1 / 33

New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems

New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems. Victor Heorhiadi , Michael K. Reiter, Vyas Sekar. UNC Chapel Hill UNC Chapel Hill Stony Brook U. Network Intrusion Detection Systems. Popular way to detect attacks Bro & Snort are common software packages

rufina
Download Presentation

New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, VyasSekar UNC Chapel Hill UNC Chapel Hill Stony Brook U

  2. Network Intrusion Detection Systems • Popular way to detect attacks • Bro & Snort are common software packages • Scan network packets for known attacks • Types of analysis: • Deep packet inspection • Signature matching • Scan detection

  3. NIDS Deployments Today N1 N2 N3 N5 N4

  4. Prior Work: On Path Distribution N1 N2 N3 N5 N4 Does not go far enough

  5. Asymmetric Routing Challenge N3 N1 Forward Flow N2 N4 N5 Reverse Flow

  6. Our Work • Generalized network-wide NIDS architecture • Solves the scaling challenge • Solves the asymmetry problem • Leverages new load balancing opportunities • Replication • Aggregation • Backwards compatible, no changes to existing NIDS

  7. Outline • Introduction • Design: New Opportunities • Replication • Aggregation • Implementation • Evaluation

  8. Replication N3 N2 N1 N4 N5 Replicate traffic to the cluster

  9. Controlling Load via Process Fractions N3 N1 N2 N5 N4

  10. Traffic Coverage =1 + + + Flocal(n1n4) N3 Flocal(n1n4) N1 N2 Foffload(n1n4) N5 N4 Flocal(n1n4)

  11. Node Capacity and Link Constraints 100 Kpps 1Mpps N3 40% utilization 100 Kpps N1 N2 N5 N4 40% utilization 100Kpps

  12. Global optimization Routing Traffic Matrix NIDS Capacities Linear program Minimize max-loaded node Subject to Coverage, Link Capacity constraints

  13. LP Output Translation N1N4, Node 1, ¼ process N1N4, Node 1, [0,0.25), process N1N4, Node 2, ½ process N1N4, Node 2, [0.25,0.75), process Translate fractions into hash ranges Iterate & increment Similarly, for offload responsibilities

  14. Per-Packet Decision Making h [0,1] 0 1 Flocal_n1(n1n4) Flocal_n2(n1n4) Flocal_n3(n1n4) Foffload_n2(n1n4) • Hash h of a 5-tuple (protocol, srcip, dstip, srcport, dstport)

  15. Extension to Asymmetric Routing Might not get full coverage • Ffwd_off N3 N1 Forward Flow • Fcommon_loc N2 • Fcommon_off N4 N5 Reverse Flow • Frev_off Old way doesn’t work Treat forward and reverse paths separately

  16. Outline • Introduction • Design: New Opportunities • Replication • Aggregation • Evaluation

  17. Aggregation Scan all the things! +10 Alert 22>20 +5 N2 N1 N3 N5 N4 +7

  18. Outline • Introduction • Design: New Opportunities • Replication • Aggregation • Implementation • Evaluation

  19. Implementation • Backwards compatible • Logic is in the shim • Low overhead

  20. Outline • Introduction • Design: New Opportunities • Replication • Aggregation • Implementation • Evaluation

  21. Comparison to Alternatives Ingress Path, no replicate Path, replicate Path, augmented N3 N1 N2 10x N5 N4

  22. Load reduction by 50% Even compared to “Path, augmented” Reduction in Max Load

  23. We built it, runs with vanilla Snort Corresponds to our simulation results Emulab Deployment

  24. Performance Under Traffic Variability Our setup does not cross max capacity

  25. Coverage with Asymmetric Routing Randomized process for choosing path overlap Miss rates lower than any existing solution

  26. Conclusion • NIDS have problems • Scaling up • Routing asymmetry • Generalized framework • Replication • Aggregation • Enhanced detection • Realized with no changes to existing NIDS • Significant performance and coverage benefits

  27. Full LP Formulation (Replication)

  28. Full LP Formulation (Aggregation)

  29. LP Solver Run Times

  30. Additional Results, Datacenter Placement

  31. Additional Results, Datacenter Capacity

  32. Additional Results, Aggregation Communication Cost

  33. Future Work • Combining replication and aggregation • Extension to NIPS and active monitoring • Traffic re-routing • Change to traffic patterns • Increased robustness to traffic dynamics

More Related