Article

The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware

Authors:

Matthias Vallentin,

Brian TierneyAuthors Info & Claims

RAID'07: Proceedings of the 10th international conference on Recent advances in intrusion detection

Pages 107 - 126

Published: 05 September 2007 Publication History

Abstract

In this work we present a NIDS cluster as a scalable solution for realizing high-performance, stateful network intrusion detection on commodity hardware. The design addresses three challenges: (i) distributing traffic evenly across an extensible set of analysis nodes in a fashion that minimizes the communication required for coordination, (ii) adapting the NIDS's operation to support coordinating its low-level analysis rather than just aggregating alerts; and (iii) validating that the cluster produces sound results. Prototypes of our NIDS cluster now operate at the Lawrence Berkeley National Laboratory and the University of California at Berkeley. In both environments the clusters greatly enhance the power of the network security monitoring.

References

[1]

Blanc, M., Oudot, L., Glaume, V.: Global Intrusion Detection: Prelude Hybrid IDS. Technical report (2003).

[2]

Dreger, H.: Operational Network Intrusion Detection: Resource-Analysis Tradeoffs. PhD thesis, TU Müunchen (2007).

[3]

Dreger, H., Feldmann, A., Mai, M., Paxson, V., Sommer, R.: Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection. In: Proc. USENIX Security Symposium (2006).

Digital Library

[4]

Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Operational Experiences with High-Volume Network Intrusion Detection. In: Proc. ACM Conference on Computer and Communications Security, ACM Press, New York (2004).

Digital Library

[5]

Fox, A., Gribble, S.D., Chawathe, Y., Brewer, E.A., Gauthier, P.: Cluster-Based Scalable Network Services. In: Proc. Symposium on Operating Systems Principles (1997).

Digital Library

[6]

Intrusion Detection Message Exchange Format, http://www.ietf.org/html.charters/idwg-charter.html

[7]

Kohler, E., Morris, R., Chen, B., Jannotti, J., Kaashoek, F.: The Click Modular Router. ACM Transactions on Computer Systems 18(3) (August 2000).

Digital Library

[8]

Kruegel, C., Valeur, F., Vigna, G., Kemmerer, R.A.: Stateful Intrusion Detection for High-Speed Networks. In: Proc. IEEE Symposium on Research on Security and Privacy, IEEE Computer Society Press, Los Alamitos (2002).

Digital Library

[9]

Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23-24), 2435-2463 (1999).

Digital Library

[10]

Paxson, V., Asanovic, K., Dharmapurikar, S., Lockwood, J., Pang, R., Sommer, R., Weaver, N.: Rethinking Hardware Support for Network Analysis and Intrusion Prevention. In: Proc. USENIX Hot Security (2006).

Digital Library

[11]

Porras, P.A., Neumann, P.G.: EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In: Proc. National Information Systems Security Conference (1997).

[12]

Puketza, N.J., Zhang, K., Chung, M., Mukherjee, B., Olsson, R.A.: A Methodology for Testing Intrusion Detection Systems. IEEE Transactions on Software Engineering 22(10), 719-729 (1996).

Digital Library

[13]

Roesch, M.: Snort: Lightweight Intrusion Detection for Networks. In: Proc. Systems Administration Conference (1999).

Digital Library

[14]

Schaelicke, L., Freeland, C.: Characterizing Sources and Remedies for Packet Loss in Network Intrusion Detection. In: Proc. IEEE Symposium on Workload Characterization, IEEE Computer Society Press, Los Alamitos (2005).

[15]

Schaelicke, L., Slabach, T., Moore, B., Freeland, C.: Characterizing the Performance of Network Intrusion Detection Sensors. In: Proc. Symposium on Recent Advances in Intrusion Detection (2003).

[16]

Schaelicke, L., Wheeler, K., Freeland, C.: SPANIDS: A Scalable Network Intrusion Detection Loadbalancer. In: Proc. Computing Frontiers Conference (2005).

Digital Library

[17]

Sommer, R., Paxson, V.: Exploiting Independent State For Network Intrusion Detection. In: Proc. Computer Security Applications Conference (2005).

Digital Library

[18]

Vallentin, M.: Transparent Load-Balancing for Network Intrusion Detection Systems. Bachelor's Thesis, TU München (2006).

[19]

Vigna, G., Eckmann, S.T., Kemmerer, R.A.: The STAT Tool Suite. In: Proc. DARPA Information Survivability Conference and Exposition (2000).

[20]

Vigna, G., Kemmerer, R.A.: NetSTAT: A Network-based Intrusion Detection System. Journal of Computer Security 7(1), 37-71 (1999).

Digital Library

[21]

Vigna, G., Kemmerer, R.A., Blix, P.: Designing a Web of Highly-Configurable Intrusion Detection Sensors. In: Proc. Symposium on Recent Advances in Intrusion Detection (2001).

Digital Library

[22]

Weaver, N., Paxson, V., Gonzalez, J.M.: The Shunt: An FPGA-Based Accelerator for Network Intrusion Prevention. In: Proc. ACM Symposium on Field Programmable Gate Arrays, February 2007, ACM Press, New York (2007).

Digital Library

[23]

Zhang, Y., Paxson, V.: Detecting Stepping Stones. In: Proc. USENIX Security Symposium (2000).

