Exploiting Independent State For Network Intrusion Detection

Robin Sommer
TU München

Vern Paxson
International Computer Science Institute and Lawrence Berkeley National Laboratory

Network intrusion detection systems (NIDSs) critically rely on processing a
great deal of state. Often much of this state resides solely
in the volatile processor memory accessible to a single user-level
process on a single machine. In this work we highlight the power of
independent state, i.e., internal
fine-grained state that can be propagated from one instance of a
NIDS to others running either concurrently or subsequently.
Independent state provides us with a wealth of possible applications
that hold promise for enhancing the capabilities of NIDSs. We discuss
an implementation of independent state for the Bro NIDS and examine how
we can then leverage independent state for distributed processing, load
parallelization, selective preservation of state across restarts and
crashes, dynamic reconfiguration, high-level policy maintenance, and support
for profiling and debugging. We have experimented with each of these
applications in several large environments and are now working
to integrate them into the sites' operational monitoring.
A performance evaluation shows that our implementation is suitable for use
even in large-scale environments.

Keywords: intrusion detection, distributed events, serialization

Read Paper Read Paper (in PDF)