SNIPS: A Software-Defined Approach for Scaling Intrusion Prevention Systems via Offloading

  • Victor Heorhiadi
  • Seyed Kaveh Fayaz
  • Michael K. Reiter
  • Vyas Sekar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8880)


Growing traffic volumes and the increasing complexity of attacks pose a constant scaling challenge for network intrusion prevention systems (NIPS). In this respect, offloading NIPS processing to compute clusters offers an immediately deployable alternative to expensive hardware upgrades. In practice, however, NIPS offloading is challenging on three fronts in contrast to passive network security functions: (1) NIPS offloading can impact other traffic engineering objectives; (2) NIPS offloading impacts user perceived latency; and (3) NIPS actively change traffic volumes by dropping unwanted traffic. To address these challenges, we present the SNIPS system. We design a formal optimization framework that captures tradeoffs across scalability, network load, and latency. We provide a practical implementation using recent advances in software-defined networking without requiring modifications to NIPS hardware. Our evaluations on realistic topologies show that SNIPS can reduce the maximum load by up to 10× while only increasing the latency by 2%.


Intrusion Detection Intrusion Detection System Drop Rate Network Intrusion Detection Linear Programming Solution 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Private communication with UNC administrators (2013)Google Scholar
  2. 2.
    Abraham, A., Jain, R., Thomas, J., Han, S.Y.: D-SCIDS: Distributed soft computing intrusion detection system. Journal of Network and Computer Applications 30 (2007)Google Scholar
  3. 3.
    Casado, M., et al.: Ethane: Taking control of the enterprise. ACM SIGCOMM (2007)Google Scholar
  4. 4.
    Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Predicting the resource consumption of network intrusion detection systems. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 135–154. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Feldmann, A., et al.: Deriving traffic demands for operational IP networks: methodology and experience. In: Proc. SIGCOMM (2000)Google Scholar
  6. 6.
    Fortz, B., Rexford, J., Thorup, M.: Traffic engineering with traditional IP routing protocols. IEEE Communications Magazine 40 (2002)Google Scholar
  7. 7.
    Gibb, G., Zeng, H., McKeown, N.: Outsourcing network functionality. In: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (2012)Google Scholar
  8. 8.
    Google Research: No Mobile Site = Lost Customers,
  9. 9.
    Heorhiadi, V., Reiter, M.K., Sekar, V.: New opportunities for load balancing in network-wide intrusion detection systems. ACM CoNEXT (2012)Google Scholar
  10. 10.
    Jamshed, M.A., Lee, J., Moon, S., Yun, I., Kim, D., Lee, S., Yi, Y., Park, K.: Kargus: a highly-scalable software-based intrusion detection system. In: ACM CCS (2012)Google Scholar
  11. 11.
    Jin, X., Li, L.E., Vanbever, L., Rexford, J.: SoftCell: Scalable and Flexible Cellular Core Network Architecture. In: Proc. CoNext (2013)Google Scholar
  12. 12.
    Kohler, E., Morris, R., Chen, B., Jannotti, J., Kaashoek, M.F.: The Click modular router. TOCS 18, 263–297 (2000)CrossRefGoogle Scholar
  13. 13.
    Kreibich, C., Sommer, R.: Policy-controlled event management for distributed intrusion detection. In: Distributed Computing Systems Workshops (2005)Google Scholar
  14. 14.
    Lee, J., et al.: A high performance NIDS using FPGA-based regular expression matching. In: ACM Symposium on Applied Computing (2007)Google Scholar
  15. 15.
    Meiners, C.R., et al.: Fast regular expression matching using small TCAMs for network intrusion detection and prevention systems. In: USENIX Security Symposium (2010)Google Scholar
