A High-Performance Network Intrusion Prevention System (2003)

This project, carried out for my master's thesis, covers the design and implementation of a high-performance network intrusion prevention system. Network intrusion prevention systems provide proactive defense against security threats by detecting and blocking attack-related traffic. This task can be highly complex, and therefore software-based network intrusion prevention systems are not capable of handling high-speed links. Our system, called Digenis, combines software-based network intrusion prevention sensors with a network processor board. The network processor acts as a customized load-balancing splitter that cooperates with a set of modified content-based network intrusion detection sensors in processing network traffic. We show that the components of such a system, if co-designed, can achieve high performance while minimizing redundant processing and communication. We have implemented the system using low-cost, off-the-shelf technology: an IXP1200 network processor evaluation board and commodity PCs. Our evaluation shows that our enhancements can reduce sensor load considerably, resulting in a system that can handle a fully loaded Gigabit Ethernet link using a small number of sensors.

Publications and Reports

K. Xinidis, I. Charitakis, S. Antonatos, K. G. Anagnostakis, and E. P. Markatos. An Active Splitter Architecture for Intrusion Detection and Prevention. In IEEE Transactions on Dependable and Secure Computing, Vol. 3, No. 1, January-March 2006 [pdf]

K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. P. Markatos and A. D. Keromytis. Detecting Targeted Attacks Using Shadow Honeypots. In Proceedings of the 14th USENIX Security Symposium, Baltimore, USA, August 1-5 2005 [pdf]

K. Xinidis, K. G. Anagnostakis and E. P. Markatos. Design and Implementation of a High-Performance Network Intrusion Prevention System. In Proceedings of the 20th International Information Security Conference (SEC 2005), Makuhari-Messe, Chiba, Japan, May 30 - June 1 2005 [pdf ppt]

K. Xinidis and E. P. Markatos. Network Intrusion Prevention on Multilevel Processing Architectures. Master of Science (M.Sc.) Thesis, Dept. of Computer Science, University of Crete, October 2004 [pdf]

Further Information

For more information, please visit the Digenis project site.
