Work Balancing vs. Load Balancing in Network IDS Parallelization
9 Pages Posted: 30 Mar 2022
Abstract
Signature-based Network Intrusion Detection Systems (NIDS) are considered the state of the art for precise attack detection. However, available systems are very resource demanding and often unable to cope with the increasing data rates of modern communication networks. Parallelization, i.e. running multiple NIDS instances in parallel, is considered the most promising solution. It can be realized by (1) distributing the network traffic between multiple NIDS instances to reduce the network load per system, or (2) distributing the signatures (rules) between multiple NIDS instances to reduce the work load per packet. Conceptually, rule and traffic distribution are well studied, but rarely in direct comparison and in a thorough and exhaustive way. In this paper, we study distribution strategies targeting the application, transport, and network layers for both the traffic and the rule distribution approach. We compare the performance of rule distribution with traffic distribution for each strategy. In addition, we investigate the importance of considering processing-speed optimization in the rule development phase. For our experiments, we rely on the very popular open source system Snort. Our experiments show that, in general, traffic distribution performs better than rule distribution in terms of packet drops and alert detection. The network-layer distribution strategy shows the contrast between the two approaches at its highest level, detecting 34.9% more alerts and dropping 26.5% fewer packets. We also show that optimizing the rule sets further improves processing speed significantly.
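The two parallelization approaches the abstract contrasts, as an added toy model that is not the paper's experiment and not Snort code: the rules, the packet trace and the matcher below are constructed stand-ins, and the instance selection by symmetric 5-tuple hash is one common way to implement network/transport-layer traffic distribution, not necessarily the strategy the authors evaluated.

```python
"""Toy model of the two NIDS parallelization strategies compared in the abstract.
Added example, not code from the paper or from Snort: the rules, packets and
matcher are constructed stand-ins for illustration only."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    dport: Optional[int]   # None matches any destination port
    content: bytes         # byte string that must occur in the payload


def matches(rule: Rule, pkt: Packet) -> bool:
    """Simplified signature test: protocol, optional port, and payload content."""
    return (rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport)
            and rule.content in pkt.payload)


def flow_instance(pkt: Packet, n: int) -> int:
    """Network/transport-layer traffic distribution: choose an instance from a
    symmetric 5-tuple hash so both directions of a connection land on the same
    NIDS instance (otherwise stateful/stream rules see only half the conversation)."""
    a, b = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    key = f"{pkt.proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n


def traffic_distribution(packets, rules, n):
    """Load balancing: each packet is inspected by exactly one instance, which
    holds the full rule set.
    Returns (alerts, packets_per_instance, rule_checks_per_instance)."""
    alerts, pkts, work = set(), [0] * n, [0] * n
    for p in packets:
        i = flow_instance(p, n)
        pkts[i] += 1
        for r in rules:
            work[i] += 1
            if matches(r, p):
                alerts.add((r.sid, p.src, p.dst))
    return alerts, pkts, work


def rule_distribution(packets, rules, n):
    """Work balancing: every instance receives every packet but evaluates only
    its share of the rules (round-robin split), so per-packet work shrinks while
    the per-instance packet load does not.
    Returns (alerts, packets_per_instance, rule_checks_per_instance)."""
    alerts, pkts, work = set(), [len(packets)] * n, [0] * n
    subsets = [rules[i::n] for i in range(n)]
    for p in packets:
        for i, subset in enumerate(subsets):
            for r in subset:
                work[i] += 1
                if matches(r, p):
                    alerts.add((r.sid, p.src, p.dst))
    return alerts, pkts, work


# Constructed rule set and packet trace (not real Snort rules or captured traffic).
RULES = [
    Rule(1000001, "tcp", 80, b"/etc/passwd"),
    Rule(1000002, "tcp", 80, b"UNION SELECT"),
    Rule(1000003, "tcp", None, b"\x90\x90\x90\x90"),
    Rule(1000004, "udp", 53, b"\x01\x00\x00\x01"),
    Rule(1000005, "tcp", 22, b"SSH-1.99"),
    Rule(1000006, "tcp", 80, b"<script>"),
]

PACKETS = [
    Packet("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1"),
    Packet("192.0.2.10", 80, "10.0.0.5", 51000, "tcp", b"HTTP/1.1 200 OK"),  # reply direction
    Packet("10.0.0.6", 51001, "192.0.2.10", 80, "tcp", b"GET /?q=1 UNION SELECT 1,2 HTTP/1.1"),
    Packet("10.0.0.7", 51002, "192.0.2.11", 22, "tcp", b"SSH-1.99-OpenSSH_8.9"),
    Packet("10.0.0.8", 51003, "192.0.2.12", 4444, "tcp", b"\x90\x90\x90\x90\xcc"),
    Packet("10.0.0.9", 51004, "192.0.2.53", 53, "udp", b"\x12\x34\x01\x00\x00\x01"),
    Packet("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1"),
]


if __name__ == "__main__":
    for n in (1, 2, 4):
        ta, tp, tw = traffic_distribution(PACKETS, RULES, n)
        ra, rp, rw = rule_distribution(PACKETS, RULES, n)
        print(f"n={n} traffic: pkts/instance={tp} rule-checks/instance={tw} alerts={len(ta)}")
        print(f"n={n} rules:   pkts/instance={rp} rule-checks/instance={rw} alerts={len(ra)}")
```

Both strategies raise the same alerts on this stateless trace and perform the same total number of rule checks; what differs is where the cost lands. Under traffic distribution each instance ingests only its share of the packet stream, under rule distribution every instance still has to capture, decode and reassemble the full data rate and merely applies fewer rules to each packet. That structural difference is what the abstract's packet-drop comparison is about; the toy does not model drops, and the 34.9% and 26.5% figures come from the paper's measurements with Snort, not from this code. The symmetric hash in flow_instance is the practical caveat for traffic distribution: if the two directions of a connection are hashed to different instances, rules that depend on stream state stop matching.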
Keywords: Intrusion Detection Systems, Snort, High Speed Network, Security, Parallelization, Rule Optimization