Visible to the public Redundancy for Network Intrusion Prevention Systems (NIPS) - April 2015Conflict Detection Enabled

Submitted by drwright on Sun, 03/22/2015 - 1:08pm

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Mike Reiter

Researchers: Victor Heorhiadi

HARD PROBLEM(S) ADDRESSED

Primary:  Resilient Architectures

This work is developing an architecture for the scalable enforcement of network security policies that is resilient to traffic changes and traffic rerouting in response to failures.

PUBLICATIONS
Report papers written as a results of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

 

ACCOMPLISHMENT HIGHLIGHTS

Growing traffic volumes and the increasing complexity of attacks pose a constant scaling challenge for network intrusion prevention systems (NIPS).  In this respect, offloading NIPS processing to compute clusters offers an immediately deployable alternative to expensive hardware upgrades. In practice, however, NIPS offloading is challenging on three fronts in contrast to passive network security functions: (1) NIPS offloading can impact other traffic engineering objectives; (2) NIPS offloading impacts user perceived latency; and (3) NIPS actively change traffic volumes by dropping unwanted traffic. To address these challenges, we present the SNIPS system. We designed a formal optimization framework that captures tradeoffs across scalability, network load, and latency.  We developed a practical implementation using recent advances in software-defined networking without requiring modifications to NIPS hardware. Our evaluations on realistic topologies show that SNIPS can reduce the maximum load by up to 10x while only increasing the latency by 2%.

Our work contributes to the science of security by developing a principled approach for adapting policy enforcement in networks to be responsive to changes in traffic demands and required policies, while making the best use of available hardware resources to do so.

Groups: