Abstract

Signature-based Network Intrusion Detection Systems (NIDS) are the state of the art for precise attack detection and intrusion prevention. However, they suffer critical performance problems in modern high-speed networks. At the same time, flow-based network monitoring has been investigated for high data rates. In recent years, such flow monitoring has gone beyond collecting statistical information about network connections: more recent techniques can include selected samples of the payload of these flows. Most recently, we extended this concept to HTTP flows. We now go one step further and combine IPFIX-based flow monitoring with NIDS. We developed the IPFIX-based Signature-based Intrusion Detection System (FIXIDS), a system that exploits the recently introduced HTTP-related flow Information Elements (IEs) to perform signature-based intrusion detection on flows in high-speed networks on commodity hardware. FIXIDS makes use of HTTP intrusion signatures from the widely used Snort NIDS and applies them to incoming IPFIX flows. In the experimental evaluation, we show a performance gain of a factor of three compared to Snort while maintaining the same detection ratio.
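The core idea described above, evaluating Snort HTTP content rules against the HTTP Information Elements of an IPFIX flow record rather than against packet payload, as an added illustration that is not part of the paper or the FIXIDS implementation. It assumes a minimal Snort option subset (content, nocase, http_method, http_uri, http_header, sid, msg), IANA IPFIX IE names, a simplified modifier-to-IE mapping, and constructed rules and flow records; a rule whose content match has no HTTP modifier is rejected because the flow record carries no raw payload.

```python
import re
# Snort HTTP content modifier -> IPFIX HTTP IE (IANA registry name) carrying the
# same data in a flow record. Mapping chosen for this example (not FIXIDS' own
# table); http_header is simplified to the exported User-Agent only.
MODIFIER_TO_IE = {"http_method": "httpRequestMethod", "http_uri": "httpRequestTarget",
                  "http_header": "httpUserAgent"}
# One Snort rule option: key, optional ':' value (quoted or bare), terminating ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(rule):
    """Return (sid, msg, [(ie, needle, nocase), ...]), or None when a content match
    has no HTTP modifier: that rule needs raw payload, which a flow record lacks."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    sid, msg, matches = None, "", []
    for key, val in OPTION_RE.findall(opts):
        val = val.strip('"')
        if key == "content":
            matches.append([None, val, False])  # [ie, needle, nocase]
        elif key == "nocase" and matches:
            matches[-1][2] = True
        elif key in MODIFIER_TO_IE and matches:
            matches[-1][0] = MODIFIER_TO_IE[key]
        elif key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val
    if any(m[0] is None for m in matches):
        return None
    return sid, msg, [tuple(m) for m in matches]

def match_flow(rule, flow):
    """Evaluate one parsed rule against a flow record (dict of IE name -> value)."""
    sid, msg, matches = rule
    for ie, needle, nocase in matches:
        hay = flow.get(ie, "")
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return None
    return sid, msg

def scan(rules, flows):
    """Apply every flow-evaluable rule to every flow; return (flow index, sid, msg) hits."""
    parsed = [r for r in map(parse_rule, rules) if r is not None]
    return [(i, *hit) for i, flow in enumerate(flows)
            for hit in (match_flow(r, flow) for r in parsed) if hit]

# Constructed sample input: three Snort-syntax rules and two IPFIX HTTP flow records.
RULES = ['alert tcp any any -> any 80 (msg:"Directory traversal in URI"; flow:to_server,established; content:"../"; http_uri; sid:1000001; rev:1;)',
         'alert tcp any any -> any 80 (msg:"Scanner user-agent"; content:"nikto"; nocase; http_header; sid:1000002; rev:1;)',
         'alert tcp any any -> any 80 (msg:"Needs raw payload"; content:"|00 01|"; sid:1000003; rev:1;)']
FLOWS = [{"httpRequestMethod": "GET", "httpRequestTarget": "/index.html", "httpUserAgent": "Mozilla/5.0"},
         {"httpRequestMethod": "GET", "httpRequestTarget": "/cgi-bin/../../etc/passwd", "httpUserAgent": "Nikto/2.1.6"}]
```

Only the second flow triggers alerts (sids 1000001 and 1000002); the third rule is dropped at parse time because nothing in the flow record corresponds to its unmodified content match.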
