CMU-CS-10-124 Computer Science Department School of Computer Science, Carnegie Mellon University
Network-Wide Deployment of Intrusion
Vyas Sekar, Ravishankar Krishnaswamy, May 2010
CMU-CS-10-124.ps
Traditional research efforts for scaling NIDS and NIPS systems using parallelization and hardware-assisted acceleration have largely focused on a single-vantage-point view. In this paper, we explore a different design alternative that exploits spatial, network-wide opportunities for distributing NIDS and NIPS functions throughout a network. We present systematic models that capture the operational constraints and requirements in deploying network-wide NIDS and NIPS capabilities. These formulations enable network administrators to optimally leverage their infrastructure toward their security objectives. For the NIDS case, we design a linear programming formulation for partitioning NIDS functions across a network to ensure that no node is overloaded. We also describe and evaluate a prototype implementation using Bro. For NIPS, we show how to maximally reduce unwanted traffic using special hardware-assisted capabilities. In this case, the hardware constraints make the optimization problem NP-hard, and we design and implement practical approximation algorithms based on randomized rounding. These results have immediate practical implications as: (1) enterprise networks become larger and their traffic volumes increase; and (2) ISPs increasingly deploy NIDS/NIPS capabilities as in-network defenses. By leveraging network-wide opportunities for distributing NIDS/NIPS responsibilities, our work effectively complements efforts to scale single-vantage-point NIDS and NIPS.

34 pages

*University of North Carolina, Chapel Hill
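The abstract describes two ingredients: a fractional partitioning of monitoring responsibility across the nodes on each traffic path so that no node exceeds its inspection capacity, and randomized rounding to turn a fractional solution into an integral one. The example below is added here for illustration and is not code from the report or its authors; it does not reproduce the report's formulations. The topology, per-path volumes, capacities and the fractional split (a hand-constructed stand-in for what an LP solver would return) are all constructed for the example, and the rounding step is applied to this same partitioning model rather than to the report's NIPS problem.

```python
"""
Network-wide NIDS partitioning, illustrated: each traffic path is inspected
at one or more NIDS-capable nodes it traverses.  A fractional split keeps
every node under capacity; randomized rounding picks exactly one node per
path, and we keep the best of several draws.  All inputs are constructed.
"""
import random
from collections import defaultdict

# Constructed topology: path -> (ordered NIDS-capable nodes on the path, Mbps).
PATHS = {
    "A->D": (["r1", "r2", "r4"], 400),
    "B->D": (["r3", "r2", "r4"], 300),
    "A->C": (["r1", "r3"], 200),
    "C->D": (["r3", "r4"], 100),
}
# Constructed per-node inspection capacity in Mbps.
CAPACITY = {"r1": 400, "r2": 400, "r3": 400, "r4": 400}

# Constructed fractional split standing in for an LP solution: for each path,
# the share of its traffic inspected at each node (shares sum to 1).
SPLIT = {
    "A->D": {"r1": 0.5, "r2": 0.5},
    "B->D": {"r2": 0.5, "r4": 0.5},
    "A->C": {"r1": 0.5, "r3": 0.5},
    "C->D": {"r3": 1.0},
}


def check_split(paths, split):
    """A valid split uses only nodes on the path, is nonnegative, sums to 1."""
    for p, (nodes, _) in paths.items():
        shares = split[p]
        if any(n not in nodes for n in shares):
            return False
        if any(s < 0 for s in shares.values()):
            return False
        if abs(sum(shares.values()) - 1.0) > 1e-9:
            return False
    return True


def node_loads(paths, assignment):
    """Mbps inspected per node; assignment maps path -> {node: fraction}."""
    load = defaultdict(float)
    for p, (_, vol) in paths.items():
        for n, frac in assignment[p].items():
            load[n] += frac * vol
    return dict(load)


def max_utilization(loads, capacity):
    """Largest load/capacity ratio over all nodes (>1 means overloaded)."""
    return max(loads.get(n, 0.0) / capacity[n] for n in capacity)


def overloaded_nodes(loads, capacity):
    return sorted(n for n in capacity if loads.get(n, 0.0) > capacity[n])


def ingress_assignment(paths):
    """Baseline: inspect every path entirely at its first node."""
    return {p: {nodes[0]: 1.0} for p, (nodes, _) in paths.items()}


def randomized_round(paths, split, rng):
    """Pick one node per path with probability equal to its fractional share.
    The expected load on each node then equals its fractional load."""
    out = {}
    for p in paths:
        nodes = list(split[p])
        weights = [split[p][n] for n in nodes]
        chosen = rng.choices(nodes, weights=weights, k=1)[0]
        out[p] = {chosen: 1.0}
    return out


def round_best_of(paths, split, capacity, trials=200, seed=0):
    """Repeat the rounding and keep the draw with the lowest max utilization."""
    rng = random.Random(seed)
    best, best_util = None, float("inf")
    for _ in range(trials):
        cand = randomized_round(paths, split, rng)
        util = max_utilization(node_loads(paths, cand), capacity)
        if util < best_util:
            best, best_util = cand, util
    return best, best_util


if __name__ == "__main__":
    ing = node_loads(PATHS, ingress_assignment(PATHS))
    print("ingress-only max utilization:", max_utilization(ing, CAPACITY),
          "overloaded:", overloaded_nodes(ing, CAPACITY))
    frac = node_loads(PATHS, SPLIT)
    print("fractional max utilization:", max_utilization(frac, CAPACITY))
    best, util = round_best_of(PATHS, SPLIT, CAPACITY)
    print("rounded assignment:", {p: next(iter(a)) for p, a in best.items()},
          "max utilization:", util)
```

In this instance inspecting every path at its ingress node overloads r1 (600 Mbps against a 400 Mbps capacity), the fractional split keeps every node at or below 87.5% utilization, and because the 400 Mbps path must land on a single node, no integral assignment can do better than 100%; best-of-200 rounding finds such an assignment. The gap between the fractional optimum and the best integral solution is exactly what makes the hardware-constrained case harder than the fractional one.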