Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
ACM Transactions on Information and System Security (TISSEC)
Stateful Intrusion Detection for High-Speed Networks
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Proceedings of the 2003 ACM workshop on Rapid malcode
A taxonomy of DDoS attack and DDoS defense mechanisms
ACM SIGCOMM Computer Communication Review
Operational experiences with high-volume network intrusion detection
Proceedings of the 11th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
SPANIDS: a scalable network intrusion detection loadbalancer
Proceedings of the 2nd conference on Computing frontiers
An Active Splitter Architecture for Intrusion Detection and Prevention
IEEE Transactions on Dependable and Secure Computing
A taxonomy of parallel techniques for intrusion detection
ACM-SE 45 Proceedings of the 45th annual southeast regional conference
The Zombie roundup: understanding, detecting, and disrupting botnets
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Proceedings of the 14th ACM conference on Computer and communications security
A framework for clustering evolving data streams
VLDB '03 Proceedings of the 29th international conference on Very large data bases - Volume 29
The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Network-wide deployment of intrusion detection and prevention systems
Proceedings of the 6th International COnference
| Hi-index | 0.00 |
In large-scale enterprise networks, multiple network intrusion detection and prevention systems are used to provide high quality protections. In this context, keeping load evenly distributed among the systems is crucial. This is because even load distributions provide protection to the networks and improve the networks' quality of service. A challenging problem, however, is to maintain the load balancing of the systems while minimizing the loss of correlation information due to distributing traffic. Since anomaly- based detection and prevention of some intrusions, such as distributed denial of service (DDoS) attacks and port scans, require a single system to analyze correlated flows of the attacks, this loss of correlation information might severely affect the accuracy of the detections and preventions. In this paper, we address this challenging problem by first formalizing the load balancing problem as an optimization problem, considering both the systems' load variance and the correlation information loss. We then present our Benefit-based Load Balancing (BLB) algorithm as a solution to the optimization problem. We have implemented a prototype load-balancer which uses the BLB algorithm. We evaluated the load-balancer against various port scans and DDoS attacks. The evaluation results show that our load-balancer significantly improves the detection accuracy of these attacks while keeping the systems' load close within a desired bound.