New Opportunities for Load Balancing in Network-Wide

Intrusion Detection Systems

Victor Heorhiadi, Michael K. Reiter, Vyas Sekar

UNC Chapel Hill UNC Chapel Hill Stony Brook U

2

Network Intrusion Detection Systems Popular way to detect attacks

Bro & Snort are common software packages Scan network packets for known attacks Types of analysis:

Deep packet inspection Signature matching Scan detection

3

NIDS Deployments Today

N1 N3N2

N5 N4

4

Prior Work: On Path Distribution

N1 N3N2

N5 N4

Does not go far enough

5

Asymmetric Routing Challenge

N2

N5 N4

Forward Flow

Reverse Flow

N1 N3

6

Our Work Generalized network-wide NIDS architecture

Solves the scaling challenge Solves the asymmetry problem

Leverages new load balancing opportunities Replication Aggregation

Backwards compatible, no changes to existing NIDS

7

Outline Introduction Design: New Opportunities

Replication Aggregation

Implementation Evaluation

8

Replication

N1

N3

N2

N5 N4

Replicate traffic to the cluster

9

Controlling Load via Process Fractionsf_local_1_4

f_offload_1_4

ignoreN1

N3

N2

N5 N4

flocal(n1n4) foffload(n1n4)

ignore

10

Traffic Coverage

N1

N3

N2

N5 N4

Flocal(n1n4)++ + =1

Flocal(n1n4)

Flocal(n1n4)Foffload(n1n4)

11

Node Capacity and Link Constraints

N1

N3

N2

N5 N4

100 Kpps 1Mpps40% utilization

40% utilization

100Kpps

100 Kpps

12

Global optimization

Minimize max-loaded nodeSubject to Coverage, Link Capacity

constraints

Traffic Matrix

NIDS CapacitiesRouting

Linearprogram

13

LP Output Translation Translate fractions into hash ranges Iterate & increment

Similarly, for offload responsibilities

N1N4, Node 1, ¼ process

N1N4, Node 1, [0,0.25), process

N1N4, Node 2, ½ process

N1N4, Node 2, [0.25,0.75), process

14

Per-Packet Decision Making Hash h of a 5-tuple

(protocol, srcip, dstip, srcport, dstport)

Flocal_n1(n1n4) Flocal_n2(n1n4) Flocal_n3(n1n4) Foffload_n2(n1n4)

h [0,1]

0 1

15

N2

N5 N4

N1 N3

Extension to Asymmetric Routing Old way doesn’t work Treat forward and reverse paths separately

Ffwd_off

Frev_off

Forward Flow

Reverse FlowFcommon_off

Fcommon_loc

Might not get full coverage

16

Outline Introduction Design: New Opportunities

Replication Aggregation

Evaluation

17

Aggregation

N1 N3N2

N5 N4

+5

+10

+7

Alert22>20

Scan all the things!

18

Outline Introduction Design: New Opportunities

Replication Aggregation

Implementation Evaluation

19

Implementation

Network

Shim (Click module)Snort/Bro

• Backwards compatible

• Logic is in the shim

• Low overhead

20

Outline Introduction Design: New Opportunities

Replication Aggregation

Implementation Evaluation

21

Comparison to AlternativesIngress Path, augmentedPath, no replicatePath, replicate

N1

N3

N2

N5 N410x

22

Reduction in Max Load

Load reduction by 50% Even compared to “Path,

augmented”

23

Emulab Deployment

We built it, runs with vanilla Snort Corresponds to our simulation results

24

Performance Under Traffic Variability

Our setup does not cross max capacity

25

Coverage with Asymmetric Routing

Randomized process for choosing path overlap Miss rates lower than any existing solution

26

Conclusion NIDS have problems

Scaling up Routing asymmetry

Generalized framework Replication Aggregation Enhanced detection

Realized with no changes to existing NIDS Significant performance and coverage benefits

27

Full LP Formulation (Replication)

28

Full LP Formulation (Aggregation)

29

LP Solver Run Times

30

Additional Results, Datacenter Placement

31

Additional Results, Datacenter Capacity

32

Additional Results, Aggregation Communication Cost

33

Future Work Combining replication and aggregation Extension to NIPS and active monitoring

Traffic re-routing Change to traffic patterns

Increased robustness to traffic dynamics