Network Monitoring For Security: Intrusion Detection Systems
Computer systems have become more vulnerable to intrusions than ever. Intrusion detection is a security technology that not only detects known attacks but also attempts to report new attacks that other security components did not anticipate. It is an important component of a security system and complements other security technologies. An IDS requires full packet inspection in order to identify attack attempts.
Our research targets the performance analysis and design of improved intrusion detection components. Our recent focus has been on the design of efficient string matching algorithms and the development of a performance analysis methodology, using the Snort IDS.
Publications
- K. Xinidis, I. Charitakis, S. Antonatos, K. G. Anagnostakis, and E. P. Markatos. An Active Splitter Architecture for Intrusion Detection and Prevention. IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 1, Jan-Mar 2006. (pdf)
- Panos Trimintzios, Michalis Polychronakis, Antonis Papadogiannakis, Michalis Foukarakis, Evangelos P. Markatos, and A. Øslebø. DiMAPI: An Application Programming Interface for Distributed Network Monitoring. In Proceedings of the 10th IEEE/IFIP Network Operations and Management Symposium (NOMS). April 2006, Vancouver, Canada. (pdf)
- Sergio Andreozzi, Demetres Antoniades, Augusto Ciuffoletti, Antonia Ghiselli, Evangelos P. Markatos, Michalis Polychronakis, and Panos Trimintzios. Issues about the Integration of Passive and Active Monitoring for Grid Networks. In Proceedings of the CoreGRID Integration Workshop, November 2005 (pdf)
- Kostas Xinidis, Kostas D. Anagnostakis, and Evangelos P. Markatos: Design and Implementation of a High-Performance Network Intrusion Prevention System. In Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005), May 2005. (pdf)
- S. Antonatos, M. Polychronakis, P. Akritidis, Kostas D. Anagnostakis, and Evangelos P. Markatos: Piranha: Fast and Memory-efficient Pattern Matching for Intrusion Detection. In Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005), May 2005. (pdf)
- M. Polychronakis, K. G. Anagnostakis, E. P. Markatos, Arne Øslebø. Design of an Application Programming Interface for IP Network Monitoring. Proceedings of the 9th IEEE/IFIP Network Operations and Management Symposium (NOMS2004), 19-23 April 2004, Seoul, Korea. (pdf)
- S. Antonatos, K. G. Anagnostakis, E. P. Markatos. Generating Realistic Workloads for Network Intrusion Detection Systems. Proceedings of the Fourth International Workshop on Software and Performance (WOSP2004), January 2004. (pdf)
- S. Antonatos, K. G. Anagnostakis, E. P. Markatos, M. Polychronakis. Performance Analysis of Content Matching Intrusion Detection Systems. Proceedings of the International Symposium on Applications and the Internet (SAINT2004), January 2004. (pdf)
- Jan Coppens, Steven Van den Berghe, Herbert Bos, Evangelos P. Markatos, Filip De Turck, Arne Øslebø, and Sven Ubik. SCAMPI: A Scalable and Programmable Architecture for Monitoring Gigabit Networks. Proceedings of the Workshop on End-to-End Monitoring Techniques and Services (E2EMON), September 2003. (pdf)
- Ioannis Sourdis and Dionisios Pnevmatikatos. Fast, Large-Scale String Match for a 10Gbps FPGA-based Network Intrusion Detection System. Proceedings of the 13th International Conference on Field Programmable Logic and Applications (FPL2003), September 1-3, 2003, Lisbon, Portugal. (pdf)
- I. Charitakis, K. Anagnostakis, and E. Markatos. An Active Traffic Splitter Architecture for Intrusion Detection. Proceedings of the IEEE/ACM International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, October 2003, Orlando, Florida (to appear). (pdf)
- I. Charitakis, K. Anagnostakis, and E. Markatos. An Active Traffic Splitter Architecture for Intrusion Detection. Technical Report 323, ICS-FORTH, July 2003. (pdf)
- K. G. Anagnostakis, E. P. Markatos, S. Antonatos, and M. Polychronakis. E2xB: A Domain-Specific String Matching Algorithm for Intrusion Detection. Proceedings of the 18th IFIP International Information Security Conference (SEC2003), May 2003. (pdf)
- E. P. Markatos, S. Antonatos, M. Polychronakis, and K. G. Anagnostakis. ExB: Exclusion-based Signature Matching for Intrusion Detection. Proceedings of the IASTED International Conference on Communications and Computer Networks (CCN), pp. 146-152, Cambridge, USA, November 2002. (pdf)
Tools
- E2xB algorithm implementation for Snort 2.2.0
- E2xB algorithm implementation for Snort 2.0.0
- Rule randomiser is a utility that takes a Snort ruleset file as input and outputs the same rules with each content field value replaced by a random one.
- Rule permutator is a utility that replaces the content field value of each rule in a Snort ruleset with a random permutation of it.
- Tcpdump randomiser is a utility that reads a tcpdump trace and replaces each packet payload with random data.
Members
Links
Intrusion Detection Systems
References
- S. Wu and U. Manber. A Fast Algorithm for Multi-Pattern Searching.
- M. Fisk and G. Varghese. An Analysis of Fast String Matching Applied to Content-Based Forwarding and Intrusion Detection.
- R. S. Boyer and J. S. Moore. A Fast String Searching Algorithm. Communications of the ACM, vol. 20, no. 10, pp. 761-772, 1977.
- A. V. Aho and M. J. Corasick. Efficient String Matching: An Aid to Bibliographic Search.
- C. J. Coit, S. Staniford, and J. McAlerney. Towards Faster String Matching for Intrusion Detection.
This work is funded in part by the IST project SCAMPI (IST-2001-32404), funded by the European Union.