
Advancing Protocol Diversity in Network Security Monitoring

Grashöfer, Jan; Oettig, Peter; Sommer, Robin; Wojtulewicz, Tim; Hartenstein, Hannes

With information technology entering new fields and levels of deployment, e.g., in areas of energy, mobility, and production, network security monitoring needs to be able to cope with those environments and their evolution. However, state-of-the-art Network Security Monitors (NSMs) typically lack the necessary flexibility to handle the diversity of the packet-oriented layers below the abstraction of TCP/IP connections. In this work, we advance the software architecture of a network security monitor to facilitate the flexible integration of lower-layer protocol dissectors while maintaining required performance levels. We proceed in three steps: First, we identify the challenges for modular packet-level analysis, present a refined NSM architecture to address them and specify requirements for its implementation. Second, we evaluate the performance of data structures to be used for protocol dispatching, implement the proposed design into the popular open-source NSM Zeek and assess its impact on the monitor performance. Our experiments show that hash-based data structures for dispatching introduce a significant overhead while array-based approaches qualify for practical application. ...
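The abstract's central design point, a tree of lower-layer analyzers that hand their payload on through an identifier-keyed dispatcher, is easiest to see in code. The following is an added illustration written for this page; it is not code from the paper and not Zeek's own implementation. It assumes a simplified analyzer interface (`Analyze`, `Forward`, `Outbound`) and uses the EtherType as the dispatch identifier, with an array-based dispatcher sized to the largest registered identifier so that a lookup is a bounds check plus an index. The IPv4, VLAN and GOOSE layers are deliberately minimal, and all sample frames are constructed inline rather than captured.

```cpp
// Added example, not code from the paper or from Zeek: a minimal packet-analyzer
// tree in the style the abstract describes. Each layer hands its payload on by an
// identifier (here the EtherType) through an array-based dispatcher: a vector sized
// to the largest registered identifier, so a lookup is a bounds check plus an index.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

class Analyzer;
// Array-based dispatcher (the hash-based alternative would be std::unordered_map).
class Dispatcher {
public:
    void Register(uint32_t id, Analyzer* a) {
        if (id >= table_.size()) table_.resize(static_cast<size_t>(id) + 1, nullptr);
        table_[id] = a;
    }
    Analyzer* Lookup(uint32_t id) const { return id < table_.size() ? table_[id] : nullptr; }
private:
    std::vector<Analyzer*> table_;  // sparse: unregistered slots stay nullptr
};

class Analyzer {
public:
    virtual ~Analyzer() = default;
    // Appends this layer's finding to `trace`; returns false if the bytes don't fit.
    virtual bool Analyze(const uint8_t* d, size_t n, std::string& trace) = 0;
    Dispatcher& Outbound() { return out_; }
protected:
    // Hand the remaining bytes to the child registered for `id`, if there is one.
    bool Forward(uint32_t id, const uint8_t* d, size_t n, std::string& trace) {
        Analyzer* next = out_.Lookup(id);
        if (!next) { trace += ">unknown(0x" + Hex(id) + ")"; return false; }
        return next->Analyze(d, n, trace);
    }
    static uint32_t Be16(const uint8_t* p) { return (uint32_t(p[0]) << 8) | p[1]; }
    static std::string Hex(uint32_t v) { char b[16]; std::snprintf(b, sizeof b, "%x", v); return b; }
private:
    Dispatcher out_;
};

class EthernetAnalyzer : public Analyzer {
public:
    bool Analyze(const uint8_t* d, size_t n, std::string& t) override {
        if (n < 14) { t += "ethernet(truncated)"; return false; }
        t += "ethernet";
        return Forward(Be16(d + 12), d + 14, n - 14, t);  // EtherType sits at offset 12
    }
};
class VlanAnalyzer : public Analyzer {  // 802.1Q tag: 2-byte TCI, then inner EtherType
public:
    bool Analyze(const uint8_t* d, size_t n, std::string& t) override {
        if (n < 4) { t += ">vlan(truncated)"; return false; }
        t += ">vlan(" + std::to_string(Be16(d) & 0x0fff) + ")";  // VID is the low 12 bits
        return Forward(Be16(d + 2), d + 4, n - 4, t);
    }
};
class IPv4Analyzer : public Analyzer {  // leaf here; a real NSM continues to TCP/UDP
public:
    bool Analyze(const uint8_t* d, size_t n, std::string& t) override {
        if (n < 20 || (d[0] >> 4) != 4) { t += ">ipv4(malformed)"; return false; }
        t += ">ipv4(proto=" + std::to_string(d[9]) + ")";
        return true;
    }
};
class GooseAnalyzer : public Analyzer {  // IEC 61850 GOOSE: non-IP, carried directly on Ethernet
public:
    bool Analyze(const uint8_t* d, size_t n, std::string& t) override {
        if (n < 8) { t += ">goose(truncated)"; return false; }  // APPID, length, two reserved words
        t += ">goose(appid=" + std::to_string(Be16(d)) + ")";
        return true;
    }
};

struct Stack {  // Ethernet -> {IPv4, VLAN, GOOSE}; VLAN -> {IPv4, GOOSE}
    EthernetAnalyzer eth; VlanAnalyzer vlan; IPv4Analyzer ip4; GooseAnalyzer goose;
    Stack() {
        eth.Outbound().Register(0x0800, &ip4);   eth.Outbound().Register(0x8100, &vlan);
        eth.Outbound().Register(0x88B8, &goose); vlan.Outbound().Register(0x0800, &ip4);
        vlan.Outbound().Register(0x88B8, &goose);
    }
};

// Runs a frame through the tree and returns the path taken, e.g. "ethernet>goose(appid=1)".
std::string AnalyzeFrame(const std::vector<uint8_t>& frame) {
    static Stack stack;
    std::string trace;
    stack.eth.Analyze(frame.data(), frame.size(), trace);
    return trace;
}

// Constructed sample frames (zeroed MAC addresses, minimal payloads), not captured traffic.
std::vector<uint8_t> Frame(uint16_t ethertype, std::vector<uint8_t> payload) {
    std::vector<uint8_t> f = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, uint8_t(ethertype >> 8), uint8_t(ethertype)};
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}
std::vector<uint8_t> SampleVlanIpv4Frame() {
    std::vector<uint8_t> ip(20, 0); ip[0] = 0x45; ip[9] = 6;  // IPv4, IHL 5, protocol TCP
    std::vector<uint8_t> p = {0x00, 0x64, 0x08, 0x00};        // VID 100, inner EtherType 0x0800
    p.insert(p.end(), ip.begin(), ip.end()); return Frame(0x8100, p);
}
std::vector<uint8_t> SampleGooseFrame() { return Frame(0x88B8, {0x00, 0x01, 0x00, 0x08, 0, 0, 0, 0}); }
```

Two points carry over to a real monitor. First, the dispatcher is keyed by whatever identifier the parent layer extracts, so the same `Dispatcher` type serves EtherType under Ethernet, the inner EtherType under a VLAN tag, or an IP protocol number under IPv4; that uniformity is what makes non-IP stacks such as GOOSE pluggable next to IP without special-casing. Second, because identifiers are sparse (EtherTypes span 16 bits but a deployment registers a handful), the array trades memory for a branch-free lookup on the hot path, which is the trade-off the abstract reports as favourable over hashing.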

DOI: 10.5445/IR/1000134446
Published online: 25.06.2021
Affiliated institution(s) at KIT: Kompetenzzentrum für angewandte Sicherheitstechnologie (KASTEL)
Publication type: Research report / preprint
Publication date: 23.06.2021
Language: English
Identifier: KITopen-ID: 1000134446
Keywords: Network Security Monitoring, Industrial Control Systems, Software Architecture, non-IP Protocol Stacks, GOOSE, Profinet
Indexed in: arXiv