NUST Institutional Repository

Design and Evaluation of a Complexity-Aware Intrusion Detection System on Multicore Platforms

dc.contributor.author Summaira Zafar
dc.date.accessioned 2020-11-09T12:02:17Z
dc.date.available 2020-11-09T12:02:17Z
dc.date.issued 2012
dc.identifier.uri http://10.250.8.41:8080/xmlui/handle/123456789/11053
dc.description Supervisor: Dr. Syed Ali Khayam en_US
dc.description.abstract The phenomenal increase in the number and sophistication of network attacks, along with the performance penalties incurred by uniprocessor IDSs, has necessitated the development of complexity-aware IDSs. Such an IDS should be capable of distributing its complexity evenly when deployed on multicore/multiprocessor architectures. This design can be achieved with a two-step scheme: first slicing traffic into independent tasks, and then executing these tasks in parallel on multiple cores using parallelization APIs. In this project, we propose a generic, modular and scalable architecture to parallelize Network Anomaly Detection Systems (NADSs) on multi-core platforms. On the network side of the proposed architecture, we evaluate three simple techniques to slice network traffic. For multi-core ADS execution, we evaluate the performance of two prominent parallelization APIs, namely OpenMP and Cilk++. The proposed traffic slicing techniques and parallelization APIs are used to implement three prominent and diverse network anomaly detectors on Intel and Sun multi-core hardware. The parallelized NADSs are compared with their serial counterparts using three real-world traffic datasets. We use ROC analysis to show that slicing traffic using its transport protocol semantics can provide considerably better accuracy than the serial implementations. Moreover, we show that Cilk++, although a new parallel programming model, can provide better speedups than the traditional OpenMP API. The impact of such complexity reduction and distribution schemes on IDS accuracy is evaluated using real network traffic. Finally, we develop a front-end tool to visualize and display real-time traffic characteristics. en_US
dc.publisher SEECS, National University of Sciences and Technology, Islamabad en_US
dc.subject Information and Communication Systems Engineering en_US
dc.title Design and Evaluation of a Complexity-Aware Intrusion Detection System on Multicore Platforms en_US
dc.type Thesis en_US


This item appears in the following Collection(s)

  • BS [835]
