1 vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems
Hongda Li¹, Hongxin Hu¹, Guofei Gu², Gail-Joon Ahn³, and Fuqiang Zhang¹
CCS 2018

2 Traditional NIDSes

3 Traditional NIDSes
* Multi-thread
* Clustered
* GPU Acceleration

4 Traditional NIDSes
* Address the scalability issue: multi-core/multi-thread, clustering, GPU acceleration
* Limited in flexibility: fixed location, constant capacity

5 Requirement 1: Virtualized Environments
* Blurred and fluid perimeters
* Virtualized network zones (Zone1, Zone2, Zone3)
* Service migration across datacenters (Datacenter1, Datacenter2, Datacenter3) on shared infrastructure

6 Requirement 2: Traffic Volume Variation
* Expensive option: capacity ≥ peak traffic load
(Figure: DDoS attack in Feb. 2016; traffic in Gbps, 0 to 400, over time from 2/19 to 2/25, showing significant variation. Source:)

7 Virtualization Platform
New trends:
* Network Function Virtualization (NFV): software instances
* Software-Defined Networking (SDN): dynamic traffic steering
(Figure: virtualization platform with an SDN switch; Elastic Security = SDN + NFV)

8 Elastic Security
* NIDS virtualization: flexible location and capacity
* Scalable and flexible network security functions
* Existing work: VFW Controller (NDSS'17), PSI (NDSS'17), Bohatei (USENIX Sec'15)

9 vNIDS enables safe and efficient NIDS virtualization
* Safe virtualization: does not miss attacks
* Efficient virtualization: provisioned optimally

10 Ch. 1: Effective Intrusion Detection
* Missing malicious activities
(Figure: a Scanner's traffic passes an SDN Switch and is steered to Instance1 and Instance2, each running the Detector; label "SIP=")

11 Ch. 1: Effective Intrusion Detection
* How to distinguish per-flow and multi-flow states?
(Figure: Instance1 and Instance2 each hold per-flow state locally; multi-flow state is kept in a Shared Data Store)
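The following is an added example, not code from the vNIDS paper or this presentation. It models the situation of slides 10 and 11: one scanner's flows are steered by the switch onto two detector instances, and the scan detector's distinct-destination-port count is multi-flow state. When each instance keeps that state locally (the "No Share" setting), neither instance reaches the alert threshold; when the state lives in a shared data store, the scan is detected. The threshold, the traffic, and the steering rule are constructed assumptions.

```python
"""Port-scan detection split across two NIDS instances (constructed model)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SCAN_THRESHOLD = 8  # assumption: alert once a source has touched 8 distinct dst ports

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)

# Constructed traffic: one scanner probes 10 ports on one host; a few benign flows.
SCANNER = "198.51.100.7"
TRAFFIC: List[Flow] = [(SCANNER, "203.0.113.10", p) for p in range(20, 30)]
TRAFFIC += [("203.0.113.5", "203.0.113.10", 443) for _ in range(5)]


class StateStore:
    """Holds the multi-flow state: distinct destination ports seen per source.

    Used either as a per-instance local store or as one shared store.
    """

    def __init__(self) -> None:
        self._ports: Dict[str, Set[int]] = defaultdict(set)

    def record(self, src: str, dport: int) -> int:
        self._ports[src].add(dport)
        return len(self._ports[src])


class DetectorInstance:
    """One NIDS instance running the scan detector.

    With shared=None the instance keeps multi-flow state locally ("No Share");
    otherwise it reads and writes the shared store.
    """

    def __init__(self, name: str, shared: Optional[StateStore] = None) -> None:
        self.name = name
        self.store = shared if shared is not None else StateStore()
        self.flow_bytes: Dict[Flow, int] = defaultdict(int)  # per-flow state, local only
        self.alerts: List[str] = []

    def process(self, flow: Flow, nbytes: int = 60) -> None:
        src, _dst, dport = flow
        self.flow_bytes[flow] += nbytes          # per-flow state never needs sharing
        distinct = self.store.record(src, dport)  # multi-flow state
        if distinct >= SCAN_THRESHOLD and src not in self.alerts:
            self.alerts.append(src)


def steer(flow: Flow, n_instances: int) -> int:
    """Constructed steering rule: spread one source's flows across instances by port."""
    return flow[2] % n_instances


def run(share: bool) -> List[str]:
    """Replay TRAFFIC through two instances; return the sources any instance alerted on."""
    shared = StateStore() if share else None
    instances = [DetectorInstance(f"Instance{i + 1}", shared) for i in range(2)]
    for flow in TRAFFIC:
        instances[steer(flow, len(instances))].process(flow)
    return sorted({src for inst in instances for src in inst.alerts})


if __name__ == "__main__":
    print("No Share :", run(share=False))  # expected: []
    print("Shared   :", run(share=True))   # expected: ['198.51.100.7']
```

The per-flow byte counter stays local in both settings; only the distinct-port table has to be shared, which is the distinction vNIDS draws so that not every state has to go through the data store.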

12 Ch. 2: Non-monolithic NIDS Provisioning
* Inefficient resource allocation
(Figure: a cloud host has room for two monolithic NIDS instances; Monolithic NIDS Instance 3 can't fit)
* Virtualized NIDSes allocate and deallocate more frequently

13 Ch. 2: Non-monolithic NIDS Provisioning
* Inefficient scaling
(Figure: a Monolithic NIDS Instance runs one NIDS Engine with Detector1 and Detector2; it scales slowly and ends up over-provisioned or overloaded)
* Virtualized NIDSes scale more frequently

14 Ch. 2: Non-monolithic NIDS Provisioning
* Monolithic provisioning: general
* Non-monolithic provisioning: fine-grained
* How to decompose? How to enforce detection logics?

15 vNIDS Architecture Overview
Effective Intrusion Detection:
* 1. Program analysis: the vNIDS Controller analyzes the Detection Logic Programs (Detection State Classification)
* 2. Detection state sharing: State Management in the vNIDS Microservice Instances uses a Shared Data Store

16 vNIDS Architecture Overview
Non-Monolithic NIDS Provisioning:
* 3. Microservices: Header-based Detection Microservice, Protocol Parse Microservice, Payload-based Detection Microservice (instances of each run as vNIDS Microservice Instances)
* 4. Program slicing: Detection Logic Program Partitioning and Provision Control in the vNIDS Controller
(Figure: the Detection Logic Programs feed the controller; the controller's Detection State Classification and State Management components connect the instances to the Shared Data Store)

17 Scope of Detection States
* Flow record: essential data structure of NFs; its lifetime determines the scope of detection states
* "Always" freed before a flow record is freed: dedicated to a certain flow (per-flow)
* Not "always" freed before a flow record is freed: must be freed by other flows (multi-flow)

18-21 Inferring the Scope of Detection States
* Compute the CFG of the detector
* Find statement T, where the flow record is freed
* Compute the dominators of statement T (the statements on every path from the entry point to T)
* A detection state freed at a dominator of T is per-flow; a detection state not freed at a dominator of T is multi-flow
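The following is an added example, not code from vNIDS (which runs this analysis with Frama-C on real detector programs). It carries the dominator-based inference of slides 18 to 21 through on a constructed control-flow graph: nodes are statements, two of them free a detection state, and statement T frees the flow record. A state freed at a statement that dominates T is released on every path before the flow record, so it is per-flow; any other state is multi-flow. The graph, the statement names, and the state names are assumptions.

```python
"""Per-flow vs multi-flow classification of detection states via dominators."""
from typing import Dict, List, Set

# Constructed CFG of a detector: statement -> successor statements.
# "entry" begins processing a flow; "T" frees the flow record.
CFG: Dict[str, List[str]] = {
    "entry": ["parse"],
    "parse": ["check_hdr"],
    "check_hdr": ["count_port", "free_conn_buf"],  # branch on a header field
    "count_port": ["free_conn_buf", "parse"],      # back edge: next packet of the flow
    "free_conn_buf": ["maybe_reset"],
    "maybe_reset": ["free_scan_tbl", "T"],         # the table is freed only sometimes
    "free_scan_tbl": ["T"],
    "T": [],
}

# Which statement frees which detection state (constructed).
FREES: Dict[str, str] = {
    "free_conn_buf": "conn_buf",     # reassembly buffer of one connection
    "free_scan_tbl": "scan_table",   # distinct-port table spanning many flows
}


def dominators(cfg: Dict[str, List[str]], entry: str) -> Dict[str, Set[str]]:
    """Iterative dataflow: Dom(n) = {n} ∪ ⋂ Dom(p) over all predecessors p of n."""
    nodes = list(cfg)
    preds: Dict[str, List[str]] = {n: [] for n in nodes}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].append(n)
    dom: Dict[str, Set[str]] = {n: set(nodes) for n in nodes}  # optimistic start
    dom[entry] = {entry}
    changed = True
    while changed:  # converges because each Dom set can only shrink
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = {n}
            if preds[n]:
                new |= set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def classify_states(cfg: Dict[str, List[str]], frees: Dict[str, str],
                    entry: str = "entry", t: str = "T") -> Dict[str, str]:
    """Map each detection state to 'per-flow' or 'multi-flow' by the scope rule."""
    dom_t = dominators(cfg, entry)[t]
    return {state: ("per-flow" if stmt in dom_t else "multi-flow")
            for stmt, state in frees.items()}


if __name__ == "__main__":
    print(sorted(dominators(CFG, "entry")["T"]))
    print(classify_states(CFG, FREES))  # conn_buf: per-flow, scan_table: multi-flow
```

The path entry → parse → check_hdr → free_conn_buf → maybe_reset → T reaches T without passing free_scan_tbl, so scan_table is not always freed before the flow record and must be treated as shared state; free_conn_buf lies on every path to T, so conn_buf can stay local to the instance handling the flow.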

22 Logic Structure of NIDSes
(Figure: a Monolithic NIDS layered bottom-up)
* Network Traffic
* Network Protocol Stack: network layer processing
* Application Protocol Parsers: payload parsing
* Detection Logics: various detection tasks

23 Types of Detection Logics
* Type-I: only inspects headers; does not rely on APPs (Application Protocol Parsers)
* Type-II: inspects header and payload; needs APPs
(Figure: Monolithic NIDS with Network Traffic, Network Protocol Stack, Application Protocol Parsers, and the two detection logic types on top)

24 NIDS Decomposed as Microservices
Decomposing the Monolithic NIDS (Network Protocol Stack, Application Protocol Parsers, Type-I and Type-II Detection Logics) into:
* Header-based Detection Microservice: Network Protocol Stack + Type-I Detection Logics
* Protocol Parse Microservice: Network Protocol Stack + Application Protocol Parsers
* Payload-based Detection Microservice: Network Protocol Stack + Type-II Detection Logics

25 Detection Logic Program Partitioning
(Figure: one Detection Logic Program is partitioned into DLPs 1, 2, 3, and 4)

26 Implementation & Evaluation
Implementation:
* Xen hypervisor
* Frama-C framework for program analysis
* Click for microservices and DLPs
* RAMCloud for detection state sharing
Evaluation:
* CloudLab
* Real-world dataset + generated attack traffic

27 Effectiveness of vNIDS
(Figure: Malicious Activity Detection Rate (%) on CAIDA+Attack.trace, LBNL+Attack.trace, and Campus+Attack.trace)
* Detect all malicious activity: Bro, Share All, and vNIDS
* Miss malicious activities: No Share

28 Performance Improvements by Detection State Classification
(Figure: Packet Processing Time (microseconds) and Packet Processing Time Reduced (%), with reductions above 50%)
* Reduced processing time: for all six detection logics
* Reduction rate: more than 50%

29 Efficiency of Microservices
(Figure: Launch Time (milliseconds))
* Monolithic NIDS: launches slower
* Microservice: scales faster

30 Flexibility of vNIDS
(Figure: Traditional NIDS Instances; traffic from the Internet to Site-1 (Clemson) and Site-2 (Wisconsin) is rerouted through the fixed instances A and B)

31 Flexibility of vNIDS
(Figure: Virtualized NIDS Instances; instances A and B placed at Site-1 (Clemson) and Site-2 (Wisconsin), with less rerouted traffic)

32 Flexibility of vNIDS
(Figure: Communication Traffic between Virtualized NIDS Instance-A at Site-1 (Clemson) and Virtualized NIDS Instance-B at Site-2 (Wisconsin))

33 Flexibility of vNIDS
* Reduced by 99.9% in the best case
* Reduced by 58.3% in the worst case

34 Flexibility of vNIDS
* Adjustable capacity (figure: runtime throughput of vNIDS and Bro Cluster)
* Adjustable resource consumption (figure: number of instances of vNIDS and Bro Cluster)

35 Conclusion and Future Work
* A further step towards elastic security: safe and efficient NIDS virtualization
  - Effective intrusion detection
  - Non-monolithic NIDS provisioning
* Implementation and evaluation: 3 microservices and 6 detection logic programs; extensive evaluation of vNIDS
* Future work: more fine-grained microservices; generalize the approach to other security and non-security NFs

36 Q & A Clemson University
