cezar_varlan1
Collaborator

What are the performance numbers expected in IPS Pattern Matcher?

According to ATRG: IPS or sk95193 there is a statement about pattern matcher that is a bit ambiguous.

The Pattern Matcher is a fundamental engine within the new enforcement architecture.

  • Pattern Matcher quickly identifies harmless packets, common signatures in malicious packets, and does a second level analysis to reduce false positives.
  • Pattern Matcher engine provides the ability to find regular expressions on a stream of data using a two tiered inspection process:
    • The first tier quickly filters out the vast majority of traffic which is clearly harmless by looking for signatures that are simple to find at a low CPU cost.
    • If the first tier identifies a common attack signature it passes the connection to the second tier to do a second level analysis, thus increasing the confidence that there is indeed an attack.
    • The first tier will never decide on its own that a packet is malicious. It can only decide that a packet is clearly harmless.
    • The second tier can also be instructed to activate further inspection using INSPECTv2 technology when some patterns are matched.

In my understanding what Pattern Matcher should be doing is eliminate harmless or clean traffic and detect malicious packets. What would be the expected rate of malicious packets found by the first tier compared to the rate of packets that the first tier sends to the second tier in order to pass more complex inspection?

I am under the impression this number is clearly estimated and measured. I would however expect this to depend on the type of traffic and be situational and not generic.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

The performance you're going to experience is a function of:

  • Types of traffic flowing through the gateway (which may or may not be malicious)
  • The protection profile in place (what protections are enabled, etc)

If there is more (potentially) malicious traffic flowing and more complex protections are enabled, deeper inspection will need to be done, which will in turn reduce the overall throughput of the gateway.

As to what ratio of traffic goes from first tier to second tier or to even deeper inspection, it really depends on the traffic flow, as you said.
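The two-tier flow described in the sk95193 excerpt above, and the answer's point that the tier-1 to tier-2 ratio depends on the traffic mix, can be made concrete with a small simulation. The code below is an added illustration and is not Check Point's code or the actual Pattern Matcher implementation: the two signatures, the packet payloads and the function names are constructed here. Tier 1 only scans for cheap literal anchors and clears any packet that contains none of them; it never flags anything. Tier 2 runs the full regular expression, and only for the signatures whose anchor fired. Running the same engine over two constructed traffic mixes shows the escalation ratio moving with the traffic rather than being a property of the engine.

```python
import re
from dataclasses import dataclass, field

# Constructed example signatures (not Check Point protections).
# Each entry: (name, tier-1 literal anchor, tier-2 regular expression).
# The anchor is a fixed byte string that is cheap to search for; the regex
# is the expensive check that confirms the context around the anchor.
SIGNATURES = [
    ("traversal-in-path", b"../", re.compile(rb"GET\s+/[^ ]*(\.\./){2,}")),
    ("shell-meta-in-cmd-param", b"cmd=", re.compile(rb"[?&]cmd=[^&\s]*(;|\|)")),
]


@dataclass
class TierStats:
    total: int = 0
    tier1_harmless: int = 0   # cleared by tier 1, never inspected further
    tier2_examined: int = 0   # escalated to tier 2 because an anchor fired
    tier2_matched: int = 0    # confirmed by the tier-2 regular expression
    matches: list = field(default_factory=list)


def inspect(packets):
    """Run every packet through the two-tier matcher and collect counters."""
    stats = TierStats()
    for pkt in packets:
        stats.total += 1
        # Tier 1: a plain substring scan for each anchor. No anchor present
        # means the packet is "clearly harmless" for this signature set.
        candidates = [sig for sig in SIGNATURES if sig[1] in pkt]
        if not candidates:
            stats.tier1_harmless += 1
            continue
        # Tier 2: evaluate only the regexes whose anchor was found. This is
        # the only place a packet can be declared malicious.
        stats.tier2_examined += 1
        hits = [name for name, _, rx in candidates if rx.search(pkt)]
        if hits:
            stats.tier2_matched += 1
            stats.matches.append((pkt, hits))
    return stats


def escalation_ratio(stats):
    """Fraction of all packets that tier 1 could not clear on its own."""
    return stats.tier2_examined / stats.total if stats.total else 0.0


# Constructed sample traffic: HTTP request lines as a gateway might see them.
CLEAN_MIX = [
    b"GET /index.html HTTP/1.1",
    b"GET /images/logo.png HTTP/1.1",
    b"POST /api/login HTTP/1.1",
    b"GET /docs/../docs/guide.html HTTP/1.1",   # anchor fires, regex does not
    b"GET /search?q=cmd=run HTTP/1.1",           # anchor fires, regex does not
]

NOISY_MIX = CLEAN_MIX + [
    b"GET /static/../../config.txt HTTP/1.1",   # confirmed by tier 2
    b"GET /tool?cmd=list|sort HTTP/1.1",        # confirmed by tier 2
]


if __name__ == "__main__":
    for label, mix in (("clean mix", CLEAN_MIX), ("noisy mix", NOISY_MIX)):
        s = inspect(mix)
        print(f"{label}: {s.total} packets, tier1 cleared {s.tier1_harmless}, "
              f"escalated {s.tier2_examined}, confirmed {s.tier2_matched}, "
              f"escalation ratio {escalation_ratio(s):.2f}")
        for pkt, hits in s.matches:
            print("  match:", pkt.decode(), hits)
```

Two packets in the clean mix still reach tier 2 because they happen to contain an anchor, which is the false-positive pressure the second tier exists to absorb; the noisy mix escalates a larger share and confirms some of it. Both runs use the same engine and signature set, so the only variable behind the different ratios is the traffic.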


