On Optimizing Load Balancing of Intrusion Detection and Prevention Systems



In large-scale enterprise networks, multiple network intrusion detection and prevention systems are used to provide high-quality protection. A challenging problem is to maintain load balancing of the systems while minimizing the loss of information due to distributing traffic. Because anomaly-based detection and prevention of some intrusions require a single system to analyze attack-correlated flows, this loss of information might severely reduce the accuracy of the detection and prevention. In this paper, we address this problem by first formalizing the load balancing problem as an optimization problem, considering both the load variance and the information loss. We then present our Benefit-based Load Balancing (BLB) algorithm as a solution to the problem. We have implemented a prototype load-balancer with the BLB algorithm and evaluated it against a DDoS attack. Our results show that the load-balancer significantly improves the detection accuracy, while being able to keep the load of the systems within a desired bound.

Nowadays, as people rely heavily on computer systems to conduct business and operate mission-critical devices, the effects of viruses and worms are much more disastrous. One way to combat the spread of viruses and worms is by using network intrusion detection and prevention systems (NIDPSs). An NIDPS is usually placed at an edge of a network, between its internal and external networks. The NIDPS monitors all packets coming in from the external network and going out of the internal network to detect and prevent intrusions. Since network traffic speed and volume are increasing at an exponential rate, and NIDPSs are becoming more complex, a critical problem with using a single NIDPS is that it can easily be overloaded. When overloaded, the NIDPS eventually has to drop packets. Dropping packets compromises the security offered by the NIDPS, because some intrusions cannot be detected if their related packets are dropped. Using clusters of NIDPSs offers the most affordable and scalable solution to the above problem. When a cluster of NIDPSs is used in a network, keeping the load evenly distributed among the NIDPSs is crucial because even load distribution, most importantly, provides protection: an overloaded system becomes less likely. Additionally, it allows for better traffic engineering, which improves the network's quality of service. A challenging problem, however, is to maintain load balancing of the systems while minimizing the loss of information due to distributing traffic. Since anomaly-based detection and prevention of some intrusions, such as distributed denial of service (DDoS) attacks and port scans, require a single system to analyze the correlated flows of the attack, this loss of information might severely affect the accuracy of the detection and prevention. In this paper, we propose a novel approach to distributing traffic to the NIDPSs.
First, we formalize the load balancing problem as an optimization problem, considering both the load variance and the information loss. We then present our Benefit-based Load Balancing (BLB) algorithm as a solution to the problem. This algorithm uses an on-line clustering technique to distribute flows in real time such that: (1) correlated flows are grouped together at a single NIDPS to minimize the information loss, and (2) the loads of the NIDPSs are kept within a specified bound.
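To make the two objectives concrete, the following is an added toy flow distributor written for this page; it is not the paper's BLB algorithm or prototype, whose scoring rule and clustering details are not given here. It assumes, as a stand-in for "correlated flows", that flows sharing a destination host belong to one group (what a DDoS or port-scan detector needs to see on a single NIDPS), scores each candidate node by a benefit that rewards co-locating a flow with its group and penalizes added load, and only admits placements that keep the max-min load spread within a fixed bound. The sample flows are constructed, and a round-robin distributor is included for comparison of the information loss.

```python
"""Toy benefit-based distributor for a cluster of NIDPS nodes.

Added illustration: the benefit rule and the feasibility check are assumptions
made for this example, not the BLB algorithm of the paper.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # source address (constructed sample value)
    dst: str   # destination address
    size: int  # load the flow adds to a node, in abstract units


class BenefitBalancer:
    """Assigns flows to NIDPS nodes, trading correlation against load skew."""

    def __init__(self, n_nodes, load_bound, corr_weight=1.0, load_weight=0.1):
        self.loads = [0] * n_nodes
        # Per node: correlation-group key -> number of that group's flows there.
        self.groups = [defaultdict(int) for _ in range(n_nodes)]
        self.load_bound = load_bound    # allowed max-min spread of node loads
        self.corr_weight = corr_weight  # reward per co-located correlated flow
        self.load_weight = load_weight  # penalty per unit of projected load

    @staticmethod
    def group_key(flow):
        # Assumption: flows to the same destination are treated as correlated.
        return flow.dst

    def _feasible(self, node, flow):
        """True if placing `flow` on `node` keeps the load spread within bound."""
        projected = list(self.loads)
        projected[node] += flow.size
        return max(projected) - min(projected) <= self.load_bound

    def benefit(self, node, flow):
        """Correlation benefit minus load penalty for placing `flow` on `node`."""
        corr = self.groups[node].get(self.group_key(flow), 0)
        projected_load = self.loads[node] + flow.size
        return self.corr_weight * corr - self.load_weight * projected_load

    def assign(self, flow):
        """Pick the feasible node with the highest benefit (lowest index on ties)."""
        candidates = [n for n in range(len(self.loads)) if self._feasible(n, flow)]
        if candidates:
            node = max(candidates, key=lambda n: (self.benefit(n, flow), -n))
        else:
            # No placement satisfies the bound: fall back to the least loaded node.
            node = self.loads.index(min(self.loads))
        self.loads[node] += flow.size
        self.groups[node][self.group_key(flow)] += 1
        return node

    def spread(self):
        return max(self.loads) - min(self.loads)

    def placement_of(self, key):
        """Which nodes hold flows of a group, and how many each (information loss view)."""
        return {n: g[key] for n, g in enumerate(self.groups) if g.get(key, 0)}


def round_robin_placement(flows, n_nodes, key):
    """Baseline: plain round robin, which ignores correlation entirely."""
    counts = defaultdict(int)
    for i, f in enumerate(flows):
        if BenefitBalancer.group_key(f) == key:
            counts[i % n_nodes] += 1
    return dict(counts)


# Constructed traffic: seven flows from distinct sources to one victim host
# (the shape of a DDoS) interleaved with two larger background flows.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "10.0.0.5", 1),
    Flow("198.51.100.2", "10.0.0.5", 1),
    Flow("198.51.100.3", "10.0.0.5", 1),
    Flow("203.0.113.7", "10.0.0.8", 2),
    Flow("203.0.113.9", "10.0.0.9", 2),
    Flow("198.51.100.4", "10.0.0.5", 1),
    Flow("198.51.100.5", "10.0.0.5", 1),
    Flow("198.51.100.6", "10.0.0.5", 1),
    Flow("198.51.100.7", "10.0.0.5", 1),
]


def run_demo(n_nodes=3, load_bound=4):
    """Distribute SAMPLE_FLOWS and return (assignment, balancer)."""
    balancer = BenefitBalancer(n_nodes=n_nodes, load_bound=load_bound)
    assignment = [balancer.assign(f) for f in SAMPLE_FLOWS]
    return assignment, balancer


if __name__ == "__main__":
    assignment, b = run_demo()
    print("assignment:", assignment, "loads:", b.loads, "spread:", b.spread())
    print("victim group, benefit-based:", b.placement_of("10.0.0.5"))
    print("victim group, round robin:  ", round_robin_placement(SAMPLE_FLOWS, 3, "10.0.0.5"))
```

Running it shows the trade-off the text describes: the benefit rule keeps six of the seven victim-bound flows on one node, and the seventh is moved only because keeping it there would push the load spread past the bound, whereas round robin scatters the same group across all three nodes, so no single NIDPS ever sees the whole attack.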
