Improving the performance of intrusion detection using Dialog-based Payload Aggregation

We propose Dialog-based Payload Aggregation (DPA) that extracts relevant payload data from TCP/IP packet streams based on sequence numbers in the TCP header for improved intrusion detection performance. Typical network-based Intrusion Detection Systems (IDSs) like Snort, which use rules for matching payload data, show severe performance problems in high-speed networks. Our detailed analysis based on live network traffic reveals that most of the signature matches either occur at the beginning of TCP connections or directly after direction changes in the data streams. Our DPA approach exploits protocol semantics intrinsic to bidirectional communication, i.e., most application layer protocols rely on requests and associated responses with a direction change in the data stream in between. DPA forwards the next N bytes of payload whenever a connection starts, or when the direction of the data transmission changes. All data transferred after this window is discarded. According to experimental results, our method reduces the amount of data to be analyzed at the IDS to around 3:7% for typical network traffic. At the same time, more than 89% of all potential events can be detected. Assuming a linear relationship between data rate and processing time of an IDS, this results in a speedup of more than one order of magnitude in the best case. Our performance analysis that combines DPA with Snort shows a 400% increase in packet processing throughput on commodity hardware.