Scalable Programmable Appliance-based Network Intrusion Detection Architecture

基于可扩展可编程设备的网络入侵检测架构

• 批准号: 0231535
• 负责人: Aaron Striegel
• 金额: $ 40万
• 依托单位: University of Notre Dame
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2003
• 资助国家: 美国
• 起止时间: 2003-01-01 至 2006-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0231535&HistoricalAwards=false
• 关键词: Scalable; Programmable; Appliance; based; Network

Network Intrusion Detection Systems (IDS) are one of several tools used by security professionals to detect and respond to security breaches. Typically an IDS is implemented by tapping a network and diverting a copy of every network message to a sensor. Usually, the sensor is a general-purpose computer running software that examines every packet that it receives. This approach to IDS is easy to implement as it relies on off-the-shelf hardware and software. However, the overhead incurred by the general-purpose operating system and the limited I/O throughput of most PC and workstation architectures restrict such IDS to low and medium bandwidth networks. Special-purpose IDS platforms, on the other hand, can be optimized to handle high-bandwidth traffic, but the lack of flexibility and the high cost of custom hardware and software make this approach not viable in practice.Recently, parallel and distributed IDS architectures exist that operate on high bandwidth traffic by distributing network packets over a number of general-purpose machines. This approach combines the flexibility of off-the-shelf hardware and software with the high performance of parallel processing. A systematic study of the scalability of this approach as well as an analysis of suitable packet distribution strategies has not been done. Because such clustered architectures pay a potential penalty in terms of space and power required as they are essentially a set of complete computer systems that occupy shelf or rack space, consume power, and require time consuming management and configuration they have space and power costs that are high.The goal of this project is to develop a scalable parallel appliance-based architecture for network intrusion detection systems that is able to reliably monitor high-bandwidth network segments, yet is cost-efficient and retains the flexibility of general-purpose based IDS. High performance is achieved by distributing network traffic among an array of low-cost sensors in a way that does not impact the quality of intrusion detection, while maximizing the available concurrency and minimizing required communication among sensors. Utilizing off-the-shelf single-board computers leads to an inexpensive and compact design that requires less power than a comparable number of complete workstations or PCs.The key component of a parallel intrusion detection platform architecture is the approach by which network packets are distributed across the sensors. As a result, the system design will by guided by a systematic analysis of network traffic characteristics which will provide input into high-level models and simulations. To verify and evaluate the performance and scalability of the resulting architecture, a prototype system will be implemented based primarily on low-cost off-the-shelf hardware and software. By addressing IDS issues using off the shelf components, a product to assist in security breaches may be quickly developed. This could have large, immediate impact on an important network topic.

网络入侵检测系统 (IDS) 是安全专业人员用来检测和响应安全漏洞的多种工具之一。 通常，IDS 是通过窃听网络并将每条网络消息的副本转移到传感器来实现的。通常，传感器是运行软件的通用计算机，用于检查它收到的每个数据包。这种 IDS 方法很容易实现，因为它依赖于现成的硬件和软件。然而，通用操作系统产生的开销以及大多数 PC 和工作站架构的有限 I/O 吞吐量将此类 IDS 限制在中低带宽网络中。另一方面，专用 IDS 平台可以进行优化以处理高带宽流量，但缺乏灵活性以及定制硬件和软件的高成本使得这种方法在实践中不可行。最近，存在并行和分布式 IDS 架构，它们通过将网络数据包分布在许多通用机器上来操作高带宽流量。这种方法将现成硬件和软件的灵活性与并行处理的高性能结合起来。尚未对这种方法的可扩展性进行系统研究，也没有对合适的数据包分发策略进行分析。由于这种集群架构本质上是一组完整的计算机系统，占用货架或机架空间、消耗电力，并且需要耗时的管理和配置，因此在空间和电力方面存在潜在的损失，因此它们的空间和电力成本很高。该项目的目标是为网络入侵检测系统开发一种可扩展的基于并行设备的架构，能够可靠地监控高带宽网段，同时具有成本效益并保留 基于通用目的的 IDS 的灵活性。通过以不影响入侵检测质量的方式在一系列低成本传感器之间分配网络流量，同时最大化可用并发性并最小化传感器之间所需的通信来实现高性能。利用现成的单板计算机可以实现廉价且紧凑的设计，与相当数量的完整工作站或 PC 相比，其所需的功耗更少。并行入侵检测平台架构的关键组成部分是跨传感器分发网络数据包的方法。因此，系统设计将以网络流量特征的系统分析为指导，这将为高级模型和模拟提供输入。为了验证和评估最终架构的性能和可扩展性，将主要基于低成本现成硬件和软件来实现原型系统。通过使用现成的组件解决 IDS 问题，可以快速开发出有助于解决安全漏洞的产品。 这可能会对重要的网络主题产生巨大且直接的影响。