Date of Award
Master of Science (MS)
David J. Coe
Computer networks--Security measures; Fault-tolerant computing; Computer architecture; Genetic algorithms
Reducing the time required to keep an anomaly-based network intrusion detection system (NIDS) up to date with continuously changing web server features is of the utmost importance for keeping intrusion detection as accurate as possible. Web applications and content change frequently on web servers to keep users interested and returning. This frequent updating poses an interesting problem for anomaly-based NIDS, which rely on knowing what normal traffic patterns look like: retraining and reconfiguration to adapt to new applications or features of a website is strongly advised to maintain accurate detection performance, yet training an anomaly-based NIDS can be a major strain on computational resources and a time sink. Using cost-efficient, off-the-shelf hardware, the training of an anomaly-based NIDS may be offloaded from a web server's central processing unit (CPU) onto a single instruction, multiple data (SIMD) architecture device and completed hundreds of times faster. Some anomaly-based NIDS algorithms also lend themselves to other approaches to accelerated training, such as a genetic algorithm: an automated search through the input parameter solution space can be completed efficiently, reducing the time required to choose appropriate input parameters. In this thesis, the use of graphics processing units (GPUs) and a genetic algorithm search heuristic are studied to accelerate the reconfiguration time of two different anomaly- and payload-based NIDS. A SIMD implementation is demonstrated on the Payload-based Dispersion (PBD) algorithm, highlighting its data-parallel computational design and how workloads are distributed for processing by individual threads. The SIMD implementation of the PBD algorithm achieves results comparable to other related work, speeding up certain portions of the algorithm by approximately 28 to 55 times.
The Lightweight Stateless Payload Inspection (LiSPI) algorithm is selected to show a different use of data-parallel computation, together with a genetic algorithm, to achieve fast reconfiguration times. The LiSPI algorithm requires appropriate input parameters to achieve accurate detection performance. The default parameters required to run the algorithm result in a solution space of approximately 43 million combinations, which may grow depending on the parameters provided. A brute-force search using the GPU yields optimal results in minutes, whereas a serial implementation would require weeks of computation. The genetic algorithm approach results in acceleration similar to the GPU brute-force search.
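The two parameter searches the abstract contrasts, a brute-force sweep of the whole solution space and a genetic search over the same space, shown as an added example rather than code from the thesis. The detector being tuned is a constructed toy (the fraction of a payload's byte n-grams that were rarely seen in normal training traffic), not the PBD or LiSPI algorithm; its three parameters, the parameter grid, and every request and attack payload are assumptions made for this example. The brute-force loop evaluates each grid point independently, which is the data-parallel structure a GPU implementation spreads across threads; the genetic search reaches a comparable optimum while evaluating only a fraction of the grid:

```python
# Added example: tune a toy payload-anomaly detector by brute force and by a
# genetic algorithm. The detector, its parameters and all payloads are
# constructed stand-ins; none of this is the thesis's PBD or LiSPI code.
import random
from itertools import product

# Constructed normal traffic used to build the profile (not captured data).
NORMAL_TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\nAccept: text/html\r\n\r\n",
    b"POST /cart/add HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nsku=1042&qty=2",
    b"GET /search?q=running+shoes HTTP/1.1\r\nHost: shop.example\r\nAccept: text/html\r\n\r\n",
    b"GET /api/v1/products?page=3 HTTP/1.1\r\nHost: shop.example\r\nAccept: application/json\r\n\r\n",
    b"GET /css/site.css HTTP/1.1\r\nHost: shop.example\r\nAccept: text/css\r\n\r\n",
]
# Constructed held-out normal requests drawn from the same byte vocabulary.
NORMAL_VALID = [
    b"GET /contact HTTP/1.1\r\nHost: shop.example\r\nAccept: text/html\r\n\r\n",
    b"POST /cart/add HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nsku=2210&qty=1",
    b"GET /api/v1/products?page=4 HTTP/1.1\r\nHost: shop.example\r\nAccept: application/json\r\n\r\n",
    b"GET /js/app.js HTTP/1.1\r\nHost: shop.example\r\nAccept: text/javascript\r\n\r\n",
]
# Constructed binary "attack" payloads made only of bytes >= 0x80, which never
# occur in the text-only training traffic, so every one of their n-grams is new.
ATTACK_VALID = [
    bytes([0x90] * 8) + bytes(range(0xC0, 0xE0)),
    bytes(range(0x80, 0xA0)) + bytes([0xFF] * 6),
    bytes([0xE8, 0xFF, 0xFF, 0xFF, 0xFF] * 5),
    bytes([0xCC, 0xEB, 0xFE] * 7),
]
# Hypothetical parameter space: n-gram size, the training count below which an
# n-gram is "rare", and the alarm threshold on the rare fraction. 4*3*21 = 252.
PARAM_SPACE = {
    "ngram": [1, 2, 3, 4],
    "min_count": [1, 2, 3],
    "threshold": [round(0.05 * i, 2) for i in range(21)],
}

def ngrams(payload, n):
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]

def train_profile(payloads, n):
    """Count every byte n-gram seen in normal traffic (the training step)."""
    counts = {}
    for p in payloads:
        for g in ngrams(p, n):
            counts[g] = counts.get(g, 0) + 1
    return counts

def anomaly_score(profile, payload, n, min_count):
    """Fraction of the payload's n-grams seen fewer than min_count times."""
    grams = ngrams(payload, n)
    return 1.0 if not grams else sum(profile.get(g, 0) < min_count for g in grams) / len(grams)

def evaluate(params):
    """Fitness of one (ngram, min_count, threshold) point: validation accuracy."""
    n, min_count, threshold = params
    profile = train_profile(NORMAL_TRAIN, n)
    hits = sum(anomaly_score(profile, p, n, min_count) <= threshold for p in NORMAL_VALID)
    hits += sum(anomaly_score(profile, p, n, min_count) > threshold for p in ATTACK_VALID)
    return hits / (len(NORMAL_VALID) + len(ATTACK_VALID))

def brute_force(space):
    """Evaluate every grid point; each call is independent, which is the
    data-parallel loop a GPU implementation hands to one thread per point."""
    grid = list(product(*space.values()))
    scored = [(evaluate(p), p) for p in grid]
    best_fit = max(f for f, _ in scored)
    best = min(p for f, p in scored if f == best_fit)  # deterministic tie-break
    return best, best_fit, len(grid)

def genetic_search(space, pop_size=16, generations=8, elite=2, mut_rate=0.2, seed=1):
    """Evolve index vectors into the grid; returns (params, fitness, evaluations)."""
    rng = random.Random(seed)
    keys, sizes = list(space), [len(v) for v in space.values()]
    cache = {}  # memoised fitness, so the count is of unique grid points tried

    def fitness(genes):
        if genes not in cache:
            cache[genes] = evaluate(tuple(space[k][g] for k, g in zip(keys, genes)))
        return cache[genes]

    def tournament(pop):
        a, b = rng.sample(pop, 2)
        return a if fitness(a) >= fitness(b) else b

    pop = [tuple(rng.randrange(s) for s in sizes) for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        nxt = pop[:elite]  # elitism: the best candidates so far are never lost
        while len(nxt) < pop_size:
            p1, p2 = tournament(pop), tournament(pop)
            child = tuple(rng.choice(pair) for pair in zip(p1, p2))  # uniform crossover
            child = tuple(rng.randrange(s) if rng.random() < mut_rate else g
                          for g, s in zip(child, sizes))  # per-gene mutation
            nxt.append(child)
        pop = nxt
    best = max(pop, key=fitness)
    return tuple(space[k][g] for k, g in zip(keys, best)), fitness(best), len(cache)

if __name__ == "__main__":
    for name, search in (("brute force", brute_force), ("genetic", genetic_search)):
        params, fit, evals = search(PARAM_SPACE)
        print(f"{name:12s} best={params} accuracy={fit:.3f} evaluations={evals}")
```

Running the script prints the best parameters each search found and how many candidate evaluations it spent: the brute-force sweep always touches all 252 points, while the genetic search is capped at 16 + 8 x 14 = 128 unique evaluations by its population size and generation count. That evaluation count, not wall-clock time on a grid this small, is the quantity that scales to the 43-million-point space the abstract describes. Elitism guarantees the genetic search never regresses between generations, but it does not guarantee the global optimum; on a real detector one would confirm the result against a held-out validation set before deploying the chosen parameters.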
Edmonds, William C. Jr., "Accelerating reconfiguration of network anomaly detection systems" (2015). Theses. 125.