Abstract
Growing traffic volumes and the increasing complexity of attacks pose a constant scaling challenge for network intrusion prevention systems (NIPS). In this respect, offloading NIPS processing to compute clusters offers an immediately deployable alternative to expensive hardware upgrades. In practice, however, NIPS offloading is challenging on three fronts, in contrast to passive network security functions: (1) NIPS offloading can impact other traffic engineering objectives; (2) NIPS offloading impacts user-perceived latency; and (3) NIPS actively change traffic volumes by dropping unwanted traffic. To address these challenges, we present the SNIPS system. We design a formal optimization framework that captures tradeoffs across scalability, network load, and latency. We provide a practical implementation using recent advances in software-defined networking without requiring modifications to NIPS hardware. Our evaluations on realistic topologies show that SNIPS can reduce the maximum load by up to 10× while only increasing the latency by 2%.
Keywords
- Intrusion Detection
- Intrusion Detection System
- Drop Rate
- Network Intrusion Detection
- Linear Programming Solution
© 2014 Springer International Publishing Switzerland
Cite this paper
Heorhiadi, V., Fayaz, S.K., Reiter, M.K., Sekar, V. (2014). SNIPS: A Software-Defined Approach for Scaling Intrusion Prevention Systems via Offloading. In: Prakash, A., Shyamasundar, R. (eds) Information Systems Security. ICISS 2014. Lecture Notes in Computer Science, vol 8880. Springer, Cham. https://doi.org/10.1007/978-3-319-13841-1_2
DOI: https://doi.org/10.1007/978-3-319-13841-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13840-4
Online ISBN: 978-3-319-13841-1
eBook Packages: Computer Science (R0)