Robin Sommer

Viable Network Intrusion Detection: Trade-offs in High-performance Environments Robin Sommer

Network intrusion detection systems (NIDS) continuously monitor network traffic for maliciousactivity, raising alerts when detecting attacks. However, high-performance Gbps networks posemajor challenges for these systems, and despitevendor promises they often fail to work reliably insuch environments. In this work, we set out tounderstand the trade-offs involved in networkintrusion detection, and we mitigate their impact onoperational security monitoring. We base our study onextensive experience with several large-scale networkenvironments where immense traffic diversityrequires any NIDS to deal robustly with unexpectedsituations. We devise new mechanisms for a popularopen-source NIDS that allow the operator to trade-offthe quality of the detection with thesystem's resource demands, and we enable the NIDS totransparently share its state across instances, thereby multiplying the available amount ofresources. We also improve the precision of theNIDS's detection by enabling it to incorporatedifferent kinds of network context into its analysis.