vNIDS: Towards elastic security with safe and efficient virtualization of network intrusion detection systems

Hongda Li, Hongxin Hu, Guofei Gu, Gail-Joon Ahn, Fuqiang Zhang

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

1 Citation (Scopus)

Abstract

Traditional Network Intrusion Detection Systems (NIDSes) are generally implemented on vendor proprietary appliances or middleboxes with poor versatility and flexibility. Emerging Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies can virtualize NIDSes and elastically scale them to deal with attack traffic variations. However, such an elasticity feature must not come at the cost of decreased detection effectiveness and expensive provisioning. In this paper, we propose an innovative NIDS architecture, vNIDS, to enable safe and efficient virtualization of NIDSes. vNIDS addresses two key challenges with respect to effective intrusion detection and non-monolithic NIDS provisioning in virtualizing NIDSes. The former challenge is addressed by detection state sharing while minimizing the sharing overhead in virtualized environments. In particular, static program analysis is employed to determine which detection states need to be shared. vNIDS addresses the latter challenge by provisioning virtual NIDSes as microservices and employing program slicing to partition the detection logic programs so that they can be executed by each microservice separately. We implement a prototype of vNIDS to demonstrate the feasibility of our approach. Our evaluation results show that vNIDS could offer both effective intrusion detection and efficient provisioning for NIDS virtualization.

Original language: English (US)
Title of host publication: CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 17-34
Number of pages: 18
ISBN (Electronic): 9781450356930
DOIs: https://doi.org/10.1145/3243734.3243862
State: Published - Oct 15 2018
Event: 25th ACM Conference on Computer and Communications Security, CCS 2018 - Toronto, Canada
Duration: Oct 15 2018 → …

Other

Other: 25th ACM Conference on Computer and Communications Security, CCS 2018
Country: Canada
City: Toronto
Period: 10/15/18 → …

Fingerprint

Intrusion detection
Virtualization
Elasticity

Keywords

  • Network Function Virtualization
  • Network Intrusion Detection Systems
  • Software-Defined Networking

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Li, H., Hu, H., Gu, G., Ahn, G.-J., & Zhang, F. (2018). vNIDS: Towards elastic security with safe and efficient virtualization of network intrusion detection systems. In CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (pp. 17-34). Association for Computing Machinery. https://doi.org/10.1145/3243734.3243862

@inproceedings{d560b679d39b41e3a80fb3b4e65b4d9e,
title = "vNIDS: Towards elastic security with safe and efficient virtualization of network intrusion detection systems",
abstract = "Traditional Network Intrusion Detection Systems (NIDSes) are generally implemented on vendor proprietary appliances or middleboxes with poor versatility and flexibility. Emerging Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies can virtualize NIDSes and elastically scale them to deal with attack traffic variations. However, such an elasticity feature must not come at the cost of decreased detection effectiveness and expensive provisioning. In this paper, we propose an innovative NIDS architecture, vNIDS, to enable safe and efficient virtualization of NIDSes. vNIDS addresses two key challenges with respect to effective intrusion detection and non-monolithic NIDS provisioning in virtualizing NIDSes. The former challenge is addressed by detection state sharing while minimizing the sharing overhead in virtualized environments. In particular, static program analysis is employed to determine which detection states need to be shared. vNIDS addresses the latter challenge by provisioning virtual NIDSes as microservices and employing program slicing to partition the detection logic programs so that they can be executed by each microservice separately. We implement a prototype of vNIDS to demonstrate the feasibility of our approach. Our evaluation results show that vNIDS could offer both effective intrusion detection and efficient provisioning for NIDS virtualization.",
keywords = "Network Function Virtualization, Network Intrusion Detection Systems, Software-Defined Networking",
author = "Hongda Li and Hongxin Hu and Guofei Gu and Gail-Joon Ahn and Fuqiang Zhang",
year = "2018",
month = "10",
day = "15",
doi = "10.1145/3243734.3243862",
language = "English (US)",
pages = "17--34",
booktitle = "CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery",
}
