Heavy tails and temporal correlations of processing times in network intrusion detection: characterization and consequences

This paper examines two aspects of network intrusion detection which have critical relevance for the configuration (understood as allocation of memory and CPU) of intrusion detection systems (IDSs) hosts and for their operational performance: the presence of heavy tails in the service times for the preprocessing stage, and the presence of substantial temporal correlations in the service times for the content matching stage. Concerning heavy tails in preprocessing, our study reveals that snort preprocessing times give rise to a cumulative distribution function which is extremely heavy-tailed. Concerning temporal correlations, our analysis reveals that payload processing times evolve in two time scales: a fast time scale and a slow time scale. The fast, packet-to-packet time scale corresponds to 40-100 contiguous packets (a packet group), within which the content matching times are independent. In the slow, packet group-to-packet group time scale the mean values of the successive packet groups are heavily correlated and can be predicted. The consequences of the two phenomena are examined in the paper.