Advancing Snort IPS to Achieve Line Rate Traffic Processing for Effective Network Security Monitoring

Muhammad Sheeraz; Muhammad Hanif Durad; Shahzaib Tahir; Hasan Tahir; Saqib Saeed; Abdullah M. Almuhaideb

doi:10.1109/ACCESS.2024.3395123

IEEE Access (Jan 2024)

Advancing Snort IPS to Achieve Line Rate Traffic Processing for Effective Network Security Monitoring

Muhammad Sheeraz,
Muhammad Hanif Durad,
Shahzaib Tahir,
Hasan Tahir,
Saqib Saeed,
Abdullah M. Almuhaideb

Affiliations

Muhammad Sheeraz: Department of Computer and Information Sciences, Pakistan Institute of Engineering and Applied Sciences, Islamabad, Pakistan
Muhammad Hanif Durad: ORCiD; Department of Computer and Information Sciences, Pakistan Institute of Engineering and Applied Sciences, Islamabad, Pakistan
Shahzaib Tahir: ORCiD; Department of Information Security, College of Signals, National University of Sciences and Technology (NUST), Islamabad, Pakistan
Hasan Tahir: ORCiD; Department of Information Security, School of Electrical Engineering and Computer Science, National University of Sciences and Technology (NUST), Islamabad, Pakistan
Saqib Saeed: ORCiD; Saudi Aramco Cybersecurity Chair, Department of Computer Information Systems, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, Dammam, Saudi Arabia
Abdullah M. Almuhaideb: ORCiD; Saudi Aramco Cybersecurity Chair, Department of Networks and Communications, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, Dammam, Saudi Arabia

DOI: https://doi.org/10.1109/ACCESS.2024.3395123
Journal volume & issue: Vol. 12
pp. 61848 – 61859

Abstract

Read online

Intrusion Prevention Systems (IPS), capable of preventing the organizational network from a cyber-attack in addition to detecting it, are widely adopted by organizations to protect their networks from unauthorized access, attacks, and malicious activities. Similarly, Snort an open-source IPS is extensively used for effective network security monitoring and analysis. When functioning as an IPS, Snort can be deployed in inline mode within an organizational network, so that all the organizational network traffic travels through it, hence actively blocking or preventing malicious traffic in real-time. This requires Snort to process the network traffic fast enough to match the network traffic line rate. But the Snort IPS default data acquisition module i.e. advanced packet filtering (AF_PACKET) cannot process network traffic at the line rate that causes packet loss and network services disturbance. This research work discusses the technologies available to make Snort IPS process network traffic at line rate. Packet filtering framework (PF_RING) and data plane development kit (DPDK) are the most effective and widely used software technologies, whereas the Napatech smart network interface card (smartNIC) is a very efficient hardware technology for achieving line rate traffic processing. A throughput comparison shows that PF_RING and DPDK achieve a throughput close to 1G with 100% CPU utilization whereas Napatech smartNIC achieves full 1G throughput with CPU utilization of less than 5%. Furthermore, the integration of Snort IPS with the security information and event management (SIEM) system has been discussed for better attack detection in an organizational network.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords