Article

SPANIDS: a scalable network intrusion detection loadbalancer

Authors:

Lambert Schaelicke,

Kyle Wheeler,

Curt FreelandAuthors Info & Claims

CF '05: Proceedings of the 2nd conference on Computing frontiers

Pages 315 - 322

https://doi.org/10.1145/1062261.1062314

Published: 04 May 2005 Publication History

Get Access

Abstract

Network intrusion detection systems (NIDS) are becoming an increasingly important security measure. With rapidly increasing network speeds, the capacity of the NIDS sensor can limit the ability of the system to detect intrusions. The SPANIDS parallel NIDS architecture overcomes this limitation by distributing network traffic load over an array of sensor nodes. Based on a custom hardware load balancer and cost-effective off-the-shelf sensors, the system employs novel stateless load balancing heuristics to thwart scalability limitations. It also uses dynamic feedback from the sensor nodes to adapt to changes in network traffic. This paper describes the overall system architecture, discusses some of the critical design decisions and presents experimental results that demonstrate the performance advantage of this approach

References

[1]

O. P. Damani, P. E. Chung, Y. Huang, C. Kintala, and Y.-M. Wang. ONE-IP: Techniques for Hosting a Service on a Cluster of Machines. Computer Networks and ISDN Systems, 29(8-13):1019 -- 1027, 1997.

Digital Library

Google Scholar

[2]

S. Edwards. Vulnerabilities of Network Intrusion Detection Systems: Realizing and Overcoming the Risks. The Case for Flow Mirroring, 2002.

Google Scholar

[3]

A. Fox, S. D. Gribble, Y. Chawathe, E. A. Brewer, and P. Gauthier. Cluster-Based Scalable Network Services. In ACM Symposium on Operating Systems Principles, pages 78--91. ACM Press, New York, N.Y., 1997.

Digital Library

Google Scholar

[4]

J. Haines, R. Lippmann, D. Fried, J. Korba, and K. Das. 1999 DARPA Intrusion Detection System Evaluation: Design and Procedures. Technical Report 1062, MIT Lincoln Laboratory, Boston, Mass., 2001.

Google Scholar

[5]

C. Kruegel, F. Valeur, G. Vigna, and R. Kemmerer. Stateful Intrusion Detection for High-Speed Networks. In IEEE Symposium on Security and Privacy. IEEE CS Press, Los Alamitos, Calif., 2002.

Digital Library

Google Scholar

[6]

Network ICE Corp. Protocol Analysis vs. Pattern Matching, 2000.

Google Scholar

[7]

V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23-24):2435--2463, 1999.

Digital Library

Google Scholar

[8]

N. Puketza, K. Zhang, M. Chung, B. Mukherjee, and R. Olsson. A Methodology for Testing Intrusion Detection Systems. IEEE Transactions on Software Engineering, 22(10):719--729, 1996.

Digital Library

Google Scholar

[9]

M. Ranum. Experiences Benchmarking Intrusion Detection Systems. Network Flight Recorder Security, Inc.

Google Scholar

[10]

M. Roesch. Snort: Lightweight Intrusion Detection for Networks. In Usenix LISA '99 Conference. Usenix Society, Berkeley, Calif., 1999.

Digital Library

Google Scholar

[11]

L. Schaelicke, T. Slabach, B. Moore, and C. Freeland. Characterizing the Performance of Network Intrusion Detection Sensors. In Sixth International Symposium on Recent Advances in Intrusion Detection (RAID 2003), pages 155--172. Springer-Verlag, Berlin - Heidelberg - New York, 2003.

Google Scholar

[12]

Sourcefire Network Security Inc. Snort 2.0 - Detection Revisited, 2002.

Google Scholar

[13]

Xilinx Corporation. Virtex II Datasheet, 2001. DS-031-1.

Google Scholar

Cited By

View all

Radivilova TKirichenko LAlghawli AAgeyev DMulesa OBaranovskyi OIlkov AKulbachnyi VBondarenko O(2022)Statistical and Signature Analysis Methods of Intrusion DetectionInformation Security Technologies in the Decentralized Distributed Networks10.1007/978-3-030-95161-0_5(115-131)Online publication date: 4-Apr-2022
https://doi.org/10.1007/978-3-030-95161-0_5
Ageyev DKirichenko LRadivilova TTawalbeh MBaranovskyi O(2018)Method of self-similar load balancing in network intrusion detection system2018 28th International Conference Radioelektronika (RADIOELEKTRONIKA)10.1109/RADIOELEK.2018.8376406(1-4)Online publication date: Apr-2018
https://doi.org/10.1109/RADIOELEK.2018.8376406
Frishman GBen-Itzhak YMargalit O(2017)Cluster-Based Load Balancing for Better Network SecurityProceedings of the Workshop on Big Data Analytics and Machine Learning for Data Communication Networks10.1145/3098593.3098595(7-12)Online publication date: 7-Aug-2017
https://dl.acm.org/doi/10.1145/3098593.3098595
Show More Cited By

Index Terms

SPANIDS: a scalable network intrusion detection loadbalancer

Recommendations

Filtering False Positives Based on Server-Side Behaviors

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce the number of false positives, a network administrator must thoroughly investigate a ...
Intrusion detection system using honeypots and swarm intelligence
ACAI '11: Proceedings of the International Conference on Advances in Computing and Artificial Intelligence

As the number and size of the Network and Internet traffic increase and the need for the intrusion detection grows in step to reduce the overhead required for the intrusion detection and diagnosis, it has made public servers increasingly vulnerable to ...
McPAD: A multiple classifier system for accurate payload-based anomaly detection

Anomaly-based network intrusion detection systems (IDS) are valuable tools for the defense-in-depth of computer networks. Unsupervised or unlabeled learning approaches for network anomaly detection have been recently proposed. Such anomaly-based network ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

CF '05: Proceedings of the 2nd conference on Computing frontiers

May 2005

467 pages

ISBN:1595930191

DOI:10.1145/1062261

General Chair:
Nader Bagherzadeh,
Program Chairs:
Mateo Valero,
Alex Ramirez

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 May 2005

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CF05

Sponsor:

CF05: Computing Frontiers Conference

May 4 - 6, 2005

Ischia, Italy

Acceptance Rates

Overall Acceptance Rate 273 of 785 submissions, 35%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

27
Total Citations
View Citations
590
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)2

Reflects downloads up to 28 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Radivilova TKirichenko LAlghawli AAgeyev DMulesa OBaranovskyi OIlkov AKulbachnyi VBondarenko O(2022)Statistical and Signature Analysis Methods of Intrusion DetectionInformation Security Technologies in the Decentralized Distributed Networks10.1007/978-3-030-95161-0_5(115-131)Online publication date: 4-Apr-2022
https://doi.org/10.1007/978-3-030-95161-0_5
Ageyev DKirichenko LRadivilova TTawalbeh MBaranovskyi O(2018)Method of self-similar load balancing in network intrusion detection system2018 28th International Conference Radioelektronika (RADIOELEKTRONIKA)10.1109/RADIOELEK.2018.8376406(1-4)Online publication date: Apr-2018
https://doi.org/10.1109/RADIOELEK.2018.8376406
Frishman GBen-Itzhak YMargalit O(2017)Cluster-Based Load Balancing for Better Network SecurityProceedings of the Workshop on Big Data Analytics and Machine Learning for Data Communication Networks10.1145/3098593.3098595(7-12)Online publication date: 7-Aug-2017
https://dl.acm.org/doi/10.1145/3098593.3098595
Banaie FYaghmaee MHosseini S(2016)SDN-based scheduling strategy on load balancing of virtual sensor resources in sensor-cloud2016 8th International Symposium on Telecommunications (IST)10.1109/ISTEL.2016.7881905(666-671)Online publication date: Sep-2016
https://doi.org/10.1109/ISTEL.2016.7881905
Folino GSabatino P(2016)Ensemble based collaborative and distributed intrusion detection systemsJournal of Network and Computer Applications10.1016/j.jnca.2016.03.01166:C(1-16)Online publication date: 1-May-2016
https://dl.acm.org/doi/10.1016/j.jnca.2016.03.011
De Carli LSommer RJha SAhn GYung MLi N(2014)Beyond Pattern MatchingProceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security10.1145/2660267.2660361(1378-1390)Online publication date: 3-Nov-2014
https://dl.acm.org/doi/10.1145/2660267.2660361
Jadidi ZMuthukkumarasamy VSithirasenan EPathan A(2013)Artificial Intelligence-Based Intrusion Detection TechniquesThe State of the Art in Intrusion Prevention and Detection10.1201/b16390-16(285-310)Online publication date: 18-Dec-2013
https://doi.org/10.1201/b16390-16
Jamshed MLee JMoon SYun IKim DLee SYi YPark KYu TDanezis GGligor V(2012)KargusProceedings of the 2012 ACM conference on Computer and communications security10.1145/2382196.2382232(317-328)Online publication date: 16-Oct-2012
https://dl.acm.org/doi/10.1145/2382196.2382232
Wang Han Yin Jianping Cai Zhiping (2012)Real-time Processing Speed based traffic slicing algorithm for parallel intrusion detection2012 IEEE International Conference on Oxide Materials for Electronic Engineering (OMEE)10.1109/OMEE.2012.6343552(256-259)Online publication date: Sep-2012
https://doi.org/10.1109/OMEE.2012.6343552
Vogel MSchmerl SKönig H(2011)Efficient distributed signature analysisProceedings of the 5th international conference on Autonomous infrastructure, management, and security: managing the dynamics of networks and services10.5555/2022216.2022219(13-25)Online publication date: 13-Jun-2011
https://dl.acm.org/doi/10.5555/2022216.2022219
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Filtering False Positives Based on Server-Side Behaviors

Intrusion detection system using honeypots and swarm intelligence

McPAD: A multiple classifier system for accurate payload-based anomaly detection