Design and analysis of heartbeat protocol in NIDS cluster

The heartbeat mechanism is widely used in designing high-availability distributed systems, while the publish-subscribe architectural style has recently emerged as a promising approach to building a NIDS cluster with high dynamism and plentiful computational resources. Compared with the requirements of general distributed computing, the frontend in a NIDS cluster cannot redistribute tasks on node failure, and parallel stateful intrusion detection additionally requires the integrity of received session packets on analyzers. Therefore, the contradictory requirements of immediate node failure notification and infrequent analyzer status variation should both be considered. In this contribution, we designed one heartbeat protocol with four variations in a publish-subscribe framework. By applying probabilistic model checking to the proposed heartbeat protocol, the uptime ratio of one node in the different variations is computed and compared under different setups. Suggestions on how to choose a suitable heartbeat for a NIDS cluster are described as well.
