TY - GEN
T1 - Correlation-based load balancing for network intrusion detection and prevention systems
AU - Le, Anh
AU - Boutaba, Raouf
AU - Al-Shaer, Ehab
PY - 2008
Y1 - 2008
N2 - In large-scale enterprise networks, multiple network intrusion detection and prevention systems are used to provide high-quality protection. In this context, keeping load evenly distributed among the systems is crucial, because even load distribution protects the networks and improves their quality of service. A challenging problem, however, is to maintain the load balance of the systems while minimizing the loss of correlation information caused by distributing traffic. Since anomaly-based detection and prevention of some intrusions, such as distributed denial of service (DDoS) attacks and port scans, require a single system to analyze the correlated flows of an attack, this loss of correlation information can severely affect detection and prevention accuracy. In this paper, we address this problem by first formalizing load balancing as an optimization problem that considers both the systems' load variance and the correlation information loss. We then present our Benefit-based Load Balancing (BLB) algorithm as a solution to the optimization problem. We have implemented a prototype load balancer that uses the BLB algorithm and evaluated it against various port scans and DDoS attacks. The evaluation results show that our load balancer significantly improves the detection accuracy of these attacks while keeping the systems' load within a desired bound.
KW - Intrusion detection
KW - Intrusion prevention
KW - Load balancing
UR - http://www.scopus.com/inward/record.url?scp=70249096351&partnerID=8YFLogxK
U2 - 10.1145/1460877.1460880
DO - 10.1145/1460877.1460880
M3 - Conference contribution
AN - SCOPUS:70249096351
SN - 9781605582412
T3 - Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, SecureComm'08
BT - Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, SecureComm'08
T2 - 4th International Conference on Security and Privacy in Communication Networks, SecureComm'08
Y2 - 22 September 2008 through 25 September 2008
ER -