CMU-CS-10-124
Computer Science Department
School of Computer Science, Carnegie Mellon University




Network-Wide Deployment of Intrusion
Detection and Prevention Systems

Vyas Sekar, Ravishankar Krishnaswamy,
Anupam Gupta, Michael K. Reiter*

May 2010

CMU-CS-10-124.ps
CMU-CS-10-124.pdf


Keywords: Network monitoring, intrusion detection, intrusion prevention, algorithms

Traditional research efforts for scaling NIDS and NIPS using parallelization and hardware-assisted acceleration have largely focused on a single-vantage-point view. In this paper, we explore a different design alternative that exploits spatial, network-wide opportunities for distributing NIDS and NIPS functions throughout a network. We present systematic models that capture the operational constraints and requirements in deploying network-wide NIDS and NIPS capabilities. These formulations enable network administrators to optimally leverage their infrastructure toward their security objectives. For the NIDS case, we design a linear programming formulation for partitioning NIDS functions across a network so that no node is overloaded. We also describe and evaluate a prototype implementation using Bro. For NIPS, we show how to maximally reduce unwanted traffic using special hardware-assisted capabilities. In this case, the hardware constraints make the optimization problem NP-hard, and we design and implement practical approximation algorithms based on randomized rounding. These results have immediate practical implications as: (1) enterprise networks become larger and their traffic volumes increase; and (2) ISPs increasingly deploy NIDS/NIPS capabilities as in-network defenses. By leveraging network-wide opportunities for distributing NIDS/NIPS responsibilities, our work effectively complements efforts to scale single-vantage-point NIDS and NIPS.
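The following is an added illustration, not code from the report or its authors, of the kind of linear program the abstract describes for the NIDS case: each end-to-end path's inspection work is split among the routers it traverses, and the objective is to keep the worst-loaded router as far under its capacity as possible. The topology, traffic volumes, router capacities, the variable layout (d[p, r] fractions plus an auxiliary t), and the min-max objective are all assumptions made here for the example; the report's exact model may differ. It uses scipy.optimize.linprog with the HiGHS backend.

```python
from scipy.optimize import linprog

# Constructed topology (not from the report): each end-to-end path is an
# ordered list of the routers it traverses plus its traffic volume in Mbps.
PATHS = {
    "P1": (["r1", "r2", "r3"], 400.0),
    "P2": (["r1", "r2"], 300.0),
    "P3": (["r2", "r3", "r4"], 500.0),
    "P4": (["r3", "r4"], 200.0),
}
# Constructed per-router NIDS capacity: Mbps the box can fully analyse.
CAPACITY = {"r1": 500.0, "r2": 400.0, "r3": 600.0, "r4": 300.0}


def partition_nids(paths, capacity):
    """Split each path's inspection work among the routers on that path.

    Variables (assumed formulation for this example, not the report's exact one):
      d[p, r] in [0, 1]  fraction of path p's traffic inspected at router r,
                         defined only for routers r that lie on p
      t >= 0             worst-case load on any router, relative to capacity
    Minimise t subject to
      sum_{r on p} d[p, r] = 1                        every path fully inspected
      sum_{p through r} d[p, r] * T_p <= t * Cap_r    load on r stays within t
    t* <= 1 means the network can inspect everything without overloading any
    router; t* > 1 means inspection capacity is short by a factor of t*.
    Returns (t*, {path: {router: fraction}}).
    """
    var = [(p, r) for p, (route, _) in paths.items() for r in route]
    n = len(var)
    t_idx = n  # the last column is t
    c = [0.0] * n + [1.0]  # objective: minimise t

    # Coverage constraints: one equality row per path.
    a_eq, b_eq = [], []
    for p in paths:
        row = [1.0 if pp == p else 0.0 for (pp, _) in var] + [0.0]
        a_eq.append(row)
        b_eq.append(1.0)

    # Load constraints: sum_p d[p,r]*T_p - t*Cap_r <= 0, one row per router.
    a_ub, b_ub = [], []
    for r, cap in capacity.items():
        row = [paths[pp][1] if rr == r else 0.0 for (pp, rr) in var] + [-cap]
        a_ub.append(row)
        b_ub.append(0.0)

    bounds = [(0.0, 1.0)] * n + [(0.0, None)]
    res = linprog(c, A_ub=a_ub, b_ub=b_ub, A_eq=a_eq, b_eq=b_eq,
                  bounds=bounds, method="highs")
    if not res.success:
        raise RuntimeError(f"LP solve failed: {res.message}")

    assignment = {p: {} for p in paths}
    for i, (p, r) in enumerate(var):
        if res.x[i] > 1e-9:  # drop numerically-zero fractions
            assignment[p][r] = float(res.x[i])
    return float(res.x[t_idx]), assignment


def router_loads(paths, assignment):
    """Mbps of inspection work each router carries under an assignment."""
    loads = {}
    for p, fractions in assignment.items():
        traffic = paths[p][1]
        for r, f in fractions.items():
            loads[r] = loads.get(r, 0.0) + f * traffic
    return loads


if __name__ == "__main__":
    t, assignment = partition_nids(PATHS, CAPACITY)
    print(f"worst-case relative load t* = {t:.4f}"
          f" ({'fits' if t <= 1 else 'OVERLOADED'})")
    for r, load in sorted(router_loads(PATHS, assignment).items()):
        print(f"  {r}: {load:7.1f} / {CAPACITY[r]:.0f} Mbps")
```

For the constructed input the total traffic is 1400 Mbps against 1800 Mbps of capacity, so no assignment can do better than t* = 7/9, and the LP reaches that bound by pushing P2 entirely onto r1 and spreading P1, P3 and P4 over the remaining routers. The LP itself stays feasible when capacity is cut, because t is unbounded above; the operator's check is t* <= 1, and a value above 1 is the signal that full inspection is impossible with the current hardware. The NIPS variant the abstract mentions adds per-node hardware limits that turn the problem into an integer program, which this example does not cover.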

34 pages

*University of North Carolina, Chapel Hill

