High-Performance Intrusion Detection with the Open-Source Bro NIDS

More documents

Recommendations

Info

Need for Performance • Keep needing to do more analysis on more data at higher speeds • NIDS used to run successfully on commodity hardware • In particular important for open-source NIDS (e.g., Snort, Bro) • Not any more! • Moore’s law doesn’t hold for single-core performance anymore • Unfortunately, today’s NIDS implementations are single-threaded and thus limited • To overcome, we can • Significantly restrict the amount of analysis, or • Turn to expensive & inflexible custom hardware, or • Parallelize processing to leverage commodity multi-core architectures • Parallelizing an application is inherently domain-specific • There’s no generic approach to concurrency • Need examine carefully where the concurrency potential is that we can exploit Guest Lecture, RWTH Aachen 26 Thursday, December 16, 2010
Outline 1. Overview of the Bro Network Intrusion Detection System • Philosophy • Deployment • Architecture and Usage • Specific Capability: Dynamic Protocol Detection 2. High Performance with Concurrent Traffic Analysis • Concurrency Potential • Coarse-grained Parallelism: A cluster for load-balancing • Fine-grained Parallelism: Designing a multi-threaded NIDS 3. Future Directions Guest Lecture, RWTH Aachen 27 Thursday, December 16, 2010
Page 1 and 2: High-Performance Intrusion Detectio
Page 3 and 4: System Philosophy • Bro has been
Page 5 and 6: Target Environments • Bro is spec
Page 7 and 8: Lawrence Berkeley National Lab •
Page 9 and 10: LBNL’s Bro Setup External 10G Tap
Page 11 and 12: LBNL’s Bro Setup External (ESNet)
Page 13 and 14: Activity Logs: Connections • One-
Page 15 and 16: Architecture Packets Network Guest
Page 17 and 18: Architecture Notification Detection
Page 19 and 20: Communication Architecture Bro A Br
Page 21 and 22: Event Model Web Client 1.2.3.4/4321
Page 27 and 28: Event-Engine • Event-engine is wr
Page 29 and 30: Script Example: Tracking SSH Hosts
Page 31 and 32: Port-based Analysis • Bro has lot
Page 33 and 34: Dynamic Protocol Detection Web Clie
Page 41 and 42: Analyzer Trees IP TCP SMTP Interact
Page 43 and 44: High Performance with Concurrent Tr
Page 45 and 46: Internet Traffic: Connections #conn
Page 47: Internet Traffic: Connections #conn
Page 51 and 52: Traffic Analysis Pipeline Packet An
Page 57 and 58: Building a Concurrent NIDS • Can
Page 59 and 60: Load-Balancer Approach NIDS 10Gbps
Page 61 and 62: External Packet Demultiplexer Demux
Page 63 and 64: The Bro Cluster There are a number
Page 65 and 66: Simulation of Packet Dispatcher !"#
Page 67 and 68: cFlow: A Production Load-Balancer
Page 69 and 70: UC Berkeley Cluster Monitored/gener
Page 71 and 72: UC Berkeley Cluster Monitored/gener
Page 73 and 74: Extensions 100GE(!) version is in p
Page 75 and 76: “Real” Multi-Core NIDS • Clus
Page 77 and 78: Bro’s Architecture Notification S
Page 79 and 80: Bro’s Architecture Notification D
Page 81 and 82: Script Example: Matching URLs Task:
Page 83 and 84: Script Example 3: Aggregated Task:
Page 85 and 86: Parallel Event Scheduling Threaded
Page 93 and 94: Implementation of Multi-Core Bro
Page 95 and 96: Script-Engine Performance So Far ..
Page 97 and 98: Outline 1. Overview of the Bro Netw
Page 99 and 100:
Automating the Scoping • Scopes a
Page 101 and 102:
Software Development Support • Br
Page 103 and 104:
Conclusion Guest Lecture, RWTH Aach
Page 105 and 106:
Thanks for your attention. Robin So
Page 107 and 108:
Going Back in Time with the Time Ma
Page 109 and 110:
The Time Machine • The Time Machi
Page 111 and 112:
Query Interface • Interactive con
Page 113 and 114:
Augmenting Bro Alerts with Traffic
Page 115:
Multi-Core Bro Data Flow Main Threa
show all

High-Performance Intrusion Detection with the Open-Source Bro NIDS

Create successful ePaper yourself

Delete template?

Save as template?