4th International ICST Conference on Security and Privacy in Communication Networks

Research Article

Correlation-based load balancing for network intrusion detection and prevention systems

  • @INPROCEEDINGS{10.1145/1460877.1460880,
        author={Anh Le and Raouf Boutaba and Ehab Al-Shaer},
        title={Correlation-based load balancing for network intrusion detection and prevention systems},
        proceedings={4th International ICST Conference on Security and Privacy in Communication Networks},
        publisher={ACM},
        proceedings_a={SECURECOMM},
        year={2008},
        month={9},
        keywords={Intrusion detection; intrusion prevention; load balancing},
        doi={10.1145/1460877.1460880}
    }

  • Anh Le, Raouf Boutaba, Ehab Al-Shaer. Year: 2008. Correlation-based load balancing for network intrusion detection and prevention systems. SECURECOMM, ACM. DOI: 10.1145/1460877.1460880
Anh Le (1,*), Raouf Boutaba (2,*), Ehab Al-Shaer (3,*)
  • 1: David R. Cheriton School of Computer Science, University of Waterloo, Waterloo, ON, N2L 3G1, Canada
  • 2: David R. Cheriton School of Computer Science, University of Waterloo, Waterloo, ON, N2L 3G1, Canada
  • 3: School of Computer Science, Telecommunications and Information Systems, DePaul University, Chicago, IL 60604, USA
*Contact email: a4le@uwaterloo.ca, rboutaba@uwaterloo.ca, ehab@cs.depaul.edu

Abstract

In large-scale enterprise networks, multiple network intrusion detection and prevention systems are used to provide high-quality protection. In this context, keeping load evenly distributed among the systems is crucial, because an even load distribution both protects the networks and improves their quality of service.

A challenging problem, however, is to maintain load balance across the systems while minimizing the loss of correlation information caused by distributing traffic. Since anomaly-based detection and prevention of some intrusions, such as distributed denial of service (DDoS) attacks and port scans, require a single system to analyze the correlated flows of an attack, this loss of correlation information can severely reduce detection and prevention accuracy.

In this paper, we address this challenging problem by first formalizing the load balancing problem as an optimization problem, considering both the systems' load variance and the correlation information loss. We then present our Benefit-based Load Balancing (BLB) algorithm as a solution to the optimization problem.

We have implemented a prototype load balancer that uses the BLB algorithm and evaluated it against various port scans and DDoS attacks. The evaluation results show that our load balancer significantly improves the detection accuracy for these attacks while keeping the systems' load within a desired bound.