Literature Database Entry


Tobias Limmer and Falko Dressler, "Improving the Performance of Intrusion Detection using Dialog-based Payload Aggregation," Proceedings of 30th IEEE Conference on Computer Communications (INFOCOM 2011), 14th IEEE Global Internet Symposium (GI 2011), Shanghai, China, April 2011, pp. 833–838.


We propose Dialog-based Payload Aggregation (DPA) that extracts relevant payload data from TCP/IP packet streams based on sequence numbers in the TCP header for improved intrusion detection performance. Typical network-based Intrusion Detection Systems (IDSs) like Snort, which use rules for matching payload data, show severe performance problems in high-speed networks. Our detailed analysis based on live network traffic reveals that most of the signature matches either occur at the beginning of TCP connections or directly after direction changes in the data streams. Our DPA approach exploits protocol semantics intrinsic to bidirectional communication, i.e., most application layer protocols rely on requests and associated responses with a direction change in the data stream in between. DPA forwards the next N bytes of payload whenever a connection starts, or when the direction of the data transmission changes. All data transferred after this window is discarded. According to experimental results, our method reduces the amount of data to be analyzed at the IDS to around 3.7% for typical network traffic. At the same time, more than 89% of all potential events can be detected. Assuming a linear relationship between data rate and processing time of an IDS, this results in a speedup of more than one order of magnitude in the best case. Our performance analysis that combines DPA with Snort shows a 400% increase in packet processing throughput on commodity hardware.

Quick access

Original Version DOI (at publishers web site)
Authors' Version PDF (PDF on this web site)
BibTeX BibTeX


Tobias Limmer
Falko Dressler

BibTeX reference

    author = {Limmer, Tobias and Dressler, Falko},
    doi = {10.1109/INFCOMW.2011.5928926},
    title = {{Improving the Performance of Intrusion Detection using Dialog-based Payload Aggregation}},
    pages = {833--838},
    publisher = {IEEE},
    issn = {0743-166X},
    isbn = {978-1-4244-9920-5},
    address = {Shanghai, China},
    booktitle = {30th IEEE Conference on Computer Communications (INFOCOM 2011), 14th IEEE Global Internet Symposium (GI 2011)},
    month = {4},
    year = {2011},

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at

This page was automatically generated using BibDB and bib2web.

Last modified: 2024-07-21