Optimization of a Generated Intrusion Detection System


Authors

Lavorato, Kyle

Type

thesis

Language

eng

Keyword

Optimization, Intrusion Detection, Parallelism, Multi-Threading, Parsing, IDS Generator, Grammar Analysis, Synchronization, Lookahead, TXL, Network Protocols

Abstract

As technology continues to evolve at a rapid pace, the opportunities for malicious attacks and vulnerabilities grow equally. Constant monitoring of networks is required to prevent attacks, even in networks without any external connections. We often use software known as Intrusion Detection Systems (IDS) to parse, analyze, and constrain data in a network so that it follows normal traffic patterns. Combined with specifications detailing the form of that traffic and real-time learning, they are effective at detecting attacks. Achieving near-perfect results in intrusion detection is not an easy task. Many of the current top IDS technologies have the analysis infrastructure required for such a task but fall short of the goal. Inefficient algorithms, communication, and architectures cause these systems to process data at a rate slower than their input. Improvements to the parsing and analysis components of any IDS are the key to improving its detection rate. Current systems attempt to incorporate efficiency into their design, such as dedicated parse routines or detection profiles to avoid processing duplicate traffic. However, they are often not general, offering improvement only in certain scenarios, or not impactful enough. In this thesis, we propose several dynamic optimizations for Intrusion Detection Systems as a whole, implementing them in a state-of-the-art test system. We develop parser-side optimizations capable of analyzing protocol specifications to decode them more efficiently. A deep grammar analysis identifies conglomerate data structures that should be separated and treated as individual entries. A lookahead process then follows to prevent inefficient backtracking in the parse algorithm. We additionally investigate the concept of parallelism through a decoupling of the parser and analysis components of the IDS. Using multi-threading synchronization, we are able to dispatch multiple instances of each process. This allows additional data to flow through the system, further reducing the chance of data overflow. Our parallel architecture itself includes multiple optimal algorithms and efficiencies, including memory pools, lock reduction, and intelligent threading. The entire parallel system, including its optimizations, is dynamically generated from an input set of network protocol descriptions. This makes parallelism available to any developer who implements the IDS, avoiding the traditional large development cost of parallel programming.

License

Queen's University's Thesis/Dissertation Non-Exclusive License for Deposit to QSpace and Library and Archives Canada
ProQuest PhD and Master's Theses International Dissemination Agreement
Intellectual Property Guidelines at Queen's University
Copying and Preserving Your Thesis
This publication is made available by the authority of the copyright owner solely for the purpose of private study and research and may not be copied or reproduced except as permitted by the copyright laws without written authority from the copyright owner.