  16. 16.
  17. 17.
    Network functions virtualisation – introductory white paper,
  18. 18.
    Openflow standard,
  19. 19.
    Papadogiannakis, A., Polychronakis, M., Markatos, E.P.: Tolerating Overload Attacks Against Packet Capturing Systems. In: USENIX Annual Technical Conference (2012)Google Scholar
  20. 20.
    Paxson, V.: Bro: a system for detecting network intruders in real-time. In: Proc. USENIX Security (1998)Google Scholar
  21. 21.
    Porras, P.A., Neumann, P.G.: EMERALD: Event monitoring enabling response to anomalous live disturbances. In: National Information Systems Security Conference (1997)Google Scholar
  22. 22.
  23. 23.
    Qazi, Z., Tu, C.-C., Chiang, L., Miao, R., Sekar, V., Yu, M.: Simple-fying middlebox policy enforcement using sdn. In: Proc. SIGCOMM (2013)Google Scholar
  24. 24.
    Wang, R., Butnariu, D., Rexford, J.: Openflow-based server load balancing gone wild. In: Proc. Hot-ICE (2011)Google Scholar
  25. 25.
    Reitblatt, M., Foster, N., Rexford, J., Schlesinger, C., Walker, D.: Abstractions for network update. In: ACM SIGCOMM (2012)Google Scholar
  26. 26.
    Roughan, M.: Simplifying the synthesis of internet traffic matrices. ACM CCR, 35 (2005)Google Scholar
  27. 27.
    Sekar, V., Krishnaswamy, R., Gupta, A., Reiter, M.K.: Network-wide deployment of intrusion detection and prevention systems. In: ACM CoNEXT (2010)Google Scholar
  28. 28.
    Sekar, V., Reiter, M.K., Willinger, W., Zhang, H., Kompella, R.R., Andersen, D.G.: CSAMP: a system for network-wide flow monitoring. In: Proc. NSDI (2008)Google Scholar
  29. 29.
    Sherry, J., et al.: Making middleboxes someone else’s problem: Network processing as a cloud service. In: ACM SIGCOMM (2012)Google Scholar
  30. 30.
    Shin, S., Gu, G.: Attacking Software-Defined Networks: A First Feasibility Study. In: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (2013)Google Scholar
  31. 31.
    Shin, S., Porras, P., Yegneswaran, V., Fong, M., Gu, G., Tyson, M.: FRESCO: Modular composable security services for software-defined networks. In: Proc. NDSS (2013)Google Scholar
  32. 32.
    Smith, R., Estan, C., Jha, S.: XFA: Faster signature matching with extended automata. In: IEEE Symposium on Security and Privacy (2008)Google Scholar
  33. 33.
    Spring, N., Mahajan, R., Wetherall, D.: Measuring ISP topologies with rocketfuel. In: ACM SIGCOMM (2002)Google Scholar
  34. 34.
    Vallentin, M., Sommer, R., Lee, J., Leres, C., Paxson, V., Tierney, B.: The NIDS cluster: Scalable, stateful network intrusion detection on commodity hardware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 107–126. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  35. 35.
    Vasiliadis, G., Polychronakis, M., Antonatos, S., Markatos, E.P., Ioannidis, S.: Regular expression matching on graphics hardware for intrusion detection. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 265–283. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  36. 36.
    Vasiliadis, G., Polychronakis, M., Ioannidis, S.: MIDeA: a multi-parallel intrusion detection architecture. In: ACM CCS (2011)Google Scholar
  37. 37.
    Wang, R., Butnariu, D., Rexford, J.: Openflow-based server load balancing gone wild. In: Proc. Hot-ICE (2011)Google Scholar
  38. 38.
    World intrusion detection and prevention markets,
  39. 39.
    Yu, F., et al.: SSA: a power and memory efficient scheme to multi-match packet classification. In: ACM ANCS (2005)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Victor Heorhiadi
    • 1
  • Seyed Kaveh Fayaz
    • 2
  • Michael K. Reiter
    • 1
  • Vyas Sekar
    • 2
  1. 1.UNC Chapel HillChapel HillUSA
  2. 2.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations