On Optimizing Load Balancing of Intrusion Detection and Prevention Systems
In large-scale enterprise networks, multiple network intrusion detection and prevention systems are used to provide high-quality protection. A challenging problem is to keep the load of these systems balanced while minimizing the information lost by splitting traffic among them. Because anomaly-based detection and prevention of some intrusions require a single system to analyze attack-correlated flows, this information loss can severely reduce detection and prevention accuracy. In this paper we address the problem by first formalizing load balancing as an optimization problem that accounts for both load variance and information loss. We then present our Benefit-based Load Balancing (BLB) algorithm as a solution. We have implemented a prototype load balancer using the BLB algorithm and evaluated it against a DDoS attack. Our results show that the load balancer significantly improves detection accuracy while keeping the load of the systems within a desired bound.
Nowadays, as people rely heavily on computer systems to conduct business and operate mission-critical devices, the effects of viruses and worms are far more damaging. One way to combat their spread is to deploy network intrusion detection and prevention systems (NIDPSs). An NIDPS is usually placed at the edge of a network, between the internal and external networks, where it monitors all packets entering from the external network and leaving the internal network in order to detect and prevent intrusions. Since network traffic speed and volume are growing exponentially and NIDPSs are becoming more complex, a critical problem with a single NIDPS is that it can easily be overloaded. When overloaded, the NIDPS eventually has to drop packets, which compromises the security it offers: some intrusions cannot be detected if their related packets are dropped.

Using a cluster of NIDPSs is the most affordable and scalable solution to this problem. When a cluster is used, keeping the load evenly distributed among its NIDPSs is crucial. Most importantly, even distribution provides protection, since an overloaded system becomes less likely; it also allows better traffic engineering, which improves the network's quality of service. A challenging problem, however, is to maintain load balancing across the systems while minimizing the information lost by distributing traffic. Since anomaly-based detection and prevention of some intrusions, such as distributed denial of service (DDoS) attacks and port scans, require a single system to analyze the correlated flows of an attack, this information loss can severely affect detection and prevention accuracy. In this paper, we propose a novel approach to distributing traffic to the NIDPSs.
First, we formalize the load balancing problem as an optimization problem that considers both the load variance and the information loss. We then present our Benefit-based Load Balancing (BLB) algorithm as a solution. The algorithm uses an on-line clustering technique to distribute flows in real time such that (1) correlated flows are grouped together at a single NIDPS to minimize information loss, and (2) the loads of the NIDPSs are kept within a specified bound of one another.
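The two goals above pull in opposite directions, and the abstract does not show how a per-flow decision trades them off. The following is an added illustration, not the authors' BLB implementation: a greedy on-line assignment that scores each sensor by a hypothetical benefit (number of already-assigned flows with the same correlation key, minus a load penalty) and only considers sensors that keep the spread between the busiest and idlest sensor within a bound. The correlation key (destination address, standing in for "flows of one DDoS attack"), the load model (one unit per active flow), the `load_weight` knob and the sample flows are all assumptions made for the example.

```python
"""Benefit-based flow assignment, added as an illustration of the idea in the
abstract above. It is NOT the paper's BLB algorithm or prototype; the benefit
function, correlation key, load model and sample traffic are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def ddos_key(flow: Flow) -> str:
    """Correlation key: flows to the same victim belong to one DDoS cluster.
    A port-scan detector would cluster on flow.src_ip instead (assumption)."""
    return flow.dst_ip


@dataclass
class BenefitBalancer:
    """Greedy on-line assignment. A new flow goes to the sensor with the highest
    benefit = (correlated flows already there) - load_weight * load, chosen only
    among sensors that keep max(load) - min(load) <= load_bound."""
    n_sensors: int
    load_bound: int                  # allowed spread between busiest and idlest sensor (>= 1)
    load_weight: float = 0.5         # penalty per unit of load (hypothetical tuning knob)
    key_fn: Callable[[Flow], str] = ddos_key
    loads: List[int] = field(init=False)
    clusters: List[Dict[str, int]] = field(init=False)   # per sensor: key -> flow count

    def __post_init__(self) -> None:
        if self.load_bound < 1:
            raise ValueError("load_bound must be >= 1 so some sensor is always feasible")
        self.loads = [0] * self.n_sensors
        self.clusters = [{} for _ in range(self.n_sensors)]

    def benefit(self, sensor: int, key: str) -> float:
        return self.clusters[sensor].get(key, 0) - self.load_weight * self.loads[sensor]

    def assign(self, flow: Flow) -> int:
        key = self.key_fn(flow)
        min_load = min(self.loads)
        # Hard constraint first: one more flow must not push the spread past the bound.
        # A least-loaded sensor always qualifies when load_bound >= 1, so this is non-empty.
        feasible = [s for s in range(self.n_sensors)
                    if self.loads[s] + 1 - min_load <= self.load_bound]
        # Then maximise benefit; ties go to the lighter sensor, then the lower index.
        best = max(feasible, key=lambda s: (self.benefit(s, key), -self.loads[s], -s))
        self.loads[best] += 1
        self.clusters[best][key] = self.clusters[best].get(key, 0) + 1
        return best

    def release(self, flow: Flow, sensor: int) -> None:
        """Flow ended: return its load to the sensor (real-time bookkeeping)."""
        key = self.key_fn(flow)
        self.loads[sensor] -= 1
        self.clusters[sensor][key] -= 1
        if self.clusters[sensor][key] == 0:
            del self.clusters[sensor][key]


def simulate(balancer: BenefitBalancer, flows: List[Flow]) -> List[int]:
    return [balancer.assign(f) for f in flows]


def round_robin(flows: List[Flow], n_sensors: int) -> List[int]:
    """Baseline: plain load spreading that ignores flow correlation."""
    return [i % n_sensors for i in range(len(flows))]


def cluster_visibility(flows: List[Flow], assignment: List[int],
                       key_fn: Callable[[Flow], str] = ddos_key) -> Dict[str, float]:
    """Per correlation key, the largest share of its flows any single sensor
    sees. 1.0 means that cluster suffers no information loss."""
    per_key: Dict[str, Dict[int, int]] = {}
    for f, s in zip(flows, assignment):
        counts = per_key.setdefault(key_fn(f), {})
        counts[s] = counts.get(s, 0) + 1
    return {k: max(c.values()) / sum(c.values()) for k, c in per_key.items()}


# Constructed sample: five flood-style flows from distinct sources to one
# victim, interleaved with three unrelated flows.
VICTIM = "10.0.0.5"
SAMPLE_FLOWS = [
    Flow("198.51.100.1", VICTIM, 80),
    Flow("203.0.113.7", "10.0.0.10", 443),
    Flow("203.0.113.8", "10.0.0.11", 22),
    Flow("198.51.100.2", VICTIM, 80),
    Flow("198.51.100.3", VICTIM, 80),
    Flow("198.51.100.4", VICTIM, 80),
    Flow("203.0.113.9", "10.0.0.12", 25),
    Flow("198.51.100.5", VICTIM, 80),
]

if __name__ == "__main__":
    bal = BenefitBalancer(n_sensors=3, load_bound=2)
    blb = simulate(bal, SAMPLE_FLOWS)
    rr = round_robin(SAMPLE_FLOWS, 3)
    print("benefit-based:", blb, "loads", bal.loads, cluster_visibility(SAMPLE_FLOWS, blb))
    print("round-robin:  ", rr, cluster_visibility(SAMPLE_FLOWS, rr))
```

On the constructed trace the benefit-based balancer places four of the five victim-bound flows on one sensor (the fifth is diverted only when the bound of 2 would otherwise be exceeded), so that sensor sees 80% of the attack, while the loads end at 4/2/2. Round-robin keeps loads slightly flatter (3/3/2) but no sensor sees more than 40% of the attack, which is exactly the information loss the paper is concerned with.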