Presentation is loading. Please wait.

Presentation is loading. Please wait.

New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, Vyas Sekar UNC Chapel Hill UNC Chapel.

Similar presentations


Presentation on theme: "New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, Vyas Sekar UNC Chapel Hill UNC Chapel."— Presentation transcript:

1 New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, Vyas Sekar UNC Chapel Hill UNC Chapel Hill Stony Brook U

2 Network Intrusion Detection Systems 2  Popular way to detect attacks  Bro & Snort are common software packages  Scan network packets for known attacks  Types of analysis:  Deep packet inspection  Signature matching  Scan detection

3 NIDS Deployments Today 3 N1 N3 N2 N5 N4

4 Prior Work: On Path Distribution 4 N1 N3 N2 N5 N4  Does not go far enough

5 Asymmetric Routing Challenge 5 N2 N5 N4 Forward Flow Reverse Flow N1N3

6 Our Work 6  Generalized network-wide NIDS architecture  Solves the scaling challenge  Solves the asymmetry problem  Leverages new load balancing opportunities  Replication  Aggregation  Backwards compatible, no changes to existing NIDS

7 Outline 7  Introduction  Design: New Opportunities  Replication  Aggregation  Implementation  Evaluation

8 Replication 8 N1 N3 N2 N5 N4 Replicate traffic to the cluster

9 Controlling Load via Process Fractions 9 f_local_1_4 f_offload_1_4 ignore N1 N3 N2 N5 N4 flocal(n1  n 4) foffload(n1  n 4) ignore

10 Traffic Coverage 10 N1 N3 N2 N5 N4 F local (n1  n4) =1 F local (n1  n4) F offload (n1  n4)

11 Node Capacity and Link Constraints 11 N1 N3 N2 N5 N4 100 Kpps 1Mpps 40% utilization 100Kpps

12 Global optimization 12 Minimize max-loaded node Subject to Coverage, Link Capacity constraints Traffic MatrixNIDS CapacitiesRouting Linear program Linear program

13 LP Output Translation 13  Translate fractions into hash ranges  Iterate & increment  Similarly, for offload responsibilities N1  N4, Node 1, ¼ process N1  N4, Node 1, [0,0.25), process N1  N4, Node 2, ½ process N1  N4, Node 2, [0.25,0.75), process

14 Per-Packet Decision Making 14  Hash h of a 5-tuple (protocol, srcip, dstip, srcport, dstport) F local_n1 (n1  n4)F local_n2 (n1  n4) F local_n3 (n1  n4) F offload_n2 (n1  n4) 0 1

15 N2 N5 N4 N1N3 Extension to Asymmetric Routing 15  Old way doesn’t work  Treat forward and reverse paths separately F fwd_off F rev_off Forward Flow Reverse Flow F common_off F common_loc Might not get full coverage

16 Outline 16  Introduction  Design: New Opportunities  Replication  Aggregation  Evaluation

17 Aggregation 17 N1 N3 N2 N5 N Alert 22>20 Scan all the things!

18 Outline 18  Introduction  Design: New Opportunities  Replication  Aggregation  Implementation  Evaluation

19 Implementation 19 Network Shim (Click module)Snort/Bro Backwards compatible Logic is in the shim Low overhead

20 Outline 20  Introduction  Design: New Opportunities  Replication  Aggregation  Implementation  Evaluation

21 Comparison to Alternatives 21 IngressPath, augmentedPath, no replicatePath, replicate N1 N3 N2 N5 N4 10x

22 Reduction in Max Load 22  Load reduction by 50%  Even compared to “Path, augmented”  Load reduction by 50%  Even compared to “Path, augmented”

23 Emulab Deployment 23  We built it, runs with vanilla Snort  Corresponds to our simulation results  We built it, runs with vanilla Snort  Corresponds to our simulation results

24 Performance Under Traffic Variability 24  Our setup does not cross max capacity

25 Coverage with Asymmetric Routing 25  Randomized process for choosing path overlap  Miss rates lower than any existing solution  Randomized process for choosing path overlap  Miss rates lower than any existing solution

26 Conclusion 26  NIDS have problems  Scaling up  Routing asymmetry  Generalized framework  Replication  Aggregation  Enhanced detection  Realized with no changes to existing NIDS  Significant performance and coverage benefits

27 Full LP Formulation (Replication) 27

28 Full LP Formulation (Aggregation) 28

29 LP Solver Run Times 29

30 Additional Results, Datacenter Placement 30

31 Additional Results, Datacenter Capacity 31

32 Additional Results, Aggregation Communication Cost 32

33 Future Work 33  Combining replication and aggregation  Extension to NIPS and active monitoring  Traffic re-routing  Change to traffic patterns  Increased robustness to traffic dynamics


Download ppt "New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, Vyas Sekar UNC Chapel Hill UNC Chapel."

Similar presentations


Ads by Google