Digital Library

Cited By

Letavay VPluskal JRyšavý O(2019)Network Forensic Analysis for Lawful Enforcement on Steroids, Distributed and ScalableProceedings of the 6th Conference on the Engineering of Computer Based Systems10.1145/3352700.3352720(1-9)Online publication date: 2-Sep-2019
https://dl.acm.org/doi/10.1145/3352700.3352720
Sadok HCampista MCosta L(2018)A Case for Spraying Packets in Software MiddleboxesProceedings of the 17th ACM Workshop on Hot Topics in Networks10.1145/3286062.3286081(127-133)Online publication date: 15-Nov-2018
https://dl.acm.org/doi/10.1145/3286062.3286081
Li HHu HGu GAhn GZhang FLie DMannan MBackes MWang X(2018)vNIDSProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243862(17-34)Online publication date: 15-Oct-2018
https://dl.acm.org/doi/10.1145/3243734.3243862
Show More Cited By

Index Terms

The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware
1. Networks
  1. Network services
    1. Network monitoring

Index terms have been assigned to the content through auto-classification.

Recommendations

NIDS: A Network Based Approach to Intrusion Detection and Prevention
IACSIT-SC '09: Proceedings of the 2009 International Association of Computer Science and Information Technology - Spring Conference

Computer networks have added new dimensions to the global communication. But intrusions and misuses have always threatened the secured data communication over networks. Consequently, network security has come into issue. Now-a-days intrusion detection ...
Backtracking Algorithmic Complexity Attacks against a NIDS
ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications Conference

Network Intrusion Detection Systems (NIDS) have become crucial to securing modern networks. To be effective, a NIDS must be able to counter evasion attempts and operate at or near wire-speed. Failure to do so allows malicious packets to slip through a ...
Stream clustering guided supervised learning for classifying NIDS alerts
Abstract
A Network Intrusion Detection System (NIDS) is a network monitoring technology for identifying cyber attacks, botnet command and control traffic, and other unwanted network activity. Unfortunately, organizational NIDS solutions can often generate ...
Highlights
- Novel NIDS alert processing framework.
- The pipeline of low-cost unsupervised stream clustering and supervised machine learning.
- Method for the creation of labeled NIDS alert training data sets.
- Large publicly available NIDS ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

RAID'07: Proceedings of the 10th international conference on Recent advances in intrusion detection

September 2007

337 pages

ISBN:3540743197

Editors:
Christopher Kruegel
Secure Systems Lab, Technical University of Vienna, Vienna, Austria
,
Richard Lippmann
Lincoln Laboratory, Massachusetts Institute of Technology, Lexington, MA
,
Andrew Clark
Information Security Institute, Queensland University of Technology, Brisbane, QLD, Australia

Sponsors

CERT: Computer Emergency Response Team
Northwest Security Institute
SAP

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 05 September 2007

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

35
Total Citations
View Citations
5
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 04 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Letavay VPluskal JRyšavý O(2019)Network Forensic Analysis for Lawful Enforcement on Steroids, Distributed and ScalableProceedings of the 6th Conference on the Engineering of Computer Based Systems10.1145/3352700.3352720(1-9)Online publication date: 2-Sep-2019
https://dl.acm.org/doi/10.1145/3352700.3352720
Sadok HCampista MCosta L(2018)A Case for Spraying Packets in Software MiddleboxesProceedings of the 17th ACM Workshop on Hot Topics in Networks10.1145/3286062.3286081(127-133)Online publication date: 15-Nov-2018
https://dl.acm.org/doi/10.1145/3286062.3286081
Li HHu HGu GAhn GZhang FLie DMannan MBackes MWang X(2018)vNIDSProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243862(17-34)Online publication date: 15-Oct-2018
https://dl.acm.org/doi/10.1145/3243734.3243862
Miura RTakano YMiwa SInoue TThang HHu ZBui MSikdar BIDE IBinh HEngchuan WSang DOanh N(2017)GINTATEProceedings of the 8th International Symposium on Information and Communication Technology10.1145/3155133.3155152(234-241)Online publication date: 7-Dec-2017
https://dl.acm.org/doi/10.1145/3155133.3155152
Frishman GBen-Itzhak YMargalit O(2017)Cluster-Based Load Balancing for Better Network SecurityProceedings of the Workshop on Big Data Analytics and Machine Learning for Data Communication Networks10.1145/3098593.3098595(7-12)Online publication date: 7-Aug-2017
https://dl.acm.org/doi/10.1145/3098593.3098595
Zhang NLi HHu HPark YAhn GGu GHu HShin S(2017)Towards Effective Virtualization of Intrusion Detection SystemsProceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization10.1145/3040992.3041004(47-50)Online publication date: 24-Mar-2017
https://dl.acm.org/doi/10.1145/3040992.3041004
Amann JSommer RAhn GGu GHu HShin S(2017)Viable Protection of High-Performance Networks through Hardware/Software Co-DesignProceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization10.1145/3040992.3041003(19-24)Online publication date: 24-Mar-2017
https://dl.acm.org/doi/10.1145/3040992.3041003
Lin YLee CChen Y(2016)Length-bounded Hybrid CPU/GPU Pattern Matching Algorithm for Deep Packet InspectionProceedings of the Fifth International Conference on Network, Communication and Computing10.1145/3033288.3033346(63-67)Online publication date: 17-Dec-2016
https://dl.acm.org/doi/10.1145/3033288.3033346
Dyer KCoull SShrimpton T(2015)MarionetteProceedings of the 24th USENIX Conference on Security Symposium10.5555/2831143.2831167(367-382)Online publication date: 12-Aug-2015
https://dl.acm.org/doi/10.5555/2831143.2831167
Kablan MCaldwell BHan RJamjoom HKeller EBenson TRaiciu C(2015)Stateless Network FunctionsProceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization10.1145/2785989.2785993(49-54)Online publication date: 21-Aug-2015
https://dl.acm.org/doi/10.1145/2785989.2785993
Show More Cited By

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents