shows that nIDS performance is very sensitive to these factors. Evaluating a nIDS therefore requires careful consideration of a fairly extensive set of scenarios. Our results also highlight potential dangers with the use of workloads based on combining widely-available packet header traces with synthetic packet content as well as with the use of synthetic rulesets.

KW - Intrusion detection

KW - Security

KW - Workload characterization and generation

UR - https://www.scopus.com/pages/publications/2642555499

U2 - 10.1109/SAINT.2004.1266118

DO - 10.1109/SAINT.2004.1266118

M3 - Conference contribution

AN - SCOPUS:2642555499

SN - 0769520685

SN - 9780769520681

T3 - Proceedings - International Symposium on Applications and the Internet

SP - 208

EP - 215

BT - Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)

T2 - Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)

Y2 - 26 January 2004 through 30 January 2004

ER -

Performance analysis of content matching intrusion detection systems

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this