The performance of the intrusion detection system

xiaoxiao2021-03-06  39

I. Overview

Performance indicators are something every user procuring security products must pay attention to. However, if you do not know the true meaning of these indicators, or how they are measured, you will be misled by superficial parameters and make mistakes.

This paper introduces the meaning of the performance indicators of a network intrusion detection system (NIDS) and the methods used to test them, and analyzes the ways in which results can be faked during testing, so that users can make a correct choice of network intrusion detection products.

II. Performance indicators

For different security products, customers care about different performance indicators. For a firewall, customers pay more attention to throughput, concurrent connections per second, transmission delay and the like. For a network intrusion detection system, customers pay more attention to the network data traffic that can be processed per second and the number of network connections that can be monitored per second.

For a network intrusion detection system, besides the indicators above, there are indicators that customers are unaware of but which are equally or even more important, such as the number of packets per second and the number of events that can be processed per second.

1. Data traffic per second (Mbps or Gbps)

Data traffic per second is the amount of data passing through a node per second. It is an important indicator reflecting the performance of a network intrusion detection system and is generally expressed in Mbps, for example 10 Mbps, 100 Mbps or 1 Gbps.

The basic working principle of a network intrusion detection system is sniffing: the network card is configured so that it receives all the data arriving on the network interface (promiscuous mode).

If the data traffic per second exceeds the processing capacity of the network sensor, the NIDS may drop packets, so that attacks cannot be detected. However, whether the NIDS drops packets depends not mainly on the data traffic per second but on the number of packets per second.
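As an added example that is not part of the original article, the check a practitioner would run on a Linux sensor to see whether it is dropping packets at the current packet rate: read the interface counters in /proc/net/dev twice, a known interval apart, and compute the capture rate and drop ratio. The two snapshots and the interface name eth1 are constructed sample data.

```python
# Added example, not from the original article. Reads Linux /proc/net/dev
# interface counters from two snapshots taken `seconds` apart and reports the
# packet rate, bit rate and the share of packets the kernel dropped.
# The two snapshots and the interface name "eth1" are constructed sample data.

SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     1000    0    0    0     0          0         0   123456     1000    0    0    0     0       0          0
  eth1: 52428800   100000    0  500    0     0          0         0        0        0    0    0    0     0       0          0
"""

SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     1000    0    0    0     0          0         0   123456     1000    0    0    0     0       0          0
  eth1: 157286400  300000    0 4500    0     0          0         0        0        0    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """{iface: (rx_bytes, rx_packets, rx_drop)}; receive fields follow the colon
    as bytes packets errs drop ..., and the name may be glued to the colon."""
    stats = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        iface, _, rest = line.partition(":")
        f = rest.split()
        stats[iface.strip()] = (int(f[0]), int(f[1]), int(f[3]))
    return stats


def capture_stats(snap_before, snap_after, iface, seconds):
    """Packet rate, bit rate and drop ratio on `iface` between two snapshots.
    rx_drop is not included in rx_packets, so the offered load is their sum."""
    b0, p0, d0 = parse_proc_net_dev(snap_before)[iface]
    b1, p1, d1 = parse_proc_net_dev(snap_after)[iface]
    packets, dropped = p1 - p0, d1 - d0
    offered = packets + dropped
    return {
        "pps": packets / seconds,
        "mbps": (b1 - b0) * 8 / seconds / 1e6,  # decimal megabits
        "drop_ratio": dropped / offered if offered else 0.0,
    }


def is_overrun(stats, max_drop_ratio=0.001):
    """True when the sensor loses more than the tolerated share of packets."""
    return stats["drop_ratio"] > max_drop_ratio
```

On the sample data eth1 sees 20,000 pps at about 84 Mbps and drops roughly 2% of the offered packets, which is the overrun condition the article describes.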

2. Packets captured per second (pps)

The number of packets per second is the most important indicator of the performance of a network intrusion detection system. The system captures packets from the network, analyzes and processes each packet, and looks for intrusion and misuse patterns, so the number of packets it can process per second reflects the performance of the system. People unfamiliar with intrusion detection systems often use network traffic per second as the decisive indicator of NIDS performance, which is wrong. Network traffic per second equals the number of packets captured per second multiplied by the packet size. Since the average size of network packets varies widely, the network traffic per second differs greatly at the same capture rate. For example, if the average network packet is about 1024 bytes and the system can support 10,000 pps, the data traffic that can be processed per second reaches 78 Mbps; when the data traffic exceeds 78 Mbps, packets are lost because the system cannot keep up. If the average network packet is about 512 bytes, the data traffic that can be processed per second only reaches 40 Mbps, and when the data traffic exceeds 40 Mbps, packet loss occurs because the system cannot keep up.

Under the same traffic conditions, the smaller the packets, the harder they are to process. Small-packet processing capability is also the main indicator of firewall performance.
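As an added example that is not part of the original article, the relation between packet rate, average packet size and data traffic per second written out as a small calculator. It reproduces the article's 78 Mbps and 40 Mbps figures under the assumption that the article counts 1 Mbit as 2^20 bits, and applies the same arithmetic to the small-packet case discussed above.

```python
# Added example, not from the original article: the arithmetic behind the
# article's point that packets per second (pps), not Mbps, decides whether a
# sensor keeps up. Assumption: the article's 78 Mbps and 40 Mbps figures for a
# 10,000 pps sensor treat 1 Mbit as 2**20 bits; the same unit is used here so
# the numbers reproduce.
import math

MBIT = 2 ** 20  # bits per Mbps unit, matching the article's figures (assumption)


def throughput_mbps(pps, avg_packet_bytes):
    """Data traffic per second a sensor rated for `pps` can handle when the
    average packet is `avg_packet_bytes` long."""
    return pps * avg_packet_bytes * 8 / MBIT


def required_pps(traffic_mbps, avg_packet_bytes):
    """Packet rate the sensor must sustain to process `traffic_mbps` of
    traffic made of packets averaging `avg_packet_bytes` (rounded up)."""
    return math.ceil(traffic_mbps * MBIT / (avg_packet_bytes * 8))


def will_drop(traffic_mbps, avg_packet_bytes, pps_capacity):
    """True when the offered packet rate exceeds the sensor's pps capacity,
    the condition under which the article says packets are lost."""
    return required_pps(traffic_mbps, avg_packet_bytes) > pps_capacity


def capacity_table(pps_capacity, sizes=(64, 128, 256, 512, 1024, 1500)):
    """Mbps ceiling per average packet size for one pps rating: the same
    sensor looks more than 20 times faster on 1500-byte packets than on
    64-byte ones."""
    return {s: round(throughput_mbps(pps_capacity, s), 2) for s in sizes}


if __name__ == "__main__":
    print(throughput_mbps(10_000, 1024))  # 78.125, the article's 78 Mbps
    print(throughput_mbps(10_000, 512))   # 39.0625, the article's 40 Mbps
    print(capacity_table(10_000))
    print(required_pps(100, 64), will_drop(100, 64, 10_000))  # 204800 True
```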

3. Number of network connections per second

A network intrusion detection system not only processes individual packets but also reassembles the packets belonging to the same network connection. Connection tracking and packet reassembly are the basis for protocol analysis and application-layer intrusion analysis in a NIDS. This analysis underlies many functions of network intrusion detection systems, such as detecting attacks that use the HTTP protocol, sensitive content detection, email detection, and telnet session monitoring.

4. The number of events that can be processed per second

After a network intrusion detection system detects a network attack or suspicious event, it generates a security event or alarm event and records it in the event log. The number of events that can be processed per second reflects the processing capability of the detection engine and the back-end capability of event logging. Some vendors state these two capabilities as separate figures, called the performance parameters of the event processing engine and the performance parameters of alarm event recording. In most network intrusion detection systems the alarm event recording figure is lower than the event processing engine figure, mainly because the NIDS uses a client/server structure, which introduces the performance bottleneck of network communication. This leads to lost events or an unresponsive console.

III. Which factors affect performance indicators?

The performance of a network intrusion detection system depends on software and hardware factors.

1. Software factors

Software factors are mainly:

● The efficiency of packet capture;

● The efficiency of packet reassembly and TCP stream reassembly. This factor seriously affects the performance of a network intrusion detection system, because it imposes a very large overhead on the processor and memory. If packet reassembly and TCP stream reassembly are done in user space, the operating system must switch between kernel mode and user mode extremely frequently, resulting in a large amount of additional system overhead;

● The efficiency of intrusion analysis. Intrusion detection is generally based on signature matching, which matches network packets against the intrusion rule library. Many products use protocol analysis technology to improve the efficiency of intrusion analysis: protocol analysis first strips redundant data, then dispatches to the rule tree as early as possible, which accelerates the depth-first traversal;

● Under the C/S structure, the delay of network communication. A network communication module is introduced on both the server side and the client side, which increases the delay of event transmission. Most network intrusion detection systems use a client/server structure, such as ISS RealSecure, the Symantec IDS, Queon's Tianzhu and Kido's KIDS. Network intrusion detection systems with a browser/server (B/S) structure, such as Fang Tong's Sniper, do not have this problem, because their events are stored directly on the network sensor;

● The recording capability of the event log database. Some systems separate event collection, so the event collector and the event log database also form a C/S structure and introduce a delay; if the event collector and the log database are on different hosts, a network transmission delay is introduced as well. ISS RealSecure, Qikin Chen's Tianzhu and Jinnuo's KIDS also use this structure; network intrusion detection systems based on the browser/server structure do not have this problem;

● The event display efficiency of the console. In many C/S designs a large number of events will crash the console. In many C/S structures the console does too much: network communication with the sensor, communication with the event log database, plus event display, event analysis, system management, configuration and so on, which introduces many performance bottlenecks. If real-time monitoring cannot be achieved, the value of the network intrusion detection system is greatly reduced.

2. Hardware factor

Hardware factors are mainly CPU processing capability, memory, network card, hard disk IO and so on.

● CPU processing capability

CPU processing capability is an important factor affecting the performance of the network sensor of a network intrusion detection system. It affects the system in three respects: CPU frequency, the number of CPUs (these two are called the vertical and horizontal scaling capabilities of the CPU), and how well the CPU capacity is utilized. In general, the higher the CPU frequency, the higher the processing capacity of the network sensor, which is obvious.

But does increasing the number of CPUs increase the performance of the network sensor? This depends on whether the system has a multi-process or multi-threaded architecture. Many network intrusion detection systems have done multiprocessor optimization.

The utilization of CPU processing capacity also greatly affects the performance of the network sensor, so how can that utilization be improved? One very important method is to optimize the network sensor for the CPU instruction set; for example, on a P4 processor, use the P4 instruction set as much as possible. Intel's C/C++ compiler provides optimization for its instruction sets, and Intel Labs also offers this optimization service. Currently Intel's new Xeon processors use Hyper-Threading technology, but whether the network sensor has been optimized for Hyper-Threading is another question; Hyper-Threading is not supported by the latest Linux kernel.

● Memory

The impact of memory on the network sensor is significant, because a network intrusion detection system requires a large amount of memory for packet capture, packet reassembly, stream reassembly, protocol analysis, rule matching and other computations.

How memory is used is also critical, because it affects CPU utilization. Memory use includes allocation, release, copying, matching and so on. Improper use causes memory leaks on the one hand and consumes CPU overhead on the other.

Part of the network sensor's processing runs in kernel mode and the other part runs in user mode. If the two share data, memory must be copied and control switched between kernel mode and user mode, and the CPU overhead of each switch is large. If switches are very frequent, the CPU overhead becomes very large.

● L2 cache

The size of the L2 cache also has a positive effect on the performance of the network sensor, so use as large an L2 cache as possible.

● Network card

The network card affects the performance of the network sensor mainly through capture efficiency. When the network card reaches its performance peak it easily drops packets, so the network sensor cannot use an ordinary network card. Currently the most commonly used are the Intel and 3Com series of network cards, for example the Intel 82559, 82543 and 82544 used in Intel gigabit cards.

If the network intrusion detection system supports monitoring on multiple network cards, each network card is best placed on a different bus segment.

The network card also affects the data transfer between the network sensor and the console.

The network card driver also has an important impact on the network sensor; some network intrusion detection systems do special optimization of the NIC driver.

● PCI bus bandwidth

Another very important hardware factor is PCI bus bandwidth. On a gigabit network intrusion detection system in particular, to achieve a capture rate of several Gbps, multiple 66 MHz/64-bit PCI or 133 MHz/64-bit PCI-X expansion slots must be used. If the PCI-X bus is used, PCI-X compatible NICs must be used to take full advantage of the PCI-X 133 MHz standard. To provide better bandwidth, multiple network cards must be distributed sensibly across the PCI/PCI-X bus segments.

● Hard disk IO

Because the sensor of a network intrusion detection system needs to store a large amount of log information on the hard disk, hard disk IO also affects the performance of the network sensor.


Performance of the intrusion detection system | 2004-10-15 18:24 | Source: chinaunix
