Re-examining the performance bottleneck in a NIDS with detailed profiling

Designing a high-speed network intrusion detection system (NIDS) has attracted much attention in recent years due to ever-increasing amount of network traffic and ever-complicated attacks. Numerous studies have been focusing on accelerating pattern matching for a high-speed design because some early studies observed that pattern matching is a performance bottleneck. However, the effectiveness of such acceleration has been challenged recently. This work therefore re-examines the performance bottleneck by profiling two popular NIDSs, Snort and Bro, with various types of network traffic in detail. In the profiling, we find pattern matching can be dominant in the Snort execution if the entire packet payloads in the connections are scanned, while executing the policy scripts is an obvious bottleneck in the Bro execution. This work suggests three promising directions towards a high-speed NIDS design for future research: a method to precisely specify the possible locations of the signatures in long connections, a compiler to transform the policy scripts to efficient binary codes for execution, and an efficient design of connection tracking and packet reassembly.