High-Speed Network Traffic Acquisition for Agent Systems

This paper presents a design of high-speed network traffic acquisition subsystem suitable for agent-based intrusion detection systems. To match the performance requirements and to improve network traffic measurement, wire-speed data acquisition layer is based on hardware-accelerated probes, which provide real-time network traffic statistics. The network traffic is stored in collector servers and preprocessed data is then sent to detection agents that use heterogenous anomaly detection methods. These methods are correlated by means of trust and reputation models, and the conclusions regarding the maliciousness of the traffic is presented to the operator. Presented system is designed to improve the performance of agent-based intrusion detection systems and allow them to efficiently identify malicious traffic. The main contribution of presented system is its ability to aggregate real-time network-wide statistics from geographically dispersed probes. Traffic acquisition system is designed for deployment on high-speed backbone networks.