From: Stuart Staniford (stuart@silicondefense.com)
Date: Mon Aug 06 2001 - 21:32:21 CDT
robert_david_graham wrote:
> The second bottleneck is NIDS analysis at high rates. Most NIDS use
> "pattern-match", which has the property that the more signatures you add,
> the slower it becomes. Network ICE uses "state-based protocol-analysis",
> which means that it doesn't slow down as you add signatures because it
> follows a decision tree.
Mmmm. Pattern matching need not degrade linearly with the number of signatures - the
pattern match can be organized into a tree also. See
http://www.silicondefense.com/software/acbm/speed_of_snort_03_16_2001.pdf
and
http://public.lanl.gov/mfisk/papers/ucsd-tr-cs2001-0670.pdf
And protocol analysis approaches such as you describe must degrade somewhat with more
signatures, because the depth of the decision tree is increasing (presumably that
degradation is linear).
[This is not intended as a general comment on pattern-matching versus protocol analysis,
just a clarification that this particular argument Rob makes is much less clear-cut than
he suggests].
Stuart.
--
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuart@silicondefense.com http://www.silicondefense.com/
(707) 445-4355 x 16 (707) 445-4222 (FAX)
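To make the point of the reply concrete (a set of byte-pattern signatures can be organised into a tree so that a packet is walked once, whatever the number of signatures loaded), here is an added example that is not part of the original post and not code from Silicon Defense, Network ICE or Snort. It builds a multi-pattern matcher as a trie with failure links (the Aho-Corasick construction, one of the approaches the linked papers discuss) next to a plain per-signature scan, and counts the steps each takes, so the effect of adding signatures can be measured. The signature strings, the filler signatures and the sample payload are constructed for illustration.

```python
"""Added example (not from the original post): tree-organised multi-pattern
matching versus one scan per signature, with a step counter on each."""

from collections import deque


class AhoCorasick:
    """Trie of all signatures plus failure links; the payload is walked once."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[state][byte] -> next state
        self.fail = [0]    # failure link of each state
        self.out = [[]]    # signatures that end at each state
        for pat in patterns:
            self._add(pat)
        self._link()

    def _add(self, pat):
        state = 0
        for b in pat:
            if b not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = len(self.goto) - 1
            state = self.goto[state][b]
        self.out[state].append(pat)

    def _link(self):
        # Breadth-first, so fail[parent] is known before its children are linked.
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A signature that is a suffix of this one also ends here.
                self.out[s].extend(self.out[self.fail[s]])
                queue.append(s)

    def search(self, data):
        """Return (sorted hits, steps); a step is a goto lookup or a failure follow."""
        state, hits, steps = 0, [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
                steps += 1
            state = self.goto[state].get(b, 0)
            steps += 1
            for pat in self.out[state]:
                hits.append((i - len(pat) + 1, pat))
        return sorted(hits), steps


def naive_search(patterns, data):
    """Scan the whole payload once per signature, counting byte comparisons."""
    hits, steps = [], 0
    for pat in patterns:
        for i in range(len(data) - len(pat) + 1):
            j = 0
            while j < len(pat):
                steps += 1
                if data[i + j] != pat[j]:
                    break
                j += 1
            else:                      # no break: the whole signature matched
                hits.append((i, pat))
    return sorted(hits), steps


# Constructed signatures and payload (not taken from any real rule set).
SIGNATURES = [b"/cgi-bin/", b"../", b"cmd.exe", b"<script>"]
PAYLOAD = b"GET /cgi-bin/../../cmd.exe?x=<script> HTTP/1.0"


def scaling(payload=PAYLOAD, base=SIGNATURES, extra=36):
    """Step counts for both matchers with the base signatures alone and with
    `extra` constructed filler signatures added on top."""
    large = base + [b"sig-%03d" % i for i in range(extra)]
    return {
        "naive_small": naive_search(base, payload)[1],
        "naive_large": naive_search(large, payload)[1],
        "tree_small": AhoCorasick(base).search(payload)[1],
        "tree_large": AhoCorasick(large).search(payload)[1],
    }


if __name__ == "__main__":
    print(AhoCorasick(SIGNATURES).search(PAYLOAD)[0])
    print(scaling())
```

Both matchers report the same hits. The per-signature scan's step count grows roughly in proportion to the number of signatures, while the tree walk stays bounded by twice the payload length (each failure follow moves the state closer to the root, so there can be no more of them than successful transitions). Building the tree does get more expensive as signatures are added, but that cost is paid once at load time rather than per packet, which is the distinction the reply draws.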