A novel workload scheduling framework for intrusion detection system in NFV scenario

Abstract

Compared with traditional Intrusion Detection System (IDS) solutions, deploying an IDS in a Network Function Virtualization (NFV) environment offers better scalability and flexibility. Existing research in this area does not take many IDS-specific features into account when designing workload scheduling approaches, so there is still room to improve the performance of IDS deployments in the NFV scenario. In this paper, we identify several critical IDS features by analyzing the packet processing procedures, software implementation, and rulesets of typical IDSs. Combining these features with the flexibility of NFV, we propose a novel workload scheduling framework for IDS deployment in the NFV scenario. Our framework has two parts: 1) a novel protocol and destination port based traffic migration strategy, which improves detection performance and reduces memory usage compared with the traditional 5-tuple hash based strategy; 2) an auto-configuration algorithm that finds a better-than-default configuration for each Virtual Network Function (VNF) instance. We evaluate our framework with real network traffic and with benchmark traffic datasets for IDS. Experimental results show that our framework always achieves better detection performance and lower memory usage than the 5-tuple hash based migration strategy and the default configuration.
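To make the contrast between the two migration strategies concrete, here is an added example (not the paper's code). It assumes Snort-style rules keyed by protocol and destination port, with constructed rule counts and flows, and it assigns (protocol, port) groups to instances with a simple greedy least-loaded heuristic; that heuristic is an assumption, since the paper's own strategy is not detailed here. The point it shows is that grouping by protocol and port lets each VNF instance load only the rules for the groups it owns, whereas 5-tuple hashing scatters every group across instances, so every instance tends to need (almost) the whole ruleset.

```python
import zlib
from collections import Counter

# Constructed ruleset summary: (protocol, destination port) -> number of rules.
RULE_GROUPS = {("tcp", 80): 40, ("tcp", 443): 25, ("tcp", 22): 8,
               ("tcp", 25): 12, ("udp", 53): 10, ("udp", 123): 3}
# Rules with "any" destination port must be loaded wherever that protocol is seen.
ANY_PORT_RULES = {"tcp": 5, "udp": 2}

# Constructed flows: (src_ip, dst_ip, proto, sport, dport).
FLOWS = [
    ("10.0.0.1", "10.0.1.1", "tcp", 51000, 80),
    ("10.0.0.2", "10.0.1.1", "tcp", 51001, 80),
    ("10.0.0.3", "10.0.1.1", "tcp", 51002, 80),
    ("10.0.0.4", "10.0.1.2", "tcp", 51003, 443),
    ("10.0.0.5", "10.0.1.2", "tcp", 51004, 443),
    ("10.0.0.6", "10.0.1.3", "tcp", 51005, 22),
    ("10.0.0.7", "10.0.1.4", "tcp", 51006, 25),
    ("10.0.0.8", "10.0.1.5", "udp", 51007, 53),
    ("10.0.0.9", "10.0.1.5", "udp", 51008, 53),
    ("10.0.0.10", "10.0.1.6", "udp", 51009, 123),
]

def five_tuple_plan(flows, n):
    """Baseline: hash the full 5-tuple; record which (proto, dport) groups each instance sees."""
    plan = {i: set() for i in range(n)}
    for f in flows:
        key = "|".join(map(str, f)).encode()      # crc32 is deterministic, unlike hash()
        plan[zlib.crc32(key) % n].add((f[2], f[4]))
    return plan

def proto_port_plan(flows, n):
    """Assumed strategy: give each (proto, dport) group to one instance, heaviest groups first,
    always choosing the currently least-loaded instance (load = number of flows)."""
    volume = Counter((f[2], f[4]) for f in flows)
    loads, plan = [0] * n, {i: set() for i in range(n)}
    for group, count in sorted(volume.items(), key=lambda kv: (-kv[1], kv[0])):
        i = loads.index(min(loads))
        plan[i].add(group)
        loads[i] += count
    return plan

def rules_loaded(plan):
    """Rules each instance must load: its groups' rules plus any-port rules for its protocols."""
    out = {}
    for i, groups in plan.items():
        protos = {p for p, _ in groups}
        out[i] = (sum(RULE_GROUPS.get(g, 0) for g in groups)
                  + sum(ANY_PORT_RULES.get(p, 0) for p in protos))
    return out

if __name__ == "__main__":
    print("5-tuple hash :", rules_loaded(five_tuple_plan(FLOWS, 2)))
    print("proto & port :", rules_loaded(proto_port_plan(FLOWS, 2)))
```

With two instances the proto/port plan loads 65 and 45 rules respectively (98 port-specific rule copies in total, each group once), while the 5-tuple plan duplicates every group that lands on both instances.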
