High-Speed Intrusion Detection System for Network Security
About the Client
Company’s Request
Technology Set
| Technology | Role in the project |
|---|---|
| Python | A high-level, interpreted programming language known for its readability and versatility in various types of programming, from scripting to web development. |
| C | A general-purpose, procedural programming language that provides low-level access to memory and is widely used for system programming. |
| Go | Also known as Golang, a statically typed, compiled language known for its simplicity and efficiency, often used in distributed systems and cloud services. |
| Rust | A multi-paradigm language focused on performance and safety, especially safe concurrency, often used for system-level programming. |
| Testimony | A tool that allows applications to sniff packets directly from the network card, bypassing the kernel when capturing packets, which significantly increases the performance of the system. |
| Suricata | An open-source network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. |
| eBPF | A Linux technology that enables efficient, user-defined kernel-level programs for monitoring and modifying system activities. |
| nDPI | An open-source software library that provides deep packet inspection capabilities, allowing for the analysis and classification of network traffic based on application protocols. |
| Zeek | A powerful network analysis framework that focuses on anomaly detection rather than being rule-based. |
| AWS | Amazon Web Services, a comprehensive cloud services platform offering computing power, database storage, content delivery, and other functionalities to help businesses scale and grow. |
Our team built a tool for analyzing large volumes of network traffic. Consistent performance was verified by testing and deploying the solution on dedicated servers, which made fast analysis of big data feasible. The tool reduces resource usage by filtering packets in kernel space, so fewer packets have to be handed to user-space analysis, and the system as a whole performs better. It also includes an alerting mechanism that flags malicious network packets, making the infrastructure safer.
Throughout the project, our developers switched between several packet inspection technologies, including Zeek, Suricata, Cosmos, and eBPF parsing, to arrive at the most efficient and effective combination.
Benchmark: combined traffic mix (80% HTTPS/TLS, 10% HTTP, 3% DNS, 3% SSH, 4% FTP). Result: lower memory usage for nDPI (50 MB) versus ~250 MB for Zeek.
We added a load-balancing feature for Zeek and Suricata, doubling Testimony's throughput for quicker, safer packet transfer. The Suricata SSH protocol parser was also improved to spot malicious network traffic. As a result, this all-in-one tool met our client's needs for fast big-data analysis, network safety, and better system performance.
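The load-balancing step above has to keep both directions of a connection on the same Zeek or Suricata worker, otherwise stream reassembly (and therefore the SSH parser) sees only half of each session. The following is an added illustration of that idea, not code from the project: a symmetric 5-tuple hash that assigns a flow to one of n workers regardless of which side sent the packet. `FlowKey` and `Worker` are hypothetical names chosen for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/fnv"
	"net/netip"
)

// FlowKey is the 5-tuple extracted from a packet (hypothetical type for this
// example; the page does not describe the balancer's internals).
type FlowKey struct {
	SrcIP, DstIP     netip.Addr
	SrcPort, DstPort uint16
	Proto            uint8
}

// canonical orders the two endpoints so that A->B and B->A yield the same key.
// This is what keeps both halves of a TCP/SSH session on one worker; without it
// the IDS would see only one direction and could not reassemble the stream.
func (k FlowKey) canonical() FlowKey {
	if k.SrcIP.Compare(k.DstIP) > 0 || (k.SrcIP == k.DstIP && k.SrcPort > k.DstPort) {
		return FlowKey{k.DstIP, k.SrcIP, k.DstPort, k.SrcPort, k.Proto}
	}
	return k
}

// Worker returns the index (0..n-1) of the worker that should receive this flow.
func Worker(k FlowKey, n int) int {
	c := k.canonical()
	h := fnv.New32a()
	a, b := c.SrcIP.As16(), c.DstIP.As16()
	h.Write(a[:])
	h.Write(b[:])
	var ports [4]byte
	binary.BigEndian.PutUint16(ports[0:2], c.SrcPort)
	binary.BigEndian.PutUint16(ports[2:4], c.DstPort)
	h.Write(ports[:])
	h.Write([]byte{c.Proto})
	return int(h.Sum32() % uint32(n))
}

func main() {
	// Constructed sample: one SSH session seen from both directions.
	client := FlowKey{netip.MustParseAddr("10.0.0.5"), netip.MustParseAddr("10.0.0.9"), 51234, 22, 6}
	server := FlowKey{netip.MustParseAddr("10.0.0.9"), netip.MustParseAddr("10.0.0.5"), 22, 51234, 6}
	fmt.Println(Worker(client, 4), Worker(server, 4)) // both directions land on the same worker
}
```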
Testing setup
While the specifics of how our solution is used within the client's infrastructure remain proprietary to Apple Inc, we maintain an ongoing feedback loop with them to make sure our software continues to meet their needs and can be adapted as required. Our team conducts rigorous testing of the solution on AWS, demonstrating its adaptability and scalability in a cloud environment.
Value Delivered