New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems
Victor Heorhiadi, Michael K. Reiter, Vyas Sekar. UNC Chapel Hill, UNC Chapel Hill, Stony Brook U.
PowerPoint presentation transcript.
![Page 1: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/1.jpg)
New Opportunities for Load Balancing in Network-Wide
Intrusion Detection Systems
Victor Heorhiadi (UNC Chapel Hill), Michael K. Reiter (UNC Chapel Hill), Vyas Sekar (Stony Brook U)
![Page 2: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/2.jpg)
2
Network Intrusion Detection Systems
• Popular way to detect attacks
• Bro & Snort are common software packages
• Scan network packets for known attacks
• Types of analysis: deep packet inspection, signature matching, scan detection
![Page 3: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/3.jpg)
3
NIDS Deployments Today
[Figure: network topology with NIDS nodes N1, N2, N3, N4, N5]
![Page 4: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/4.jpg)
4
Prior Work: On Path Distribution
[Figure: nodes N1–N5; processing is distributed among the NIDS nodes along each traffic path]
Does not go far enough
![Page 5: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/5.jpg)
5
Asymmetric Routing Challenge
[Figure: nodes N1–N5; the forward flow and the reverse flow of a connection traverse different paths]
![Page 6: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/6.jpg)
6
Our Work
• Generalized network-wide NIDS architecture
• Solves the scaling challenge
• Solves the asymmetry problem
• Leverages new load balancing opportunities: replication, aggregation
• Backwards compatible, no changes to existing NIDS
![Page 7: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/7.jpg)
7
Outline: Introduction; Design: New Opportunities (Replication, Aggregation); Implementation; Evaluation
![Page 8: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/8.jpg)
8
Replication
[Figure: nodes N1–N5 and a NIDS cluster; traffic is replicated from its path to the cluster]
Replicate traffic to the cluster
![Page 9: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/9.jpg)
9
Controlling Load via Process Fractions
[Figure: nodes N1–N5; for traffic on path n1→n4, a node processes a fraction locally, flocal(n1n4), offloads a fraction, foffload(n1n4), and ignores the rest]
![Page 10: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/10.jpg)
10
Traffic Coverage
[Figure: nodes N1–N5 on path n1→n4, each labelled with its processing fraction]
Coverage constraint for path n1→n4 (the fractions must partition the traffic):
Flocal_n1(n1n4) + Flocal_n2(n1n4) + Flocal_n3(n1n4) + Foffload(n1n4) = 1
![Page 11: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/11.jpg)
11
Node Capacity and Link Constraints
[Figure: nodes N1–N5 annotated with NIDS capacities (100 Kpps, 1 Mpps) and link utilization (40%)]
![Page 12: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/12.jpg)
12
Global Optimization
Minimize the max-loaded node, subject to coverage and link-capacity constraints.
Inputs: traffic matrix, NIDS capacities, routing → linear program
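The slide names only the objective, the constraint families and the inputs; the full formulation is on the appendix slides, which this transcript carries as images only. The following linear program is an added illustrative write-up, not the paper's own formulation, with assumed notation: T_p is the traffic on path p (from the traffic matrix), N_p the set of NIDS nodes on p (from routing), C_n the capacity of node n and C_cluster that of the replication cluster, R(n) the route from n to the cluster, H_l the spare capacity of link l (the 40% utilization figure on the previous slide leaves 60% headroom), and λ the normalized load of the most loaded node.

```latex
\begin{aligned}
\min \quad & \lambda \\
\text{s.t.} \quad
& \sum_{n \in N_p} \bigl( f^{\mathrm{local}}_{n}(p) + f^{\mathrm{off}}_{n}(p) \bigr) = 1 & \forall p && \text{(coverage)} \\
& \sum_{p \,:\, n \in N_p} T_p \, f^{\mathrm{local}}_{n}(p) \le \lambda \, C_n & \forall n && \text{(on-path node load)} \\
& \sum_{p} T_p \sum_{n \in N_p} f^{\mathrm{off}}_{n}(p) \le \lambda \, C_{\mathrm{cluster}} & && \text{(cluster load)} \\
& \sum_{p} T_p \sum_{n \in N_p \,:\, \ell \in R(n)} f^{\mathrm{off}}_{n}(p) \le H_\ell & \forall \ell && \text{(link headroom)} \\
& f^{\mathrm{local}}_{n}(p),\; f^{\mathrm{off}}_{n}(p) \ge 0 & \forall n,\, p
\end{aligned}
```

Because the constraints are linear in the fractions and in λ, any LP solver returns per-path fractions that the shim can turn into hash ranges; the coverage row is what guarantees that every packet has exactly one responsible node.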
![Page 13: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/13.jpg)
13
LP Output Translation
Translate fractions into hash ranges; iterate and increment. Similarly for offload responsibilities.
N1→N4, Node 1, ¼ process  →  N1→N4, Node 1, [0, 0.25), process
N1→N4, Node 2, ½ process  →  N1→N4, Node 2, [0.25, 0.75), process
![Page 14: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/14.jpg)
14
Per-Packet Decision Making
Hash h of the 5-tuple (protocol, srcip, dstip, srcport, dstport), h ∈ [0,1]
[Figure: the interval [0,1] partitioned into Flocal_n1(n1n4), Flocal_n2(n1n4), Flocal_n3(n1n4), Foffload_n2(n1n4)]
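The coverage check, the fraction-to-hash-range translation and the per-packet decision from the last three slides, worked through end to end. This is an added example, not the authors' Click shim: the node names, the fractions for path N1→N4 (¼, ½ and ⅛ processed locally at N1, N2, N3, with ⅛ offloaded via N2), the SHA-256 flow hash and the sample flows are all constructed for illustration.

```python
"""Added example (not the authors' code): turn per-path processing fractions
into contiguous hash ranges and decide per packet by hashing the 5-tuple into
[0, 1). Node names, fractions and traffic are constructed for illustration."""
import hashlib
import socket
import struct
from collections import Counter

# Constructed LP-style output for one path N1->N4: (node, role, fraction).
PATH_N1_N4 = [
    ("N1", "local", 0.25),
    ("N2", "local", 0.50),
    ("N3", "local", 0.125),
    ("N2", "offload", 0.125),
]

def coverage_ok(assignments, tol=1e-9):
    """Coverage constraint: the fractions for one path must sum to 1."""
    return abs(sum(f for _, _, f in assignments) - 1.0) <= tol

def fractions_to_ranges(assignments, tol=1e-9):
    """Iterate over the assignments and increment a running lower bound,
    turning each fraction into a half-open hash range [lo, hi)."""
    if not coverage_ok(assignments, tol):
        raise ValueError("coverage violated: fractions do not sum to 1")
    ranges, lo = [], 0.0
    for node, role, frac in assignments:
        if frac < 0:
            raise ValueError(f"negative fraction for {node}/{role}")
        ranges.append((node, role, lo, lo + frac))
        lo += frac
    # Snap the final upper bound to exactly 1.0 so no h is left uncovered.
    node, role, rlo, _ = ranges[-1]
    ranges[-1] = (node, role, rlo, 1.0)
    return ranges

def flow_hash(proto, src_ip, dst_ip, src_port, dst_port):
    """Deterministic hash of the 5-tuple mapped to h in [0, 1). SHA-256 is an
    assumption here; any stable hash works, but every node must agree on it."""
    key = struct.pack("!B4s4sHH", proto, socket.inet_aton(src_ip),
                      socket.inet_aton(dst_ip), src_port, dst_port)
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") / 2**64

def responsibility(ranges, h):
    """Return the (node, role) whose hash range contains h."""
    for node, role, lo, hi in ranges:
        if lo <= h < hi:
            return node, role
    raise ValueError(f"no range covers h={h}")  # unreachable when coverage holds

def decide(node_id, ranges, pkt):
    """Per-packet decision on one node: process, offload, or ignore."""
    owner, role = responsibility(ranges, flow_hash(*pkt))
    if owner != node_id:
        return "ignore"
    return "process" if role == "local" else "offload"

def simulate(ranges, n_flows=20000):
    """Constructed traffic: n_flows distinct TCP flows towards one server.
    Returns the share of flows each (node, role) received, which should track
    the LP fractions because the hash is uniform over flows."""
    counts = Counter()
    for i in range(n_flows):
        pkt = (6, f"10.0.{(i >> 8) & 255}.{i & 255}", "192.168.1.10",
               1024 + (i % 50000), 443)
        counts[responsibility(ranges, flow_hash(*pkt))] += 1
    return {key: n / n_flows for key, n in counts.items()}

if __name__ == "__main__":
    table = fractions_to_ranges(PATH_N1_N4)
    for node, role, lo, hi in table:
        print(f"N1->N4, {node}, [{lo}, {hi}), {role}")
    sample = (6, "10.1.2.3", "192.168.1.10", 40000, 443)
    print({n: decide(n, table, sample) for n in ("N1", "N2", "N3")})
    print(simulate(table))
```

Running it shows that for any single flow exactly one node returns a non-ignore decision, and that over many flows the observed shares land within a percent or two of the configured fractions, which is the property the LP relies on when it reasons in fractions rather than packets.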
![Page 15: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/15.jpg)
15
Extension to Asymmetric Routing
Old way doesn't work: treat forward and reverse paths separately.
[Figure: nodes N1–N5; the forward flow and the reverse flow take different paths, with fractions Ffwd_off and Frev_off on the direction-specific paths and Fcommon_loc, Fcommon_off on the nodes common to both]
Might not get full coverage
![Page 16: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/16.jpg)
16
Outline: Introduction; Design: New Opportunities (Replication, Aggregation); Evaluation
![Page 17: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/17.jpg)
17
Aggregation
[Figure: nodes N1–N5 each observe part of a scan ("Scan all the things!") and report partial counts +5, +10, +7; the aggregate 22 > 20 raises an alert]
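The scan-detection aggregation sketched on this slide, where no single node sees enough of the scan to alert but the sum of their partial counts crosses the threshold. This is an added example, not the authors' implementation: the node names, the threshold of 20 distinct destinations, the 5/10/7 split and the traffic are constructed for illustration.

```python
"""Added example (not the authors' code): per-node partial scan counts are
summed at an aggregator, which alerts when the total crosses a threshold
that no single node's view reaches. All names and traffic are constructed."""
from collections import defaultdict

SCAN_THRESHOLD = 20  # distinct destination endpoints per source (constructed)

class NodeScanCounter:
    """State of one NIDS node: the distinct (dst_ip, dst_port) endpoints each
    source has contacted, as seen by this node alone."""
    def __init__(self, name):
        self.name = name
        self.seen = defaultdict(set)

    def observe(self, src_ip, dst_ip, dst_port):
        self.seen[src_ip].add((dst_ip, dst_port))

    def local_alerts(self, threshold=SCAN_THRESHOLD):
        """What a stand-alone NIDS would flag from this node's partial view."""
        return {s for s, d in self.seen.items() if len(d) > threshold}

    def report(self):
        """Partial counts shipped to the aggregator: {src_ip: distinct count}."""
        return {s: len(d) for s, d in self.seen.items()}

class Aggregator:
    """Sums partial counts from all nodes. Assumes, as the replication scheme
    arranges, that each flow is processed by exactly one node, so the partial
    counts are disjoint and can be added without double counting."""
    def __init__(self, threshold=SCAN_THRESHOLD):
        self.threshold = threshold
        self.totals = defaultdict(int)
        self.contributions = defaultdict(dict)

    def ingest(self, node_name, report):
        for src, count in report.items():
            self.totals[src] += count
            self.contributions[src][node_name] = count

    def alerts(self):
        """Sources whose aggregate exceeds the threshold, with the per-node
        breakdown so an analyst can see where the evidence came from."""
        return {s: dict(self.contributions[s])
                for s, t in self.totals.items() if t > self.threshold}

def build_scenario():
    """Constructed traffic: one scanner (10.9.9.9) probing 22 distinct hosts on
    port 22, split 5/10/7 across N1, N2, N3, plus a benign host (10.1.1.5)
    talking to three services seen at N1."""
    nodes = {n: NodeScanCounter(n) for n in ("N1", "N2", "N3")}
    shares = {"N1": 5, "N2": 10, "N3": 7}
    k = 0
    for node, n_dsts in shares.items():
        for _ in range(n_dsts):
            nodes[node].observe("10.9.9.9", f"192.168.0.{k}", 22)
            k += 1
    for port in (80, 443, 8080):
        nodes["N1"].observe("10.1.1.5", "192.168.0.250", port)
    return nodes

def run():
    """Return (per-node local alerts, aggregated alerts, aggregate totals)."""
    nodes = build_scenario()
    local = {n: c.local_alerts() for n, c in nodes.items()}
    agg = Aggregator()
    for n, c in nodes.items():
        agg.ingest(n, c.report())
    return local, agg.alerts(), dict(agg.totals)

if __name__ == "__main__":
    local, alerts, totals = run()
    print("local alerts:", local)       # every node sees too little to alert
    print("aggregate totals:", totals)  # 10.9.9.9 -> 22
    print("aggregated alerts:", alerts)
```

The breakdown the aggregator keeps matters operationally: a distributed alert that only says "22 > 20" is hard to triage, while one that says "N1 saw 5, N2 saw 10, N3 saw 7" tells the responder which vantage points hold the packets worth pulling.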
![Page 18: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/18.jpg)
18
Outline: Introduction; Design: New Opportunities (Replication, Aggregation); Implementation; Evaluation
![Page 19: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/19.jpg)
19
Implementation
Network → Shim (Click module) → Snort/Bro
• Backwards compatible
• Logic is in the shim
• Low overhead
![Page 20: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/20.jpg)
20
Outline: Introduction; Design: New Opportunities (Replication, Aggregation); Implementation; Evaluation
![Page 21: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/21.jpg)
21
Comparison to Alternatives
Schemes compared: Ingress; Path, augmented; Path, no replicate; Path, replicate
[Figure: nodes N1–N5, annotated "10x"]
![Page 22: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/22.jpg)
22
Reduction in Max Load
Load reduction by 50%, even compared to "Path, augmented".
![Page 23: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/23.jpg)
23
Emulab Deployment
We built it; it runs with vanilla Snort. Results correspond to our simulation results.
![Page 24: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/24.jpg)
24
Performance Under Traffic Variability
Our setup does not cross max capacity
![Page 25: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/25.jpg)
25
Coverage with Asymmetric Routing
Randomized process for choosing path overlap. Miss rates lower than any existing solution.
![Page 26: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/26.jpg)
26
Conclusion
• NIDS have problems: scaling up, routing asymmetry
• Generalized framework: replication, aggregation, enhanced detection
• Realized with no changes to existing NIDS
• Significant performance and coverage benefits
![Page 27: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/27.jpg)
27
Full LP Formulation (Replication)
![Page 28: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/28.jpg)
28
Full LP Formulation (Aggregation)
![Page 29: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/29.jpg)
29
LP Solver Run Times
![Page 30: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/30.jpg)
30
Additional Results, Datacenter Placement
![Page 31: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/31.jpg)
31
Additional Results, Datacenter Capacity
![Page 32: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/32.jpg)
32
Additional Results, Aggregation Communication Cost
![Page 33: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems](https://reader035.vdocuments.net/reader035/viewer/2022062812/56816384550346895dd4673e/html5/thumbnails/33.jpg)
33
Future Work
• Combining replication and aggregation
• Extension to NIPS and active monitoring
• Traffic re-routing: change to traffic patterns
• Increased robustness to traffic dynamics