Efficiency and Performance Issues in Distributed Intrusion Detection Systems

Distribution and hierarchy are the ideal means for providing load balancing and implementing systems with high scalability. In this paper, we discuss and identify performance bottlenecks and issues that reduce the efficiency of distributed Intrusion Detection Systems (IDSs) deployed within large enterprise networks. To minimize these problems, and based on our recent experience in implementing distributed IDSs, we propose a hierarchical architecture that aims to decrease management traffic, support high levels of scalability, and implement a distributed response capability spanning different domains. The architecture consists of dual-role entities (manager/agent) that operate in multiple abstraction and hierarchy layers. We describe a top-level "domain IDS entity" structured to provide advanced functionality within the IDS organization and efficient communication with other such nodes outside it. We discuss how the proposed architecture can offer management and performance advantages during an attack. Further, we present work in progress on a pilot implementation of the architecture that is based on the Java Management Extensions (JMX) API and on the work of various groups (e.g. the IDWG of the IETF [4]) on incident message exchange.