7/29/2019 New Trend of IDS
1/18
Southeast University
School of Cs. & Eng.
2007.1
New Trend of Intrusion Detection System for High-speed Networks
Wei Wei
School of Computer Science and Engineering
East China (North) Regional Network Center (NENC) of CERNET
Southeast University, Nanjing, Jiangsu, China
Outline
Introduction
Related work
Our Work
Conclusion
Introduction
The recent trend of high-speed networks
2004 Dataquest Stat.
14% of the links between core routers: OC-768 (40 Gbps)
21% of edge links: OC-192 (10 Gbps)
Increasingly complex intrusion detection methods
Challenging the capability of a single NIDS
Introduction
Distributed architecture as an alternative
Basic idea
Traffic splitting
Parallel processing
Reducing load on a single node
Components
Network tap
Traffic scatter
Traffic slicer
Switch
Stream reassembler
Channel
IDS sensor
Introduction
Evaluation
Good scalability and flexibility
The back-end processing system can be managed in the form of a computer cluster, whose capability highly exceeds a single node
Related Work
Two key technologies
Traffic splitting
Load balancing
Related Work
Traffic Splitting principles
To distribute packets of the same attack to the same sensor
Efficient enough to keep up with the network speed
To distribute the traffic among sensors as evenly as possible
Adaptive to the variety of the network traffic
Related Work
Recent traffic splitting approaches
Mainly based on flows
Hashing the triple of a flow to a specific sensor
Some based on security policies and IDS characteristics
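The flow-based splitting described above, as an added example that is not code from the presentation or from the Monster system. The slide speaks of hashing a flow's triple; this example assumes the key is built from the two endpoints (address and port) plus the protocol and makes it direction-independent, so both halves of a conversation (and therefore all packets of one attack inside that flow) reach the same sensor. A keyed BLAKE2b hash is used so the flow-to-sensor mapping cannot be computed by anyone who does not hold the key, which protects the even distribution against traffic crafted to pile onto one sensor. The `synthetic_flows` generator and the secret are constructed here for the demonstration.

```python
import hashlib
import ipaddress
from collections import Counter


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent flow key.

    The two endpoints are put in canonical order, so a packet from A to B and
    its reply from B to A produce the same key (assumption: the splitter keys
    on addresses, ports and protocol).
    """
    a = (ipaddress.ip_address(src_ip), src_port)
    b = (ipaddress.ip_address(dst_ip), dst_port)
    lo, hi = sorted([a, b])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def pick_sensor(key, n_sensors, secret=b"constructed-splitter-secret"):
    """Keyed hash of the flow key, reduced modulo the number of sensors.

    The key keeps the mapping unpredictable to outsiders; without it, an
    observer could pre-compute which flows share a sensor.
    """
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_sensors


def split_traffic(packets, n_sensors):
    """Map every flow seen in `packets` to a sensor index.

    `packets` is an iterable of (src_ip, src_port, dst_ip, dst_port, proto).
    The returned dict holds one entry per flow, not per packet.
    """
    assignment = {}
    for pkt in packets:
        key = flow_key(*pkt)
        assignment.setdefault(key, pick_sensor(key, n_sensors))
    return assignment


def balance_ratio(assignment, n_sensors):
    """Busiest sensor's flow count divided by the mean; 1.0 is perfectly even."""
    counts = Counter(assignment.values())
    loads = [counts.get(i, 0) for i in range(n_sensors)]
    return max(loads) / (sum(loads) / n_sensors)


def synthetic_flows(n):
    """Constructed sample traffic: n distinct TCP flows from 10.0.0.0/16 hosts
    to a handful of servers in 192.0.2.0/24."""
    return [
        (f"10.0.{(i >> 8) & 255}.{i & 255}", 1024 + (i * 7) % 50000,
         f"192.0.2.{i % 200}", 80 if i % 3 else 443, "tcp")
        for i in range(n)
    ]


if __name__ == "__main__":
    # Both directions of one session land on the same sensor.
    request = ("10.1.1.5", 51000, "192.0.2.10", 80, "tcp")
    reply = ("192.0.2.10", 80, "10.1.1.5", 51000, "tcp")
    assert pick_sensor(flow_key(*request), 8) == pick_sensor(flow_key(*reply), 8)

    # Distribution over 8 sensors for 10,000 constructed flows.
    assignment = split_traffic(synthetic_flows(10_000), 8)
    print("flows per sensor:", sorted(Counter(assignment.values()).items()))
    print("max/mean ratio:", round(balance_ratio(assignment, 8), 3))
```

With a keyed hash the evenness of the split depends only on the hash, not on the address structure of the monitored network, which is why the ratio stays near 1.0 even though the constructed flows all come from one /16.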
Related Work
Load balancing
Unlike in other environments such as web servers or clusters, mainly concerned with the guarantee of appropriate sensor load, much more than fairness of work distribution
Assignment of load balancing in NIDS
Traffic splitter: to keep the detecting capability of sensors and easily manage the overall system
Each sensor: choosing packets to detect based on the load balancing approach
Related Work
Load balancing algorithm
How to predict overloading on nodes precisely
How to reduce the load smoothly to get the smallest packet loss rate
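One way to address the two questions above, as an added example rather than the scheme the presentation proposes: predict each sensor's next-interval load with a smoothed level plus trend (double EWMA), flag overload with hysteresis so a sensor is not toggled on every noisy sample, and relieve a predicted-overloaded sensor by migrating one hash bucket per interval to the least-loaded sensor instead of rehashing all flows at once. The capacity figures, thresholds and packet-rate samples are constructed; the bucket map assumes the splitter hashes flows into a fixed number of buckets that are then mapped to sensors.

```python
from collections import Counter


class SensorLoadMonitor:
    """Predicts a sensor's load one interval ahead and flags overload.

    level: EWMA of observed packets/s; trend: EWMA of the change in level.
    The prediction is level + trend, so a rising sensor is flagged before it
    actually reaches capacity. Two thresholds (high/low) give hysteresis.
    """

    def __init__(self, capacity_pps, alpha=0.5, high=0.85, low=0.70):
        self.capacity = capacity_pps   # constructed: what the sensor inspects without loss
        self.alpha = alpha             # smoothing factor; larger reacts faster
        self.high, self.low = high, low
        self.level = None              # None until the first sample arrives
        self.trend = 0.0
        self.overloaded = False

    def observe(self, pps):
        """Feed one interval's packet rate; returns the new overload flag."""
        if self.level is None:
            self.level = float(pps)
        else:
            prev = self.level
            self.level = self.alpha * pps + (1 - self.alpha) * self.level
            self.trend = self.alpha * (self.level - prev) + (1 - self.alpha) * self.trend
        util = self.predicted() / self.capacity
        if util >= self.high:
            self.overloaded = True
        elif util <= self.low:
            self.overloaded = False
        return self.overloaded

    def predicted(self):
        return self.level + self.trend


def rebalance(bucket_map, monitors, max_moves=1):
    """Move at most `max_moves` hash buckets per interval off overloaded sensors.

    bucket_map: dict bucket_id -> sensor index (mutated in place).
    monitors:   one SensorLoadMonitor per sensor.
    Returns the list of (bucket, from_sensor, to_sensor) moves performed.
    Moving a few buckets at a time keeps the relocation smooth: only the flows
    in the moved bucket change sensor, so reassembly state is disturbed for a
    small slice of traffic and the hot sensor drains gradually.
    """
    moves = []
    for src, mon in enumerate(monitors):
        if not mon.overloaded:
            continue
        dst = min((i for i in range(len(monitors)) if i != src),
                  key=lambda i: monitors[i].predicted())
        for bucket in sorted(bucket_map):
            if bucket_map[bucket] == src:
                bucket_map[bucket] = dst
                moves.append((bucket, src, dst))
                break
        if len(moves) >= max_moves:
            break
    return moves


if __name__ == "__main__":
    # Constructed trace: sensor 0 ramps up while the others stay quiet.
    monitors = [SensorLoadMonitor(capacity_pps=1000) for _ in range(4)]
    buckets = {b: b % 4 for b in range(16)}          # 16 buckets, 4 per sensor
    trace = [(400, 300, 400, 300), (800, 300, 400, 300), (900, 300, 400, 300)]
    for interval, rates in enumerate(trace):
        for mon, pps in zip(monitors, rates):
            mon.observe(pps)
        moves = rebalance(buckets, monitors)
        print(f"interval {interval}: predicted={[round(m.predicted()) for m in monitors]}"
              f" moves={moves} buckets={sorted(Counter(buckets.values()).items())}")
```

In the trace the third sample of sensor 0 (900 pps) predicts 875 pps, above the 85% threshold, so one bucket is moved although the observed rate is still under capacity; a later drop to 700 pps leaves the flag set until the prediction falls below 70%, which is the hysteresis that prevents buckets bouncing back.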
Related Work
Improvement of the architecture
Early filtering
Locality buffering
Multiple levels of hashing
Adding an analyzing node
Our work
Past work
A misuse intrusion detection system: Monster 3.0
Supporting Gigabit Ethernet link traffic processing
Applied successfully to the construction of CERNET high-speed regional networks
[Figure: CERNET deployment topology. National backbone (CRS1) with Beijing, Shanghai and Wuhan nodes; regional backbones (7609, 6503); channels of 10G, 2.5G, 1G and 100M.]
Our work
Our goal
A parallel IDS for high-speed networks based on the distributed architecture
Features of the system
Using common PC servers without requiring special hardware
Running on high-speed networks steadily and assuring a low packet loss rate
A simple and efficient splitting design to meet the demand of high speed, assign the traffic across nodes as evenly as possible and adapt itself to the variety of the network traffic
A practical dynamic load balancing scheme to achieve a proper balance between the packet loss rate and the algorithm complexity
Integrating the node-issued alert messages to detect multi-object attacks on the whole network
Providing high-level reports on the objective networks: macroscopic security trend analysis, response suggestions, and reactions at the same time
Our work
[Figure: architecture of the parallel IDS, consisting of a scatter, a switch, multiple reassemblers, load balancers and sensors, and an analyzer.]
Conclusion
The parallel IDS architecture effectively resolves the processing and analysis capability problem of network security for high-speed networks.
It has better scalability and flexibility with a hierarchical structure.
Based on this architecture, the IDS will effectively monitor our backbone network for security and help us in the evaluation and forecast of network security situations.
Questions?
Thank You