
New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, Vyas Sekar UNC Chapel Hill UNC Chapel.

Presentation transcript:

Slide 1: New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems
Victor Heorhiadi, Michael K. Reiter, Vyas Sekar
UNC Chapel Hill, UNC Chapel Hill, Stony Brook U

Slide 2: Network Intrusion Detection Systems
- Popular way to detect attacks
- Bro & Snort are common software packages
- Scan network packets for known attacks
- Types of analysis:
  - Deep packet inspection
  - Signature matching
  - Scan detection

Slide 3: NIDS Deployments Today
(Figure: network with nodes N1, N2, N3, N4, N5)

Slide 4: Prior Work: On-Path Distribution
(Figure: network with nodes N1, N2, N3, N4, N5)
- Does not go far enough

Slide 5: Asymmetric Routing Challenge
(Figure: nodes N1, N2, N3, N4, N5; the forward flow and the reverse flow take different paths)

Slide 6: Our Work
- Generalized network-wide NIDS architecture
  - Solves the scaling challenge
  - Solves the asymmetry problem
- Leverages new load balancing opportunities
  - Replication
  - Aggregation
- Backwards compatible, no changes to existing NIDS

Slide 7: Outline
- Introduction
- Design: New Opportunities
  - Replication
  - Aggregation
- Implementation
- Evaluation

Slide 8: Replication
(Figure: nodes N1, N2, N3, N4, N5)
- Replicate traffic to the cluster

Slide 9: Controlling Load via Process Fractions
(Figure: nodes N1, N2, N3, N4, N5; for the path n1 -> n4, traffic is split into f_local(n1 -> n4), f_offload(n1 -> n4), and ignore)

Slide 10: Traffic Coverage
(Figure: nodes N1, N2, N3, N4, N5)
- Coverage constraint for the path n1 -> n4: the F_local(n1 -> n4) fractions of the on-path nodes, plus F_offload(n1 -> n4), sum to 1

Slide 11: Node Capacity and Link Constraints
(Figure: nodes N1, N2, N3, N4, N5 with example figures: 100 Kpps, 1 Mpps, 40% utilization, 100 Kpps)

Slide 12: Global Optimization
- Minimize the load of the max-loaded node
- Subject to coverage and link capacity constraints
- Inputs: traffic matrix, NIDS capacities, routing -> linear program

Slide 13: LP Output Translation
- Translate fractions into hash ranges
- Iterate & increment
- Similarly, for offload responsibilities
  N1 -> N4, Node 1, 1/4 process  =>  N1 -> N4, Node 1, [0, 0.25), process
  N1 -> N4, Node 2, 1/2 process  =>  N1 -> N4, Node 2, [0.25, 0.75), process

Slide 14: Per-Packet Decision Making
- Hash h of a 5-tuple (protocol, srcip, dstip, srcport, dstport)
- h falls in [0, 1), which is partitioned into F_local_n1(n1 -> n4), F_local_n2(n1 -> n4), F_local_n3(n1 -> n4), F_offload_n2(n1 -> n4)
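The translation on slides 13 and 14, as an added example that is not code from the talk or its implementation: LP process fractions for one path are turned into disjoint hash ranges by iterating and incrementing a cursor, and each packet is dispatched by hashing its 5-tuple into [0, 1). The node names, the 1/4 and 1/2 local fractions come from the slides; the 0.15 offload fraction to N5, the leftover "ignore" slice, the use of SHA-256 as the hash, and the constructed flow sample are assumptions.

```python
import hashlib

# Added example: LP fractions -> hash ranges -> per-packet dispatch.
# Fractions 0.25 and 0.5 are from the slides; the 0.15 offload to N5 and the
# remaining 0.10 "ignore" slice are assumed for illustration.

def fractions_to_ranges(assignments):
    """assignments: ordered list of (node, role, fraction) for one path.
    Iterate and increment a cursor so each node gets a disjoint slice of [0, 1).
    Whatever is left at the end is the 'ignore' slice."""
    ranges = []
    cursor = 0.0
    for node, role, frac in assignments:
        if frac < 0:
            raise ValueError("negative fraction")
        ranges.append((node, role, cursor, cursor + frac))
        cursor += frac
    if cursor > 1.0 + 1e-9:
        raise ValueError("fractions exceed 1: coverage constraint violated")
    return ranges

def five_tuple_hash(proto, src_ip, dst_ip, src_port, dst_port):
    """Map a flow 5-tuple to a point in [0, 1). Same tuple -> same point, so
    every packet of a flow lands on the same node. SHA-256 is an assumed choice."""
    key = f"{proto}|{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") / 2**64

def dispatch(h, ranges):
    """Return (node, role) responsible for hash value h, or None if h falls
    in the ignore slice."""
    for node, role, lo, hi in ranges:
        if lo <= h < hi:
            return (node, role)
    return None

# Constructed assignment for path N1 -> N4: node 1 processes 1/4 locally,
# node 2 processes 1/2 locally (slide 13); 0.15 offloaded to off-path N5 (assumed).
PATH_N1_N4 = [("N1", "local", 0.25), ("N2", "local", 0.5), ("N5", "offload", 0.15)]

def share_per_node(n_flows, ranges):
    """Constructed flow sample: hash n_flows distinct 5-tuples and return the
    fraction dispatched to each node (key None = ignored)."""
    counts = {}
    for i in range(n_flows):
        h = five_tuple_hash("tcp", f"10.0.{i // 256}.{i % 256}", "10.1.0.4",
                            40000 + i % 20000, 80)
        hit = dispatch(h, ranges)
        node = hit[0] if hit else None
        counts[node] = counts.get(node, 0) + 1
    return {node: c / n_flows for node, c in counts.items()}

if __name__ == "__main__":
    ranges = fractions_to_ranges(PATH_N1_N4)
    for node, role, lo, hi in ranges:
        print(f"{node:3} {role:8} [{lo:.2f}, {hi:.2f})")
    print(share_per_node(20000, ranges))
```

The observed share per node converges on the LP fractions because the hash spreads flows uniformly over [0, 1); a check worth keeping in a real shim is the coverage assertion in fractions_to_ranges, since ranges that overrun 1 would silently drop the offload responsibility at the tail.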

Slide 15: Extension to Asymmetric Routing
(Figure: nodes N1, N2, N3, N4, N5; forward flow and reverse flow on different paths, with fractions F_fwd_off, F_rev_off, F_common_off, F_common_loc)
- Old way doesn't work
- Treat forward and reverse paths separately
- Might not get full coverage

Slide 16: Outline
- Introduction
- Design: New Opportunities
  - Replication
  - Aggregation
- Evaluation

Slide 17: Aggregation
(Figure: nodes N1, N2, N3, N4, N5 report partial counts +5, +10, +7; aggregated total 22 > 20 -> Alert)
- "Scan all the things!"
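The aggregation step on slide 17, as an added example that is not code from the talk or its shim: each node computes a partial scan count over the flows it was assigned, and an aggregator sums the partial counts per source before comparing with the threshold, so a scan that no single node sees crossing the threshold is still detected. The counts 5, 10 and 7 and the threshold 20 are the slide's figures; the source and destination addresses, the report format and the aggregator itself are constructed assumptions.

```python
from collections import defaultdict

# Added example: network-wide scan detection by summing per-node partial
# counts. Threshold 20 and partial counts 5/10/7 are the slide's figures;
# everything else is constructed.

SCAN_THRESHOLD = 20  # distinct destinations contacted by one source

def local_partial_counts(packets):
    """What one NIDS node computes on its own slice of the flows:
    per-source number of distinct destinations it has seen.
    Because hash-range replication hands each flow to exactly one node,
    the per-node destination sets are disjoint and their sizes can be
    summed by the aggregator without double counting."""
    seen = defaultdict(set)
    for src, dst in packets:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

def aggregate(reports):
    """reports: {node: {src: partial_count}} -> {src: network-wide total}."""
    totals = defaultdict(int)
    for partial in reports.values():
        for src, count in partial.items():
            totals[src] += count
    return dict(totals)

def scan_alerts(reports, threshold=SCAN_THRESHOLD):
    """Sources whose aggregated count exceeds the threshold (22 > 20 on the slide)."""
    return {src: total for src, total in aggregate(reports).items() if total > threshold}

# Constructed reports reproducing the slide: N1 saw 5, N2 saw 10, N3 saw 7
# distinct destinations for source 10.9.9.9; no node alone crosses 20.
CONSTRUCTED_REPORTS = {
    "N1": local_partial_counts([("10.9.9.9", f"10.1.0.{i}") for i in range(5)]),
    "N2": local_partial_counts([("10.9.9.9", f"10.1.1.{i}") for i in range(10)]),
    "N3": local_partial_counts([("10.9.9.9", f"10.1.2.{i}") for i in range(7)]
                               + [("10.8.8.8", "10.1.2.1")]),
}

if __name__ == "__main__":
    for node, partial in CONSTRUCTED_REPORTS.items():
        print(node, partial)
    print("totals:", aggregate(CONSTRUCTED_REPORTS))
    print("alerts:", scan_alerts(CONSTRUCTED_REPORTS))
```

The disjointness remark in local_partial_counts is the condition that makes a plain sum correct; if flows for one source could be processed at more than one node, the nodes would have to exchange destination sets rather than counts.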

Slide 18: Outline
- Introduction
- Design: New Opportunities
  - Replication
  - Aggregation
- Implementation
- Evaluation

Slide 19: Implementation
- Network shim (Click module) in front of Snort/Bro
- Backwards compatible
- Logic is in the shim
- Low overhead

Slide 20: Outline
- Introduction
- Design: New Opportunities
  - Replication
  - Aggregation
- Implementation
- Evaluation

Slide 21: Comparison to Alternatives
(Figure: nodes N1, N2, N3, N4, N5; schemes compared: Ingress; Path, augmented; Path, no replicate; Path, replicate; load scale up to 10x)

Slide 22: Reduction in Max Load
- Load reduction by 50%
- Even compared to "Path, augmented"

Slide 23: Emulab Deployment
- We built it, runs with vanilla Snort
- Corresponds to our simulation results

Slide 24: Performance Under Traffic Variability
- Our setup does not cross max capacity

Slide 25: Coverage with Asymmetric Routing
- Randomized process for choosing path overlap
- Miss rates lower than any existing solution

Slide 26: Conclusion
- NIDS have problems
  - Scaling up
  - Routing asymmetry
- Generalized framework
  - Replication
  - Aggregation
  - Enhanced detection
- Realized with no changes to existing NIDS
- Significant performance and coverage benefits

Slide 27: Full LP Formulation (Replication)

Slide 28: Full LP Formulation (Aggregation)

Slide 29: LP Solver Run Times

Slide 30: Additional Results, Datacenter Placement

Slide 31: Additional Results, Datacenter Capacity

Slide 32: Additional Results, Aggregation Communication Cost

Slide 33: Future Work
- Combining replication and aggregation
- Extension to NIPS and active monitoring
- Traffic re-routing
  - Change to traffic patterns
- Increased robustness to traffic dynamics

