ABSTRACT
Traditional efforts for scaling network intrusion detection systems (NIDS) and network intrusion prevention systems (NIPS) have largely focused on a single-vantage-point view. In this paper, we explore an alternative design that exploits spatial, network-wide opportunities for distributing NIDS and NIPS functions. For the NIDS case, we design a linear programming formulation to assign detection responsibilities to nodes while ensuring that no node is overloaded. We describe a prototype NIDS implementation adapted from the Bro system to analyze traffic per these assignments, and demonstrate the advantages that this approach achieves. For NIPS, we show how to maximally leverage specialized hardware (e.g., TCAMs) to reduce the footprint of unwanted traffic on the network. Such hardware constraints make the optimization problem NP-hard, and we provide practical approximation algorithms based on randomized rounding.
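As an added illustration (not code from the paper or the Bro prototype), the two pieces the abstract describes on a constructed three-path instance: a capacity-checked fractional assignment of each path's traffic to on-path nodes, standing in for an LP optimum, and the randomized rounding that turns it into a one-node-per-path assignment for the hardware-constrained case. The hand-built fractional shares, the node capacities and the retry-until-feasible loop are assumptions made here.

```python
import random

# Constructed example instance: each ingress->egress path carries a traffic
# volume and traverses the listed nodes; capacities use the same units.
PATHS = {
    "A->C": {"volume": 40.0, "nodes": ["A", "B", "C"]},
    "A->D": {"volume": 30.0, "nodes": ["A", "B", "D"]},
    "E->C": {"volume": 50.0, "nodes": ["E", "B", "C"]},
}
CAPACITY = {"A": 40.0, "B": 60.0, "C": 45.0, "D": 30.0, "E": 35.0}

# Constructed fractional assignment standing in for an LP optimum: for each
# path, the share of its traffic each on-path node inspects (shares sum to 1).
FRACTIONAL = {
    "A->C": {"A": 0.5, "B": 0.25, "C": 0.25},
    "A->D": {"A": 0.4, "B": 0.3, "D": 0.3},
    "E->C": {"E": 0.7, "B": 0.3},
}

def node_loads(assignment):
    """Traffic volume each node must inspect under an assignment."""
    loads = {n: 0.0 for n in CAPACITY}
    for path, shares in assignment.items():
        for node, frac in shares.items():
            assert node in PATHS[path]["nodes"], "only on-path nodes may inspect"
            loads[node] += frac * PATHS[path]["volume"]
    return loads

def is_feasible(assignment, slack=1.0):
    """True if no node exceeds slack * capacity (slack=1.0 means no overload)."""
    return all(load <= slack * CAPACITY[n] + 1e-9
               for n, load in node_loads(assignment).items())

def randomized_rounding(fractional, rng):
    # Each path goes to exactly one node, chosen with probability equal to its
    # fractional share (Raghavan-Thompson style rounding for the integral case).
    integral = {}
    for path, shares in fractional.items():
        nodes, weights = zip(*shares.items())
        (chosen,) = rng.choices(nodes, weights=weights, k=1)
        integral[path] = {chosen: 1.0}
    return integral

def round_with_retries(fractional, slack=1.0, tries=200, seed=0):
    # Assumed practical wrapper: re-round until a candidate within slack appears.
    rng = random.Random(seed)
    for _ in range(tries):
        candidate = randomized_rounding(fractional, rng)
        if is_feasible(candidate, slack):
            return candidate
    return None
```

A returned `None` means no rounding within the allowed slack was found in the trial budget, which is the signal to relax the slack or revisit the fractional solution.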