Student: 李家豪
Student (English): Lee, Jiahau
Thesis title: 深度分析入侵偵測系統之效能
Thesis title (English): Dissecting NIDS Performance with Detailed Profiling
Advisor: 林柏青
Advisor (English): Lin, Poching
Committee members: 李程輝, 林柏青, 陳鵬升, 江為國
Committee members (English): Lee, Tsernhuei; Lin, Poching; Chen, Pengsheng; Chiang, Weikuo
Oral defense date: 2011-06-15
Degree: Master's
Institution: 國立中正大學 (National Chung Cheng University)
Department: 資訊工程研究所 (Graduate Institute of Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year of publication: 2011
Graduation academic year: 99 (ROC calendar)
Language: English
Pages: 40
Chinese keywords: 入侵偵測系統 (intrusion detection system), 效能 (performance)
English keywords: NIDS, performance
Designing a high-speed NIDS (network intrusion detection system) has
attracted much attention in recent years due to the ever-increasing amount
of network traffic and ever more complicated attacks. Studying NIDS
performance in depth is an important step toward a high-speed design. This
work studies how NIDS performance varies with the input network traffic,
including malicious traffic, and with the system configuration, based on
detailed profiling of two popular NIDSs, Snort and Bro. According to the
profiling, we find that analyzing the payloads (primarily pattern matching
in Snort and executing the policy scripts in Bro) can dominate the execution
time for most packet traces. Moreover, connection tracking and packet
reassembly can also be time-consuming if they are invoked frequently.
Therefore, a robust high-speed NIDS design can focus on improving payload
analysis and preprocessing, particularly packet reassembly. We also
demonstrate that aggregating the profiling results can be used to predict
the results for bulk network traffic in a real environment. In other words,
it is feasible to identify the component traffic types in the bulk traffic
and analyze a sample of each type individually to extrapolate the
performance for the total traffic.
1 Introduction, p. 1
2 Background and Related Work, p. 5
2.1 Processing Stages in Snort and Bro, p. 5
2.2 Related Work, p. 9
3 NIDS Profiling in Snort, p. 11
3.1 Snort Stages in the Profiling, p. 12
3.2 Baseline Profiling with Normal Traffic, p. 13
3.3 Profiling with Abnormal Network Traffic, p. 16
3.3.1 Traffic with IP Fragments and TCP Segments, p. 17
3.3.2 Profiling with Various System Configurations, p. 20
3.4 Deep Observation and Testing with the Bulk Traffic, p. 22
3.4.1 Analyzing the Factors in Pattern Matching, p. 22
3.4.2 Testing with the Bulk Traffic, p. 24
4 NIDS Profiling in Bro, p. 26
4.1 Bro Stages in the Profiling, p. 26
4.2 Baseline Profiling in Bro, p. 27
4.2.1 Profiling the Execution of Policy Scripts, p. 29
4.3 Abnormal Traffic, p. 32
4.4 Testing with the Bulk Traffic, p. 33
5 Conclusion, p. 34