A high-performance network intrusion detection solution for S4A software

Alar Kvell
S4A is a distributed real-time network security monitoring system. The purpose of this thesis is to find ways to increase S4A system performance. S4A system consists of one center and several detectors. Detectors are computers that run specialized software and are installed into various government organization computer networks. All network traffic passing between the organization's internal network and public Internet needs to mirrored to detector machine's network interface in order network security monitoring to work. Detector software consists of OpenBSD operating system, Snort intrusion detection system (IDS) and S4A specific helper programs. One of the most important qualities of an IDS is its performance – the more traffic it can analyze, the higher are chances of detecting suspicious traffic. Main bottleneck of current S4A system is that Snort is a single-threaded application and thus can only utilize one CPU core at a time, even though there are two CPU cores available in a typical S4A installation. In this thesis we first give an overview of Snort's architecture and look at the properties that affect it's performance the most. For the most effective ways to increase its performance we consider the following: changing operating system to Linux; using an alternative network packet capture library on Linux to allow multiple simultaneous Snort processes so that all CPU cores would be utilized; using an alternative IDS Suricata instead of Snort. Then we measure each option's performance, replaying network traffic at different bandwidths. During these tests we observe CPU usage, memory usage, disk I/O usage, analyzed packet count and detected alert count. We draw some conclusions on how they behave. The main find is that using our configuration and detection rules, on Linux the latest version of Suricata has at least the same performance as multiple processes of the latest version of Snort, even slightly higher. On OpenBSD, Suricata performs much worse than Snort. We make two suggestions for increasing S4A performance: 1) switching to Linux and multiple Snort processes with PF_RING may provide up to 2,2 times better performance; 2) switching to Linux and Snort should provide the same increase in performance as the first suggestion. Both options have some positive and negative effects that need to be considered before applying them.
Graduation Thesis language
Graduation Thesis type
Master - Information Technology
Meelis Roos, Sven Heiberg
Defence year