An Investigation on Packet Sampling between Kernel and User Space for NIDS

Published in International Symposium on Networks, Computers and Communications (ISNCC), Paris, France, 2025

Extended Berkeley Packet Filter (eBPF) technology has been successfully used to accelerate several data-plane algorithms. An application area of growing interest is intrusion detection, where timely packet processing at high speed is critical. In this paper, we focus on anomaly detection, which uses machine learning to identify packets belonging to a malicious flow. A packet sampling policy lets a kernel-to-user-space pipeline keep pace with network traffic, and we use it to investigate the deployment feasibility of the designed anomaly-based, kernel-enhanced intrusion detection system. The performance tests of the packet sampling policy were carried out on the same dataset used to test the inference algorithm, establishing a packet sampling rate threshold that maintains high accuracy. The throughput measurements were carried out on our testbed, composed of two programmable middleboxes connected back-to-back, using the iperf3 tool for the stress test, validating that our designed network intrusion detection system is suitable for deployment.

Recommended citation: L. Giacometti, D. Crippa, S. Miano and G. Verticale, "An Investigation on Packet Sampling between Kernel and User Space for NIDS," 2025 International Symposium on Networks, Computers and Communications (ISNCC), Paris, France, 2025, pp. 1-6, doi: 10.1109/ISNCC66965.2025.11250446.