On the deployment strategy of distributed network security sensors

Current centralized network intrusion detection systems (NIDS) typically place their sensors at the network access aggregation points and have several limitations in performance and effectiveness. We propose deploying "distributed network security sensors (DNSS)" across the nodes of the internal network to monitor internal traffic. We study the tradeoff between deployment cost and monitoring coverage to determine the locations and processing rates of the security sensors. Because flow rates are uncertain, we build a fuzzy optimization model and develop a hybrid intelligent algorithm to solve it. Using an actual network topology, we examine the relationships among deployment cost, sensor deployment, and monitoring coverage. The results demonstrate that a small number of low-speed sensors is sufficient to maintain high monitoring coverage in a high-speed network.
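As an added illustration that is not part of the paper, the following computes the cost-versus-coverage tradeoff for sensor locations and processing rates on a constructed five-node topology. The flow paths and rates, the sensor catalogue, the smallest-first capacity packing heuristic and the exhaustive search are all assumptions made here; the paper's fuzzy model and hybrid intelligent algorithm are not reproduced.

```python
from itertools import combinations, product

# Constructed sample topology: each internal flow is (path of nodes it
# traverses, rate in Mb/s). The values are invented for illustration.
FLOWS = [
    (("A", "B", "C"), 40.0),
    (("A", "D"), 25.0),
    (("B", "C", "E"), 30.0),
    (("D", "E"), 15.0),
    (("C", "E"), 20.0),
]
# Assumed sensor catalogue: processing rate (Mb/s) -> unit deployment cost.
SENSOR_COST = {50.0: 1.0, 100.0: 1.6}

def monitored_volume(flows, placement):
    """Traffic volume fully inspected by `placement` (node -> processing rate).
    Each flow is assigned to at most one sensor on its path with capacity for
    the whole flow; smaller flows are packed first (a simple heuristic)."""
    spare = dict(placement)  # remaining processing capacity per sensor
    covered = 0.0
    for path, rate in sorted(flows, key=lambda f: f[1]):
        for node in path:
            if spare.get(node, 0.0) >= rate:
                spare[node] -= rate
                covered += rate
                break
    return covered

def coverage(flows, placement):
    """Monitoring coverage: inspected volume as a fraction of all internal traffic."""
    return monitored_volume(flows, placement) / sum(r for _, r in flows)

def deployment_cost(placement):
    return sum(SENSOR_COST[rate] for rate in placement.values())

def best_placement(flows, budget):
    """Exhaustive search over (location, rate) choices within `budget`.
    Fine for a handful of nodes; larger topologies need a heuristic search."""
    nodes = sorted({n for path, _ in flows for n in path})
    best = ({}, 0.0)
    for k in range(1, len(nodes) + 1):
        for subset in combinations(nodes, k):
            for rates in product(SENSOR_COST, repeat=k):
                placement = dict(zip(subset, rates))
                if deployment_cost(placement) > budget:
                    continue
                cov = coverage(flows, placement)
                if cov > best[1]:
                    best = (placement, cov)
    return best
```

Sweeping `best_placement` over increasing budgets traces the cost/coverage curve; on this sample, one 50 Mb/s sensor at the busiest node covers about 38% of the 130 Mb/s of internal traffic, and a budget of 2.6 units reaches full coverage with two sensors whose rates are well below the aggregate.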
