Optimization of a Generated Intrusion Detection System
As technology continues to evolve at a rapid pace, the opportunities for malicious attacks and vulnerabilities grow equally. Constant monitoring of networks is required to prevent attacks, even in networks without any external connections. We often use software known as Intrusion Detection Systems (IDS) to parse, analyze, and constrain data in a network so that it follows normal traffic patterns. Combined with specifications detailing the form of that traffic and real-time learning, they are effective at detecting attacks. Achieving near-perfect results in intrusion detection is not an easy task. Many of the current top IDS technologies have the analysis infrastructure required for such a task but fall short of the goal. Inefficient algorithms, communication, and architectures cause these systems to process data at a rate slower than their input. Improvements to the parsing and analysis components of any IDS are the key to improving its detection rate. Current systems attempt to build efficiency into their design, for example through dedicated parse routines or detection profiles that avoid duplicate traffic. However, these measures are often not general, offering improvement only in certain scenarios, or not impactful enough. In this thesis, we propose several dynamic optimizations for Intrusion Detection Systems as a whole and implement them in a state-of-the-art test system. We develop parser-side optimizations capable of analyzing protocol specifications in order to decode them more efficiently. A deep grammar analysis identifies conglomerate data structures that should be separated and treated as individual entries. A lookahead process then follows to prevent inefficient backtracking in the parse algorithms. We additionally investigate parallelism through a decoupling of the parser and analysis components of the IDS. Using multi-threading synchronization, we are able to dispatch multiple instances of each process. This allows additional data to flow through the system, further reducing the chance of data overflow. Our parallel architecture itself includes multiple optimal algorithms and efficiencies, including memory pools, lock reduction, and intelligent threading. The entire parallel system, including its optimizations, is dynamically generated from an input set of network protocol descriptions. This gives any developer who implements the IDS access to parallelism while avoiding the traditional large development cost of parallel programming.
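The decoupling of the parser and analysis stages described above can be illustrated with a small pipeline. The following Go program is an added example and is not code from the thesis or its test system: it assumes a constructed line-oriented "VERB path" protocol, a single constructed detection rule, and bounded queues between the stages so that each stage runs with its own pool of workers and a lagging stage applies backpressure rather than losing records. The sample input is constructed, not captured traffic.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"sync/atomic"
)

// Record is the parser's output: one decoded message of a toy line-oriented
// request protocol, "VERB path" (a constructed stand-in for the protocol
// descriptions a generated IDS parser would be built from).
type Record struct {
	Verb string
	Path string
}

// Alert is the analysis stage's output.
type Alert struct {
	Rule string
	Rec  Record
}

// ParseLine is the parser stage: it decodes one raw line into a Record and
// reports malformed input instead of guessing at its structure.
func ParseLine(line string) (Record, bool) {
	f := strings.Fields(line)
	if len(f) != 2 {
		return Record{}, false
	}
	return Record{Verb: f[0], Path: f[1]}, true
}

// Analyze is the analysis stage: a single constructed rule that flags a
// parent-directory component in a request path.
func Analyze(r Record) (Alert, bool) {
	for _, seg := range strings.Split(r.Path, "/") {
		if seg == ".." {
			return Alert{Rule: "dot-dot-segment", Rec: r}, true
		}
	}
	return Alert{}, false
}

// Stats summarises one pipeline run. Counters are updated atomically by the
// worker goroutines and read only after every worker has finished.
type Stats struct {
	Parsed   int64 // records handed to the analysis stage
	Rejected int64 // raw lines the parser could not decode
	Alerts   int64 // records the analysis stage flagged
}

// RunPipeline decouples parsing from analysis: nParsers goroutines read raw
// lines from a bounded queue and emit Records into a second bounded queue,
// which nAnalyzers goroutines drain. Each stage can be scaled on its own;
// when one stage lags, its full queue blocks the stage upstream of it
// instead of dropping data.
func RunPipeline(lines []string, nParsers, nAnalyzers, queueDepth int) Stats {
	var st Stats
	raw := make(chan string, queueDepth)
	parsed := make(chan Record, queueDepth)

	var parsers sync.WaitGroup
	for i := 0; i < nParsers; i++ {
		parsers.Add(1)
		go func() {
			defer parsers.Done()
			for line := range raw {
				rec, ok := ParseLine(line)
				if !ok {
					atomic.AddInt64(&st.Rejected, 1)
					continue
				}
				atomic.AddInt64(&st.Parsed, 1)
				parsed <- rec
			}
		}()
	}

	var analyzers sync.WaitGroup
	for i := 0; i < nAnalyzers; i++ {
		analyzers.Add(1)
		go func() {
			defer analyzers.Done()
			for rec := range parsed {
				if _, hit := Analyze(rec); hit {
					atomic.AddInt64(&st.Alerts, 1)
				}
			}
		}()
	}

	for _, l := range lines {
		raw <- l
	}
	close(raw)
	parsers.Wait() // every parser has exited, so nothing more is sent on parsed
	close(parsed)
	analyzers.Wait()
	return st
}

// SampleLines is a constructed input set, not captured traffic.
var SampleLines = []string{
	"GET /index.html",
	"GET /static/../config",
	"POST /api/login",
	"garbage",
	"HEAD /robots.txt",
}

func main() {
	st := RunPipeline(SampleLines, 2, 2, 4)
	fmt.Printf("parsed=%d rejected=%d alerts=%d\n", st.Parsed, st.Rejected, st.Alerts)
}
```

The worker counts and queue depth are the knobs a generated system would tune per protocol: more parser workers when decoding dominates, more analysis workers when rule evaluation dominates, and a queue depth chosen so that short bursts are absorbed without unbounded memory growth. The totals are deterministic regardless of scheduling, which is what makes a pipeline like this easy to test.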