vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems
Hongda Li, Hongxin Hu, Guofei Gu, Gail-Joon Ahn, and Fuqiang Zhang
CCS 2018
Traditional NIDSes
- Address the scalability issue: multi-core/multi-thread processing, clustering, GPU acceleration
- Limited in flexibility: fixed location, constant capacity
Requirement 1: Virtualized Environments
- Blurred and fluid perimeters
- Virtualized network zones (Zone1, Zone2, Zone3) and service migration across datacenters (Datacenter1, Datacenter2, Datacenter3) on shared infrastructure
Requirement 2: Traffic Volume Variation
- Expensive option: provision capacity ≥ peak traffic load
- Figure: DDoS attack in Feb. 2016, attack traffic (Gbps, 0 to 400) over time (2/19 to 2/25), showing significant variation. Source: https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/
New Trends in Virtualization Platforms
- Network Function Virtualization (NFV): security functions run as software instances
- Software-Defined Networking (SDN): dynamic traffic steering through SDN switches
- SDN together with NFV enables elastic security
Elastic Security
- NIDS virtualization: flexible location and capacity
- Scalable and flexible network security functions
- Existing work: VFW Controller (NDSS'17), PSI (NDSS'17), Bohatei (USENIX Sec'15)
vNIDS enables safe and efficient NIDS virtualization
- Safe virtualization: does not miss attacks
- Efficient virtualization: provisioned optimally
Challenge 1: Effective Intrusion Detection
- Missing malicious activities: the SDN switch steers the flows of a scanner (SIP=10.1.1.1) across Instance1 and Instance2, so the scan detector on each instance sees only part of the scan
- Share multi-flow state between Instance1 and Instance2 through a shared data store; per-flow state stays on the instance that owns the flow
- Open question: how to distinguish per-flow and multi-flow states?
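The following is an added illustration of the problem on this slide; it is not code from the vNIDS paper or its implementation. A port-scan detector keeps one multi-flow state per source IP (the set of distinct destination ports it has contacted). When flows are steered across two instances, an instance-local copy of that state never reaches the alert threshold, while a shared store (a plain dict standing in for a key-value store such as RAMCloud) restores the detection. The flows, the threshold and the port-parity steering policy are constructed for the example.

```python
"""Added example: multi-flow detection state must be shared across
virtualized NIDS instances, otherwise a distributed scan is missed."""

SCAN_THRESHOLD = 5  # distinct destination ports per source IP (assumed value)

# Constructed traffic: (src_ip, dst_ip, dst_port).
# 10.1.1.1 probes 8 ports of 10.2.2.2; 10.1.1.9 is a benign client
# that repeatedly talks to a single port.
FLOWS = [("10.1.1.1", "10.2.2.2", p) for p in (21, 22, 23, 25, 80, 110, 143, 8080)]
FLOWS += [("10.1.1.9", "10.2.2.2", 443)] * 3


def steer(flow, n_instances):
    """Stand-in for SDN flow steering: deterministic split by destination port.

    A real switch would hash the 5-tuple; port parity is used here only so
    the split is reproducible in a test."""
    return flow[2] % n_instances


class ScanDetector:
    """One NIDS instance running a scan detector.

    per_flow  : per-flow state (packet counter per flow), always instance-local.
    ports_seen: multi-flow state (src_ip -> set of dst ports); either a private
                dict or a dict shared by all instances."""

    def __init__(self, instance_id, multi_flow_store):
        self.instance_id = instance_id
        self.per_flow = {}
        self.ports_seen = multi_flow_store
        self.alerts = []

    def process(self, flow):
        src, _dst, dport = flow
        # Per-flow state: only this flow ever touches it.
        self.per_flow[flow] = self.per_flow.get(flow, 0) + 1
        # Multi-flow state: updated by every flow from the same source.
        self.ports_seen.setdefault(src, set()).add(dport)
        if len(self.ports_seen[src]) >= SCAN_THRESHOLD and src not in self.alerts:
            self.alerts.append(src)


def run(n_instances, share_multi_flow_state):
    """Run the constructed traffic through n instances; return alerted sources."""
    shared = {}
    instances = [
        ScanDetector(i, shared if share_multi_flow_state else {})
        for i in range(n_instances)
    ]
    for flow in FLOWS:
        instances[steer(flow, n_instances)].process(flow)
    return sorted({src for inst in instances for src in inst.alerts})


if __name__ == "__main__":
    print("monolithic (1 instance):     ", run(1, False))
    print("2 instances, no sharing:     ", run(2, False))
    print("2 instances, shared store:   ", run(2, True))
```

With the constructed flows, the scanner's eight ports split four and four between the two instances, so the no-share configuration raises no alert; the single-instance and shared-store runs both alert on 10.1.1.1.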
Challenge 2: Non-monolithic NIDS Provisioning
- Inefficient resource allocation: a monolithic NIDS instance (Instance 3) can't fit into the remaining capacity of Cloud 2; virtualized NIDSes allocate and deallocate more frequently
- Inefficient scaling: a monolithic instance (NIDS engine with Detector1 and Detector2) scales slowly, leaving one detector over-provisioned while the other is overloaded; virtualized NIDSes scale more frequently
- Monolithic provisioning is general; non-monolithic provisioning is fine-grained
- Open questions: how to decompose? How to enforce detection logics?
vNIDS Architecture Overview
- Effective intrusion detection (vNIDS controller): 1. program analysis of detection logic programs for detection state classification and state management; 2. detection state sharing among vNIDS microservice instances through a shared data store
- Non-monolithic NIDS provisioning: 3. microservices: header-based detection instances, protocol parse instances, payload-based detection instances; 4. program slicing for detection logic program partitioning, with provision control in the vNIDS controller
Scope of Detection States
- Flow record: the essential data structure of NFs; its lifetime determines the scope of detection states
- Per-flow state: "always" freed before the flow record is freed; dedicated to a certain flow
- Multi-flow state: not "always" freed before the flow record is freed; must be freed by other flows
Inferring the Scope of Detection States
- Compute the CFG of the detector
- Locate statement T, where the flow record is freed
- Compute the dominators of T, starting from the entry point
- A detection state freed at a dominator of T is always freed before the flow record, so it is per-flow detection state; a state freed elsewhere is multi-flow detection state
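The procedure on these slides, as an added worked example that is not the paper's own Frama-C analysis: a tiny detector is represented as a hand-built CFG (statement labels S1..S7, entry, exit and T are constructed), the dominator sets are computed by the standard iterative dataflow equation, and each state is classified by whether the statement that frees it dominates T. The CFG is chosen so that one state is freed unconditionally before T and one only on a branch.

```python
"""Added example: classify detection state as per-flow or multi-flow from
the dominators of the statement T that frees the flow record."""

# Constructed CFG of a toy detector: node -> list of successor nodes.
#   S2: if packet is TCP, S3 records payload bytes into per_flow_bytes
#   S5: free(per_flow_bytes)            (reached on every path to T)
#   S6: if scan timer expired, S7 frees the scanner's port set
#   S7: free(scan_ports)                (reached only on one branch)
#   T : free(flow_record)
CFG = {
    "entry": ["S1"],
    "S1": ["S2"],
    "S2": ["S3", "S4"],
    "S3": ["S5"],
    "S4": ["S5"],
    "S5": ["S6"],
    "S6": ["S7", "T"],
    "S7": ["T"],
    "T": ["exit"],
    "exit": [],
}

# Constructed map: statement -> detection state it frees.
FREES = {
    "S5": "per_flow_bytes",
    "S7": "scan_ports",
    "T": "flow_record",
}


def dominators(cfg, entry):
    """Return {node: set of nodes that dominate it} by fixed-point iteration.

    Dom(entry) = {entry}; for every other node n,
    Dom(n) = {n} | intersection of Dom(p) over all predecessors p."""
    nodes = set(cfg) | {s for succs in cfg.values() for s in succs}
    preds = {n: set() for n in nodes}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].add(n)

    dom = {n: set(nodes) for n in nodes}  # start from the top element
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes - {entry}:
            if preds[n]:
                new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            else:
                new = {n}  # unreachable node: dominated only by itself
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def classify_states(cfg, entry, frees, t="T"):
    """Per-flow if the freeing statement dominates T, else multi-flow."""
    dom_t = dominators(cfg, entry)[t]
    scope = {}
    for stmt, state in frees.items():
        if stmt == t:
            continue  # the flow record itself defines the boundary
        scope[state] = "per-flow" if stmt in dom_t else "multi-flow"
    return scope


if __name__ == "__main__":
    print("Dom(T) =", sorted(dominators(CFG, "entry")["T"]))
    for state, scope in classify_states(CFG, "entry", FREES).items():
        print(f"{state}: {scope}")
```

Here S5 lies on every path from the entry to T, so per_flow_bytes is per-flow state and can stay local to an instance; S7 is bypassed when the timer has not expired, so scan_ports is multi-flow state and must live in the shared store.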
Logic Structure of NIDSes (monolithic NIDS, bottom to top)
- Network protocol stack: network-layer processing of network traffic
- Application protocol parsers (APPs): payload parsing
- Detection logics: various detection tasks

Types of Detection Logics
- Type-I: inspects only headers; does not rely on APPs
- Type-II: inspects headers and payload; needs APPs
NIDS Decomposed as Microservices
- Header-based detection microservice: network protocol stack + Type-I detection logics
- Protocol parse microservice: network protocol stack + application protocol parsers
- Payload-based detection microservice: network protocol stack + Type-II detection logics

Detection Logic Program Partitioning
- One detection logic program is partitioned into several partitioned DLPs (numbered 1 to 4 in the figure)
Implementation & Evaluation
- Implementation: Xen hypervisor; Frama-C framework for program analysis; Click for microservices and DLPs; RAMCloud for detection state sharing
- Evaluation: CloudLab; real-world datasets plus generated attack traffic
Effectiveness of vNIDS
- Figure: malicious activity detection rate (%) on CAIDA+Attack.trace, LBNL+Attack.trace and Campus+Attack.trace
- Bro, Share All and vNIDS detect all malicious activities; No Share misses malicious activities

Performance Improvements by Detection State Classification
- Figure: packet processing time (microseconds) and processing time reduced (%) for six detection logics
- Processing time reduced for all six detection logics; reduction rate more than 50%

Efficiency of Microservices
- Figure: launch time (milliseconds)
- Monolithic NIDS launches slower; microservices scale faster
Flexibility of vNIDS
- Setup: Site-1 (Clemson) and Site-2 (Wisconsin) connected over the Internet; endpoints A and B
- Traditional NIDS instances: traffic between A and B is rerouted across the Internet to the fixed instance locations
- Virtualized NIDS instances: Instance-A at Site-1 and Instance-B at Site-2; only communication traffic between the two instances crosses the Internet
- Rerouted traffic reduced by 99.9% in the best case and by 58.3% in the worst case
- Adjustable capacity: figure of runtime throughput of vNIDS and Bro Cluster
- Adjustable resource consumption: figure of number of instances of vNIDS and Bro Cluster
Conclusion and Future Work
- A further step towards elastic security: safe and efficient NIDS virtualization through effective intrusion detection and non-monolithic NIDS provisioning
- Implementation and evaluation: 3 microservices and 6 detection logic programs; extensive evaluation of vNIDS
- Future work: more fine-grained microservices; generalize the approach to other security and non-security NFs

Q & A
hongdal@clemson.edu, Clemson University