High-Speed Intrusion Detection System for Network Security

About the Client

Apple Inc. is a multinational technology company. They design, manufacture, and market a variety of electronic devices, software, and online services. Their product portfolio includes the iPhone, iPad, Mac, Apple Watch, and Apple TV, as well as a suite of professional and consumer software applications.
Software & Hi-Tech

Company’s Request

Apple Inc. needed expertise in developing internal solutions specifically designed to examine vast volumes of network traffic. The primary objective was to detect suspicious activity, improve their cybersecurity procedures, and assess the efficiency of various technologies in attaining these objectives.

Technology Set

A high-level, interpreted programming language known for its readability and versatility in various types of programming, from scripting to web development.
A general-purpose, procedural programming language that provides low-level access to memory and is widely used for system programming.
Also known as Golang, it's a statically typed, compiled language known for its simplicity and efficiency, often used in distributed systems and cloud services.
A multi-paradigm language focused on performance and safety, especially safe concurrency, often used for system-level programming.
A tool that allows applications to sniff packets directly from the network card, bypassing the kernel when capturing packets, which significantly increases the performance of the system.
An open-source network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing.
A Linux technology that enables efficient, user-defined kernel-level programs for monitoring and modifying system activities.
An open-source software library that provides deep packet inspection capabilities, allowing for the analysis and classification of network traffic based on application protocols.
A powerful network analysis framework that focuses on anomaly detection, rather than being rule-based.
Amazon Web Services, a comprehensive cloud services platform offering computing power, database storage, content delivery, and other functionalities to help businesses scale and grow.

Our team built a tool to look at a lot of network traffic data. Effective and consistent performance was guaranteed by testing and implementing the solution on dedicated servers, making fast big-data analysis possible. The tool optimizes resource usage by operating within the kernel space, allowing for more efficient packet filtering, which makes the system work better. It includes an alert method for spotting harmful network packets, thereby making the infrastructure safer. 

Throughout the project, our developers strategically switched between various packet inspection technologies, including Zeek, Suricata, Cosmos, and eBPF parsing, to achieve the most efficient and effective results.

Combined traffic (80% https(tls), 10% http, 3% dns, 3% ssh, 4% ftp) Result: Lower memory usage for nDPI (50 MB) and ~250MB for Zeek

We added a load balancing feature for Zeek and Suricata, doubling Testimony’s performance rates for quicker, safer packet transfer. The Suricata ssh protocol parser was also improved to spot harmful network traffic. As a result, this all-in-one tool met our client’s needs for fast big data analysis, network safety, and better system performance.

Testing setup

While the specifics of how our solution is utilized within the client’s infrastructure remain proprietary to Apple Inc, we maintain an ongoing feedback loop with them to make sure our software continues to meet their needs and can be adapted as required. Our team conducts rigorous testing of the solution on AWS, demonstrating its adaptability and scalability in a cloud environment.

Value Delivered

The solution handled enormous volumes of network traffic data with ease and showed consistent performance that complied with expectations.
By detecting and isolating harmful network packets, the solution significantly improves network security.
To make sure that the solution integrates seamlessly into existing infrastructure, the pre-packaged VMs have been customized to suit the client’s needs.
The technology makes massive data analysis possible at high speeds, helping to make data-driven decisions more swiftly.
The solution is scalable across numerous data centers, facilitating efficient big-data analysis on a significant hierarchy.