Improving the Performance Efficiency of an IDS by Exploiting Temporal Locality in Network Traffic

Govind Sreekar Shenoy, J. Tubella, A. González

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Network traffic has traditionally exhibited temporal locality in the header fields of packets. Such locality is intuitive and is a consequence of the semantics of network protocols. In contrast, locality in the packet payload has not been studied in significant detail. In this work we study temporal locality in the packet payload. Temporal locality can also be viewed as redundancy, and we observe significant redundancy in the packet payload. We investigate mechanisms to exploit it in a networking application, choosing Intrusion Detection Systems (IDS) as a case study. An IDS like the popular Snort operates by scanning packet payload for known attack strings. It first builds a Finite State Machine (FSM) from a database of attack strings, and then traverses this FSM using the bytes of the packet payload. Temporal locality in network traffic therefore provides an opportunity to accelerate this FSM traversal. Our mechanism dynamically identifies redundant bytes in the packet and skips their redundant FSM traversal. We further parallelize our mechanism by performing the redundancy identification concurrently with stages of Snort packet processing. IDS are commonly deployed on commodity processors, and we evaluate our mechanism on an Intel Core i3. Our performance study indicates that the length of the redundant chunk is a key factor in performance. We also observe important performance benefits from deploying our redundancy-aware mechanism in the Snort IDS [32].
Original language: English
Title of host publication: Modeling, Analysis & Simulation of Computer and Telecommunication Systems (MASCOTS), 2012 IEEE 20th International Symposium on
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Number of pages: 10
ISBN (Print): 978-1-4673-2453-3
Publication status: Published - 1 Aug 2012


  • computer network performance evaluation
  • computer network security
  • finite state machines
  • protocols
  • telecommunication traffic
  • Intel Core i3
  • Snort IDS
  • Snort packet processing
  • attack strings
  • commodity processors
  • finite state machine
  • intrusion detection systems
  • network protocols
  • network traffic
  • packet payload
  • performance efficiency
  • redundancy-aware mechanism
  • redundant FSM traversal
  • temporal locality
  • Acceleration
  • Clocks
  • Instruction sets
  • Libraries
  • Pattern matching
  • Payloads
  • Redundancy
  • Intrusion Detection systems
  • deep packet inspection
  • software caches
  • system performance evaluation

