TY - GEN
T1 - VniDS
T2 - 25th ACM Conference on Computer and Communications Security, CCS 2018
AU - Li, Hongda
AU - Hu, Hongxin
AU - Gu, Guofei
AU - Ahn, Gail-Joon
AU - Zhang, Fuqiang
N1 - Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/10/15
Y1 - 2018/10/15
N2 - Traditional Network Intrusion Detection Systems (NIDSes) are generally implemented on vendor proprietary appliances or middleboxes with poor versatility and flexibility. Emerging Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies can virtualize NIDSes and elastically scale them to deal with attack traffic variations. However, such an elasticity feature must not come at the cost of decreased detection effectiveness and expensive provisioning. In this paper, we propose an innovative NIDS architecture, vNIDS, to enable safe and efficient virtualization of NIDSes. vNIDS addresses two key challenges with respect to effective intrusion detection and non-monolithic NIDS provisioning in virtualizing NIDSes. The former challenge is addressed by detection state sharing while minimizing the sharing overhead in virtualized environments. In particular, static program analysis is employed to determine which detection states need to be shared. vNIDS addresses the latter challenge by provisioning virtual NIDSes as microservices and employing program slicing to partition the detection logic programs so that they can be executed by each microservice separately. We implement a prototype of vNIDS to demonstrate the feasibility of our approach. Our evaluation results show that vNIDS could offer both effective intrusion detection and efficient provisioning for NIDS virtualization.
AB - Traditional Network Intrusion Detection Systems (NIDSes) are generally implemented on vendor proprietary appliances or middleboxes with poor versatility and flexibility. Emerging Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies can virtualize NIDSes and elastically scale them to deal with attack traffic variations. However, such an elasticity feature must not come at the cost of decreased detection effectiveness and expensive provisioning. In this paper, we propose an innovative NIDS architecture, vNIDS, to enable safe and efficient virtualization of NIDSes. vNIDS addresses two key challenges with respect to effective intrusion detection and non-monolithic NIDS provisioning in virtualizing NIDSes. The former challenge is addressed by detection state sharing while minimizing the sharing overhead in virtualized environments. In particular, static program analysis is employed to determine which detection states need to be shared. vNIDS addresses the latter challenge by provisioning virtual NIDSes as microservices and employing program slicing to partition the detection logic programs so that they can be executed by each microservice separately. We implement a prototype of vNIDS to demonstrate the feasibility of our approach. Our evaluation results show that vNIDS could offer both effective intrusion detection and efficient provisioning for NIDS virtualization.
KW - Network Function Virtualization
KW - Network Intrusion Detection Systems
KW - Software-Defined Networking
UR - http://www.scopus.com/inward/record.url?scp=85056901479&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85056901479&partnerID=8YFLogxK
U2 - 10.1145/3243734.3243862
DO - 10.1145/3243734.3243862
M3 - Conference contribution
AN - SCOPUS:85056901479
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 17
EP - 34
BT - CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 15 October 2018
ER -