DOI: 10.1145/3243734.3243862 (CCS conference proceedings, research article, public access)

vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems

Published: 15 October 2018

ABSTRACT

Traditional Network Intrusion Detection Systems (NIDSes) are generally implemented on vendor proprietary appliances or middleboxes with poor versatility and flexibility. Emerging Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies can virtualize NIDSes and elastically scale them to deal with attack traffic variations. However, such an elasticity feature must not come at the cost of decreased detection effectiveness and expensive provisioning. In this paper, we propose an innovative NIDS architecture, vNIDS, to enable safe and efficient virtualization of NIDSes. vNIDS addresses two key challenges with respect to effective intrusion detection and non-monolithic NIDS provisioning in virtualizing NIDSes. The former challenge is addressed by detection state sharing while minimizing the sharing overhead in virtualized environments. In particular, static program analysis is employed to determine which detection states need to be shared. vNIDS addresses the latter challenge by provisioning virtual NIDSes as microservices and employing program slicing to partition the detection logic programs so that they can be executed by each microservice separately. We implement a prototype of vNIDS to demonstrate the feasibility of our approach. Our evaluation results show that vNIDS could offer both effective intrusion detection and efficient provisioning for NIDS virtualization.
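The abstract names two program-analysis steps: static analysis to decide which detection states must be shared between virtual NIDS instances, and program slicing to split the detection logic so that each microservice runs only the part it needs. The following is an added illustration of both ideas on a toy detection script; it is not code from the paper or the vNIDS prototype. The statement table, the two detectors (an SSH brute-force counter keyed by client host, a DNS-tunnel heuristic keyed by flow), the thresholds, and the "keyed by flow id means per-flow state" rule are all constructed assumptions, and the slicer tracks only data dependences.

```python
"""Toy backward program slicing and detection-state classification.

Added illustration, not the vNIDS paper's code. A detection script is
modelled as the straight-line body of a per-packet loop; each statement
records the variables it writes (defs) and reads (uses). Indexed names such
as "ssh_fail[pkt.src]" stand for detection state tables.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stmt:
    line: int
    text: str
    defs: frozenset
    uses: frozenset


def stmt(line, text, defs, uses):
    return Stmt(line, text, frozenset(defs), frozenset(uses))


# Constructed detection logic: two detectors sharing one parsing stage.
# Detector A counts SSH login failures per client host across all of that
# host's flows; detector B sums DNS query-name length within a single flow.
# Condition variables are listed as uses so the branch's inputs are kept.
PROGRAM = [
    stmt(1, "pkt = next_packet()",      ["pkt"],   []),
    stmt(2, "flow = flow_id(pkt)",      ["flow"],  ["pkt"]),
    stmt(3, "proto = parse_proto(pkt)", ["proto"], ["pkt"]),
    stmt(4, "if proto == SSH and auth_failed(pkt): ssh_fail[pkt.src] += 1",
         ["ssh_fail[pkt.src]"], ["proto", "pkt", "ssh_fail[pkt.src]"]),
    stmt(5, "alert_ssh = ssh_fail[pkt.src] > 20",
         ["alert_ssh"], ["ssh_fail[pkt.src]"]),
    stmt(6, "if proto == DNS: dns_len[flow] += len(pkt.qname)",
         ["dns_len[flow]"], ["proto", "pkt", "flow", "dns_len[flow]"]),
    stmt(7, "alert_dns = dns_len[flow] > 4096",
         ["alert_dns"], ["dns_len[flow]"]),
]


def backward_slice(program, criterion):
    """Line numbers whose execution can affect `criterion` (Weiser-style
    data-dependence slicing). Because the body runs once per packet, the
    set of relevant variables at the end of a pass is carried into the start
    of the next one, and we iterate until that carried set stops changing."""
    included, carried = set(), frozenset()
    while True:
        relevant = set(carried) | {criterion}
        for s in reversed(program):
            if s.defs & relevant:
                included.add(s.line)
                relevant = (relevant - s.defs) | s.uses
        if frozenset(relevant) == carried:
            return frozenset(included)
        carried = frozenset(relevant)


def classify_state(var):
    """Constructed rule (an assumption, not the paper's analysis): state keyed
    by the flow id is per-flow and can live on whichever instance owns that
    flow; state keyed by anything else aggregates across flows and must be
    shared between virtual NIDS instances. Unindexed names are temporaries."""
    if "[" not in var:
        return None
    key = var[var.index("[") + 1:-1]
    return "per-flow" if key == "flow" else "cross-flow"


def shared_states(program, criterion):
    """Detection state that the slice for `criterion` touches and that must be
    shared when that slice runs as its own microservice on several instances."""
    lines = backward_slice(program, criterion)
    touched = {v for s in program if s.line in lines for v in s.defs}
    return sorted(v for v in touched if classify_state(v) == "cross-flow")


def show_slice(program, criterion):
    lines = backward_slice(program, criterion)
    print(f"--- slice for {criterion}: lines {sorted(lines)}")
    for s in program:
        if s.line in lines:
            print(f"  {s.line}: {s.text}")
    print(f"  cross-flow state to share: {shared_states(program, criterion)}")


if __name__ == "__main__":
    show_slice(PROGRAM, "alert_ssh")   # lines 1,3,4,5; shares ssh_fail[pkt.src]
    show_slice(PROGRAM, "alert_dns")   # lines 1,2,3,6,7; nothing to share
```

The two slices overlap only in the packet and protocol parsing, which is why detection logic can be split into separately provisioned microservices. The classification step is the safety-critical one: a cross-flow state that is wrongly labelled per-flow becomes a detection gap as soon as an attacker spreads the activity (here, SSH attempts from one host) across flows that land on different instances, so the analysis has to be sound, not merely cheap to share.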


Published in

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
October 2018, 2359 pages
ISBN: 9781450356930
DOI: 10.1145/3243734
Copyright © 2018 ACM
Publisher: Association for Computing Machinery, New York, NY, United States
Qualifier: research-article
CCS '18 paper acceptance rate: 134 of 809 submissions (17%); overall acceptance rate: 1,261 of 6,999 submissions (18%)