Slide 1: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems (transcript of a PowerPoint presentation)
Victor Heorhiadi, Michael K. Reiter, Vyas Sekar
UNC Chapel Hill, UNC Chapel Hill, Stony Brook U
Slide 2: Network Intrusion Detection Systems
• Popular way to detect attacks
• Bro & Snort are common software packages
• Scan network packets for known attacks
• Types of analysis: deep packet inspection, signature matching, scan detection
Slide 3: NIDS Deployments Today
(diagram: network with nodes N1 to N5)
Slide 4: Prior Work: On-Path Distribution
(diagram: network with nodes N1 to N5)
• Does not go far enough
Slide 5: Asymmetric Routing Challenge
(diagram: nodes N1 to N5, with a forward flow and a reverse flow drawn on different paths)
Slide 6: Our Work
• Generalized network-wide NIDS architecture
• Solves the scaling challenge
• Solves the asymmetry problem
• Leverages new load balancing opportunities: replication, aggregation
• Backwards compatible, no changes to existing NIDS
Slide 7: Outline
• Introduction
• Design: New Opportunities (Replication, Aggregation)
• Implementation
• Evaluation
Slide 8: Replication
(diagram: network with nodes N1 to N5)
• Replicate traffic to the cluster
Slide 9: Controlling Load via Process Fractions
(diagram: nodes N1 to N5; for the path N1→N4, a node processes a fraction f_local(N1→N4) of the traffic locally, offloads a fraction f_offload(N1→N4) to the cluster, and ignores the rest)
Slide 10: Traffic Coverage
(diagram: network with nodes N1 to N5)
Coverage constraint for the path N1→N4: F_local,N1(N1→N4) + F_local,N2(N1→N4) + F_local,N3(N1→N4) + F_offload(N1→N4) = 1, i.e. the fractions processed locally at the on-path nodes plus the fraction offloaded must sum to 1.
Slide 11: Node Capacity and Link Constraints
(diagram: nodes N1 to N5 annotated with NIDS capacities of 100 Kpps and 1 Mpps, and links at 40% utilization)
Slide 12: Global Optimization
• Linear program: minimize the load on the max-loaded node, subject to coverage and link-capacity constraints
• Inputs: traffic matrix, NIDS capacities, routing
Slide 13: LP Output Translation
• Translate fractions into hash ranges: iterate & increment
• Similarly, for offload responsibilities
• Example: "N1→N4, Node 1, ¼, process" becomes "N1→N4, Node 1, [0, 0.25), process"
• Example: "N1→N4, Node 2, ½, process" becomes "N1→N4, Node 2, [0.25, 0.75), process"
Slide 14: Per-Packet Decision Making
• Compute a hash h ∈ [0, 1] of the packet's 5-tuple (protocol, srcip, dstip, srcport, dstport)
(diagram: the interval [0, 1] split into consecutive ranges F_local,N1(N1→N4), F_local,N2(N1→N4), F_local,N3(N1→N4), F_offload,N2(N1→N4); the range containing h determines which node processes or offloads the packet)
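As an added example (not code from the talk or its authors), the LP output translation and the per-packet decision from the two slides above in Python: fractions for one path become consecutive hash ranges by iterate-and-increment, and a hash of the 5-tuple picks the range. The sample fractions, the offload entry for N2, the 5-tuple string encoding and the use of SHA-256 are assumptions; the talk does not specify its hash function.

```python
import hashlib
from typing import List, Optional, Tuple

# Added example, not the authors' code: it mimics the slides' LP output
# translation (fractions -> hash ranges) and the per-packet decision (hash
# of the 5-tuple -> range -> action) for the single path N1->N4. The
# fractions are constructed; the N2 offload entry is assumed to complete coverage.

Range = Tuple[float, float, str, str]  # (start, end, node, action)

def fractions_to_ranges(fractions: List[Tuple[str, str, float]]) -> List[Range]:
    # Iterate & increment: each (node, action, fraction) gets the next
    # half-open slice [offset, offset + fraction) of the hash space.
    ranges: List[Range] = []
    offset = 0.0
    for node, action, frac in fractions:
        if frac <= 0.0:
            continue
        end = offset + frac
        if end > 1.0 + 1e-9:
            raise ValueError("process fractions for a path exceed 1")
        ranges.append((offset, end, node, action))
        offset = end
    return ranges

def coverage(ranges: List[Range]) -> float:
    # Share of the path's traffic handled by some node; the coverage
    # constraint requires the local and offload fractions to sum to 1.
    return sum(end - start for start, end, _, _ in ranges)

def hash_5tuple(proto: int, src: str, dst: str, sport: int, dport: int) -> float:
    # Map the 5-tuple to h in [0, 1); every node hashes identically, so the ranges partition traffic with no coordination.
    key = f"{proto}|{src}|{dst}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") / 2**64

def decide(ranges: List[Range], h: float) -> Tuple[Optional[str], str]:
    # Linear scan is fine for a handful of ranges per path; return
    # (None, "ignore") when h lands in a slice the LP left uncovered.
    for start, end, node, action in ranges:
        if start <= h < end:
            return node, action
    return None, "ignore"

LP_FRACTIONS = [("N1", "process", 0.25), ("N2", "process", 0.5), ("N2", "offload", 0.25)]
RANGES = fractions_to_ranges(LP_FRACTIONS)

if __name__ == "__main__":  # constructed packet for a quick run
    h = hash_5tuple(6, "10.0.0.1", "10.0.1.1", 40000, 80)
    print(RANGES, round(h, 3), decide(RANGES, h))
```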
Slide 15: Extension to Asymmetric Routing
(diagram: nodes N1 to N5 with a forward flow and a reverse flow on different paths, labelled with fractions F_fwd_off, F_rev_off, F_common_off and F_common_loc)
• Old way doesn't work
• Treat forward and reverse paths separately
• Might not get full coverage
Slide 17: Aggregation
(diagram: nodes N1 to N5; three nodes contribute partial counts +5, +10 and +7, and the aggregate 22 > 20 raises an alert)
• Scan all the things!
Slide 19: Implementation
(diagram: Network → Shim (Click module) → Snort/Bro)
• Backwards compatible
• Logic is in the shim
• Low overhead
Slide 21: Comparison to Alternatives
• Ingress
• Path, augmented
• Path, no replicate
• Path, replicate
(diagram: nodes N1 to N5, one of them annotated 10x)
Slide 22: Reduction in Max Load
• Load reduction by 50%, even compared to "Path, augmented"
Slide 23: Emulab Deployment
• We built it; runs with vanilla Snort
• Corresponds to our simulation results
Slide 24: Performance Under Traffic Variability
• Our setup does not cross max capacity
Slide 25: Coverage with Asymmetric Routing
• Randomized process for choosing path overlap
• Miss rates lower than any existing solution
Slide 26: Conclusion
• NIDS have problems: scaling up, routing asymmetry
• Generalized framework: replication, aggregation, enhanced detection
• Realized with no changes to existing NIDS
• Significant performance and coverage benefits
Slide 27: Full LP Formulation (Replication)
Slide 28: Full LP Formulation (Aggregation)
Slide 29: LP Solver Run Times
Slide 30: Additional Results, Datacenter Placement
Slide 31: Additional Results, Datacenter Capacity
Slide 32: Additional Results, Aggregation Communication Cost
Slide 33: Future Work
• Combining replication and aggregation
• Extension to NIPS and active monitoring
• Traffic re-routing
• Change to traffic patterns
• Increased robustness to traffic dynamics