The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware

Authors:
Matthias Vallentin;Robin Sommer;Jason Lee;Craig Leres;Vern Paxson;Brian Tierney
Affiliations:
TU München;Lawrence Berkeley National Laboratory and International Computer Science Institute;Lawrence Berkeley National Laboratory;Lawrence Berkeley National Laboratory;International Computer Science Institute and Lawrence Berkeley National Laboratory;Lawrence Berkeley National Laboratory
Venue:
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Year:
2007

Citing 15
Cited 31

A Methodology for Testing Intrusion Detection Systems

IEEE Transactions on Software Engineering
Cluster-based scalable network services

Proceedings of the sixteenth ACM symposium on Operating systems principles
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
NetSTAT: a network-based intrusion detection system

Journal of Computer Security
The click modular router

ACM Transactions on Computer Systems (TOCS)
Designing a Web of Highly-Configurable Intrusion Detection Sensors

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Stateful Intrusion Detection for High-Speed Networks

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Operational experiences with high-volume network intrusion detection

Proceedings of the 11th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
SPANIDS: a scalable network intrusion detection loadbalancer

Proceedings of the 2nd conference on Computing frontiers
Exploiting Independent State For Network Intrusion Detection

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
The shunt: an FPGA-based accelerator for network intrusion prevention

Proceedings of the 2007 ACM/SIGDA 15th international symposium on Field programmable gate arrays
Detecting stepping stones

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Dynamic application-layer protocol analysis for network intrusion detection

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Rethinking hardware support for network analysis and intrusion prevention

HOTSEC'06 Proceedings of the 1st USENIX Workshop on Hot Topics in Security

Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention

Proceedings of the 14th ACM conference on Computer and communications security
Stress testing cluster Bro

DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007
Enriching network security analysis with time travel

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Gnort: High Performance Network Intrusion Detection Using Graphics Processors

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Predicting the Resource Consumption of Network Intrusion Detection Systems

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Correlation-based load balancing for network intrusion detection and prevention systems

Proceedings of the 4th international conference on Security and privacy in communication netowrks
MultiLayer processing - an execution model for parallel stateful packet processing

Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
A Parallel Architecture for Stateful, High-Speed Intrusion Detection

ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
Performance Improvement by Means of Collaboration between Network Intrusion Detection Systems

CNSR '09 Proceedings of the 2009 Seventh Annual Communication Networks and Services Research Conference
Improving the accuracy of network intrusion detection systems under load using selective packet discarding

Proceedings of the Third European Workshop on System Security
Distributed intrusion detection with intelligent network interfaces for future networks

ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Exploiting heterogeneous multicore-processor systems for high-performance network processing

IBM Journal of Research and Development
Network-wide deployment of intrusion detection and prevention systems

Proceedings of the 6th International COnference
Enhancing Intrusion Detection System with proximity information

International Journal of Security and Networks
Telex: anticensorship in the network infrastructure

SEC'11 Proceedings of the 20th USENIX conference on Security
An efficient hash-based load balancing scheme to support parallel NIDS

ICCSA'11 Proceedings of the 2011 international conference on Computational science and its applications - Volume Part I
MIDeA: a multi-parallel intrusion detection architecture

Proceedings of the 18th ACM conference on Computer and communications security
Intrusion detection at 100G

State of the Practice Reports
Improving the performance of passive network monitoring applications with memory locality enhancements

Computer Communications
Design and implementation of a consolidated middlebox architecture

NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
Kargus: a highly-scalable software-based intrusion detection system

Proceedings of the 2012 ACM conference on Computer and communications security
Deep packet inspection tools and techniques in commodity platforms: Challenges and trends

Journal of Network and Computer Applications
A decentralized clustering scheme for transparent mode devices

Cluster Computing
A lone wolf no more: supporting network intrusion detection with real-time intelligence

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
New opportunities for load balancing in network-wide intrusion detection systems

Proceedings of the 8th international conference on Emerging networking experiments and technologies
Toward scalable internet traffic measurement and analysis with Hadoop

ACM SIGCOMM Computer Communication Review
FireCol: a collaborative protection network for the detection of flooding DDoS attacks

IEEE/ACM Transactions on Networking (TON)
Wild-Inspired Intrusion Detection System Framework for High Speed Networks f|p IDS Framework

International Journal of Information Security and Privacy
Overcoming performance collapse for 100Gbps cyber security

Proceedings of the first workshop on Changing landscapes in HPC security
Split/merge: system support for elastic execution in virtual middleboxes

nsdi'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
Protocol misidentification made easy with format-transforming encryption

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this work we present a NIDS cluster as a scalable solution for realizing high-performance, stateful network intrusion detection on commodity hardware. The design addresses three challenges: (i) distributing traffic evenly across an extensible set of analysis nodes in a fashion that minimizes the communication required for coordination, (ii) adapting the NIDS's operation to support coordinating its low-level analysis rather than just aggregating alerts; and (iii) validating that the cluster produces sound results. Prototypes of our NIDS cluster now operate at the Lawrence Berkeley National Laboratory and the University of California at Berkeley. In both environments the clusters greatly enhance the power of the network security monitoring.