A Parallel Architecture for Stateful Intrusion Detection in High Traffic Networks




Michele Colajanni, Mirco Marchetti
Dipartimento di Ingegneria dell'Informazione, University of Modena
{colajanni, marchetti.mirco}@unimore.it

Abstract

In a scenario where network bandwidth and traffic are continuously growing, network appliances that have to monitor and analyze all flowing packets are reaching their limits. These issues are critical especially for Network Intrusion Detection Systems (NIDS) that need to trace and reassemble every connection, and to examine every packet flowing on the monitored link(s), to guarantee high security levels. Any NIDS based on a single component cannot scale over certain thresholds, even if it has some parts built in hardware. Hence, parallel architectures appear as the most valuable alternative for the future. In this paper, we propose a parallel NIDS architecture that is able to provide fully reliable analysis, high performance and scalability. These properties come together with the low costs and high flexibility that are guaranteed by a total software implementation. The load balancing mechanism of the proposed NIDS distributes the traffic among a configurable number of parallel sensors, so that each of them is reached by a manageable amount of traffic. The parallelism and traffic distribution do not alter the results of the traffic analysis, which remains reliable and stateful.

I. INTRODUCTION

Network Intrusion Detection Systems (NIDS) are becoming a valuable element in a modern network infrastructure for guaranteeing the security of complex information systems. A NIDS is used to inspect network traffic with the goal of looking for evidence of illicit activities and malicious network packets. To control all the traffic flowing through a network, a NIDS has to perform a stateful analysis on each packet. This requires a NIDS to track and reassemble each distinct connection. (For example, in a LAN, a NIDS has to get and analyze every Ethernet frame.)

The throughput of the monitored traffic and the number of concurrent connections affect the amount of memory and computational power that are required by each NIDS. Various trends are affecting the capacity of present NIDS appliances and their possibility of being applied to the most modern network infrastructures. The increasing number of connected devices, the growth of link capacities, and the diffusion of network-related applications and services are causing a continuous growth of traffic flowing through wide and even local area networks. As a consequence, traffic generated in large network installations may easily overwhelm the memory and power capacity of a typical NIDS. For example, a NIDS implemented through standard hardware can barely deal with 100 Mbps traffic [1], even through special configurations (e.g., fast logging in binary format) [2]. The most common solutions to achieve high performance NIDS are being directed towards custom hardware components that are specifically designed for intrusion detection on high speed links. Some valuable results are described in Section II. On the other hand, we think that custom hardware does not represent a long-term solution for the scalability issue. These hardware-oriented solutions only push further the maximum manageable throughput, but they will be overwhelmed by the traffic volumes of the near future (10 Gbit Ethernet technologies are around the corner). Moreover, they are characterized by the high costs and low flexibility that are typical of hardware-based solutions. In this paper, we propose an innovative parallel NIDS architecture that achieves high performance by combining conventional sensors in parallel, with no need of ad hoc hardware components. We think that parallel architectures are the most valuable alternative for guaranteeing scalability and large diffusion of NIDS even to face future high capacity networks.

We demonstrate that the proposed NIDS can effectively scale and deal with increasing traffic volumes thanks to a fine-grain traffic distribution algorithm and an innovative load balancing technique that dynamically dispatches incoming traffic to the available sensors. This architecture allows the NIDS to inspect high speed links with no packet loss and no negative impact on the accuracy of the traffic analysis, which remains reliable and stateful. The rest of this paper is organized as follows. Section II compares our proposal against other works in the field of high speed NIDS. Section III analyzes the details of the parallel NIDS architecture. Section IV describes the configuration rules that may be used to guarantee the efficacy of the proposed architecture. Section V presents experimental results achieved by a prototype implementation of the proposed NIDS. Finally, Section VI outlines the main conclusions and results of this paper.

II. RELATED WORK

The most common solutions to achieve high performance NIDS rely on hardware-based components. For example, Application Specific Integrated Circuit (ASIC) appliances can inspect high traffic throughput [3], [4], but they do not represent an exhaustive solution to scalability. Moreover, ASIC appliances are characterized by high costs and low flexibility. Similar problems affect other hardware-based architectures, such as FPGA [5]-[7] and Network Processors (NP) [8], [9].

It is important to observe that the parallel NIDS architecture proposed in this paper should not be confused with the distributed NIDS architectures that have been extensively studied in the literature [10]-[13], and can be implemented through commercial or open source software [14]-[16]. A distributed NIDS architecture is composed of sensors deployed at different places of a network. Their typical scenario is represented by a large network consisting of small interconnected subnets, where a distributed NIDS architecture deploys a sensor in each subnet. These sensors may be connected to a central manager that concentrates and correlates sensor alerts. On the other hand, a parallel NIDS architecture may be thought of as a single, logical NIDS sensor, composed of a traffic distribution device that is connected to conventional sensors operating in parallel, each analyzing only a subset of the traffic on the same link. To the best of our knowledge, there are not many other parallel NIDS architectures. The first parallel implementation of a NIDS, described in [17], is characterized by some drawbacks in the traffic dispatching algorithm, which is able to classify packets only on the basis of IP addresses. This is a main limit in many network configurations, especially if we consider that Network Address Translation (NAT) mechanisms hide entire computer networks behind a single IP address [18]. Hence, even the traffic flowing between two IP addresses may be too much for the capacity of a single NIDS sensor, with the possibility of system bottlenecks and limits to the architecture scalability. On the other hand, the proposed system achieves an effective, fine-grain traffic sharing between its NIDS sensors. Moreover, the traffic dispatching algorithm of the architecture in [17] does not adapt to the current traffic pattern, because the traffic distribution depends on a set of static rules that assign different traffic flows to different sensors. The problem is that traffic composition may change rapidly, thus overloading some sensors with significant packet loss and leaving other sensors almost unused.

The proposed system addresses this issue as well. The other interesting parallel architecture, presented in [19], is characterized by a custom hardware load balancer that feeds conventional NIDS sensors. To ensure that every packet belonging to a certain flow is analyzed by the same sensor, the hardware load balancer calculates a set of hashing functions on different fields of the packet. The destination NIDS sensor is selected on the basis of the resulting hashes. However, although the balancer may dynamically adapt the traffic dispatching rules, the redirection of already established connections to a different sensor makes it impossible to perform a stateful analysis. A serialization of the internal NIDS state was proposed in [20]. This is an important contribution because a serialized representation can be propagated to other NIDS sensors to achieve better coordination in distributed NIDS architectures. However, that paper does not consider state serialization as a means to provide stateful and dynamic load balancing of established connections among different NIDS sensors. The proposed parallel NIDS architecture differs from all the previous proposals. It is a totally software-based solution where every element is built with standard hardware, which is flexible and inexpensive. The dispatching algorithm is able to classify network packets on the basis of many features, such as protocols, IP addresses, and port numbers. This mechanism allows the NIDS to achieve an effective load sharing among multiple NIDS sensors. Another innovative feature is represented by the introduction of a load balancing mechanism that can dynamically reassign an already established connection to an arbitrary sensor. Moreover, this algorithm allows sensors to perform a stateful, in-depth traffic analysis that guarantees maximum detection accuracy together with load balancing properties.

III. PARALLEL NIDS ARCHITECTURE

The proposed architecture for traffic distribution and analysis consists of various components that are described in Figure 1. The traffic source is installed on the high-speed monitored link. Its purpose is to provide the scatterer with a copy of the traffic that must be inspected. A suitable traffic source may be implemented by means of a network tap, a switch with a SPAN port, or a hub. The preference for a network tap instead of a hub or a switch is motivated by its higher throughput and availability. The traffic source feeds a scatterer that, in our implementation, captures every Ethernet frame and sends the frame to one of the directly connected slicers. The scatterer is the only centralized element, and has to manage traffic at the same throughput as the network link. Architecture scalability is limited by the number of slicers that the scatterer is able to handle. In order to keep the computational cost reasonably low, scattering operations must be as simple as possible. Here, the presented results are based on a simple round-robin dispatching policy, because the comparison of different algorithms is out of the scope of this paper.

Fig. 1. Parallel NIDS architecture

The slicers capture every frame from the input interface and have to determine the destination NIDS sensor of each of them. That operation cannot be executed by the scatterer, because in our implementation the destination sensor is selected on the basis of a frame analysis, which is a quite complex operation. Indeed, each slicer implements a set of slicing rules that are used to classify every received Ethernet frame. In particular, our implementation of the slicer makes it possible to select the destination sensor on the basis of various features, such as protocols, IP addresses and port numbers. Slicing rules need to be carefully designed, so as to route every frame towards the NIDS that may need it to detect an attack (see Section IV). This is one of the most critical tasks because we want to perform a stateful traffic analysis. Hence, we must guarantee that every frame belonging to the same transport level connection is routed to the same NIDS sensor. Once the slicing rules have been applied to determine the destination sensor, a slicer writes a logical indicator of the selected sensor in the MAC destination address field of the Ethernet header. It is also possible that a single Ethernet frame has to be sent towards two or more sensors. In those instances, the slicer creates a copy of the frame for each destination sensor, and applies a different indicator to each copy. After the slicer layer, the frames are sent to the switch, which is used to enforce the routing decisions previously taken by the slicers. Every frame coming from one of the switch input interfaces is routed to the sensor indicated by the value written in the MAC destination address of the Ethernet frame header. If the switch is programmable (that is, if the switch is provided with a static routing table), then the sensor indicators used by the slicers may be unrelated to the real hardware addresses of the sensors' input interfaces. On the other hand, if the switch is not programmable, then each sensor indicator is given by the MAC address owned by the input interface of the corresponding sensor.
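The slicer behaviour described above (classify a frame, choose one or more sensors, rewrite the destination MAC with a logical indicator, duplicate the frame when several sensors need it) can be demonstrated in a few dozen lines. The following C is an added example and not the paper's prototype: it hard-codes the three slicing rules that Section V-A uses (TCP port 80 to sensor 1, TCP port 23 to sensor 2, everything else to sensor 3), matches a rule on either port so both directions of a connection land on the same sensor, and treats a frame matched by two rules as one needing two copies, which is this example's reading of the duplication case. The locally administered indicator address 02:00:00:00:00:<sensor>, the sample 10.0.0.1 to 10.0.0.2 frame, and the function names are constructed for the example and assume a programmable switch with a static table.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the paper's prototype: a minimal slicer that classifies
 * Ethernet/IPv4/TCP frames with the three slicing rules of Section V-A and
 * writes a logical sensor indicator into the destination MAC field. */

enum { ETH_HLEN = 14, ETHERTYPE_IP4 = 0x0800, PROTO_TCP = 6, MAX_SENSORS = 8, MAX_FRAME = 1518 };

struct flow_key { int is_ipv4; uint8_t proto; uint16_t src_port, dst_port; }; /* ports 0 if not TCP */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse Ethernet II + IPv4 (+ TCP) headers. Returns 0 on a truncated frame. */
int parse_frame(const uint8_t *f, size_t len, struct flow_key *k)
{
    memset(k, 0, sizeof *k);
    if (len < ETH_HLEN) return 0;
    if (rd16(f + 12) != ETHERTYPE_IP4) return 1;   /* non-IP frame: empty key */
    const uint8_t *ip = f + ETH_HLEN;
    if (len < ETH_HLEN + 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ETH_HLEN + ihl) return 0;
    k->is_ipv4 = 1;
    k->proto = ip[9];
    if (k->proto == PROTO_TCP) {
        if (len < ETH_HLEN + ihl + 4) return 0;
        k->src_port = rd16(ip + ihl);
        k->dst_port = rd16(ip + ihl + 2);
    }
    return 1;
}

/* Slicing rules of Section V-A as a bitmask (bit s-1 set = sensor s needs the
 * frame). Each rule tests both ports, so both directions of a TCP connection
 * reach the same sensor, as stateful analysis requires. A frame matched by
 * several rules sets several bits and is copied once per sensor (Section IV-B). */
unsigned sensor_mask(const struct flow_key *k)
{
    unsigned m = 0;
    if (k->is_ipv4 && k->proto == PROTO_TCP) {
        if (k->src_port == 80 || k->dst_port == 80) m |= 1u << 0;
        if (k->src_port == 23 || k->dst_port == 23) m |= 1u << 1;
    }
    if (m == 0) m = 1u << 2;          /* everything else goes to sensor 3 */
    return m;
}

/* Emit one marked copy per destination sensor. The indicator overwrites the
 * destination MAC with a locally administered address (assumes a programmable
 * switch; with a plain switch it would be the sensor NIC's real address).
 * Returns the number of copies, 0 for a truncated frame. */
int slice_frame(const uint8_t *frame, size_t len,
                uint8_t copies[MAX_SENSORS][MAX_FRAME], int sensor_ids[MAX_SENSORS])
{
    struct flow_key k;
    if (len > MAX_FRAME || !parse_frame(frame, len, &k)) return 0;
    unsigned mask = sensor_mask(&k);
    int n = 0;
    for (int s = 1; s <= MAX_SENSORS; s++) {
        if (!(mask & (1u << (s - 1)))) continue;
        memcpy(copies[n], frame, len);
        memset(copies[n], 0, 6);
        copies[n][0] = 0x02;          /* locally administered unicast */
        copies[n][5] = (uint8_t)s;    /* logical sensor indicator */
        sensor_ids[n++] = s;
    }
    return n;
}

/* Constructed sample: Ethernet + IPv4 (10.0.0.1 -> 10.0.0.2) + TCP, no payload. */
size_t build_tcp_frame(uint8_t *buf, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                          /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN, *tcp = ip + 20;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = PROTO_TCP;  /* IHL 5, len 40, TTL 64 */
    memcpy(ip + 12, "\x0a\x00\x00\x01", 4);
    memcpy(ip + 16, "\x0a\x00\x00\x02", 4);
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                          /* data offset 5 words */
    return 54;
}

/* Indicator carried by copy `which` of a constructed TCP frame with the given
 * ports, checked against the sensor id the slicer reported; -1 if no such copy. */
int sensor_for_ports(uint16_t sport, uint16_t dport, int which)
{
    uint8_t f[MAX_FRAME], copies[MAX_SENSORS][MAX_FRAME];
    int ids[MAX_SENSORS];
    int count = slice_frame(f, build_tcp_frame(f, sport, dport), copies, ids);
    if (which < 0 || which >= count) return -1;
    return copies[which][5] == ids[which] ? ids[which] : -1;
}

int main(void)
{
    printf("x->80: sensor %d, 23->x: sensor %d, other: sensor %d, 80<->23 copies: %d and %d\n",
           sensor_for_ports(40000, 80, 0), sensor_for_ports(23, 40000, 0),
           sensor_for_ports(1234, 5678, 0), sensor_for_ports(80, 23, 0), sensor_for_ports(80, 23, 1));
    return 0;
}
```

The point to take from the example is the last case: a rule set whose rules overlap makes the slicer emit two marked copies of one frame, which is exactly the duplication that the dimensioning analysis of Section IV-B has to account for; disjoint rules keep one copy per frame.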
The next layer of the architecture consists of a set of NIDS sensors. In our proposal, NIDS sensors are implemented through a custom version of the Snort IDS [15] that allows the migration of state information related to currently analyzed connections. This new feature makes it possible to redirect an already opened connection to a different NIDS sensor without altering the results of the traffic analysis. The last element is the coordinator, which is directly connected to all slicers and sensors. The coordinator is used to run the load balancing algorithm, and it is important to notice that it does not limit the scalability of the architecture. Indeed, it only monitors the load of the sensors and enforces the actions possibly triggered by the load balancing algorithm, like changes in slicing rules and migration of connection states. NIDS sensors are directly connected to the switch, and each receives only a subset of the traffic flowing through the monitored link. That subset of traffic includes every frame necessary to carry out a stateful traffic analysis, so that the proposed architecture can safely distribute network traffic analysis. Due to the parallel nature of the proposed architecture, network packets belonging to the same transport level connection may reach the NIDS sensor in the wrong order. As an example, this could be due to the use of slicers with different computational power. However, Snort pre-processors are able to restore the correct order of the network packets. Hence, traffic flow reordering can be carried out by the NIDS sensors, without the use of specific network components. Experimental results that demonstrate the scalability and efficacy of the proposed architecture are reported in Section V-A.

IV. CONFIGURATION OF THE PARALLEL ARCHITECTURE

A parallel NIDS architecture is a complex infrastructure that must be carefully configured. To this purpose, we need to know (at least approximately) some important characteristics of the incoming traffic, such as maximum throughput and most common protocols. That information allows us to design and implement the set of slicing rules, which have a great impact on the overall efficacy of the architecture. In our version, a well designed set of slicing rules has to satisfy the following main properties.

1) Packets belonging to the same connection have to be routed towards the same NIDS sensor. This is necessary to trace and reassemble all connections, as required by the stateful traffic analysis characterizing the proposed architecture.

2) Network traffic should be equally distributed among the available NIDS sensors. This allows the architecture to achieve good load balancing properties.

Both requirements can be satisfied through a well designed set of slicing rules. While it is rather simple to write slicing rules that preserve transport level connections, achieving a reasonable load balancing among NIDS sensors is a non-trivial task.

A. Load Balancing

In static architectures, such as [17], the set of slicing rules is designed on the basis of a quantitative analysis of traffic samples, so that every relevant change in the traffic pattern can lead to load unbalance and consequent risks of packet losses. On the other hand, the proposed parallel architecture can achieve load balancing by dynamically adapting slicing rules and NIDS sensors to the current NIDS sensor load. We have deployed a novel mechanism that allows the parallel NIDS to dynamically move an open connection to a different sensor without altering the results of the traffic analysis. To this purpose, the sensors are implemented by adding two new features to the original version of Snort: the first feature exports the state information related to analyzed connections and stores it in files; the second reads the state information stored in files generated by other instances of Snort, thus creating the correct state for a connection that has not yet been analyzed. To move a connection to a different sensor, we first have to export its state from the sensor that previously handled that connection, and then we have to move the files containing the state information to the new sensor. Finally, the new sensor can read the file and import the state information for the moved connection.

Both export and import operations can be triggered at run-time by simply sending the proper signals to a running instance of our Snort version. Figures 2, 3 and 4 describe an example of the problems related to load balancing for NIDS sensors and the steps of the proposed solution. In Figure 2 we have two NIDS sensors that perform a stateful, in-depth analysis on incoming traffic. We assume that the sensor NIDS 1 analyzes the network connection Connection 1, and State 1 represents the state information related to that connection. The sensor NIDS 2 analyzes two network connections (Connection 2 and Connection 3) whose state information is stored in State 2 and State 3, respectively. Let us suppose that sensor NIDS 2 gets overloaded, and that the load balancing algorithm reacts by moving Connection 2 from NIDS 2 to NIDS 1. Figure 3 shows the effects of the load balancing action with traditional NIDS sensors: NIDS 1 picks up Connection 2 midstream, but it is unable to create a consistent state and to perform a stateful analysis on that connection. Instead, our solution is shown in Figure 4, which shows how it is possible to migrate the state of Connection 2 to NIDS 1, thus allowing our system to perform a reliable and stateful analysis on the last part of the connection. This mechanism allows for a dynamic traffic redistribution between NIDS sensors without altering the analysis results. Moreover, it is important to observe that this mechanism can work with any load balancing policy.

Fig. 2. Initial situation

Fig. 3. Connection reassignment without state migration

Fig. 4. Connection reassignment with state migration. Thanks to our novel technique, the NIDS receiving an already opened connection, that was previously analyzed by an overloaded sensor, is able to perform a stateful inspection.

B. Dimensional bindings

An important step for the configuration of the parallel architecture for NIDS is to carry out a dimensional binding for each component. For this analysis, we use the notation in Table I.

TABLE I
CONSTRAINTS OF THE ARCHITECTURE COMPONENTS

Symbol             Meaning
$B_{Link}^{IN}$    Throughput of incoming traffic
$B_{NIC}^{IN}$     Highest bandwidth of the scatterer input interface
$N$                Number of slicers
$B_{NIC,i}^{OUT}$  Bandwidth of the scatterer i-th output interface
$S_i^{IN}$         Highest bandwidth manageable by the i-th slicer
$S_i^{OUT}$        Bandwidth of the i-th slicer output interface
$W_i^{IN}$         Bandwidth of the i-th input interface of the switch
$W_T^{MAX}$        Highest aggregate throughput of the switch
$W_i^{OUT}$        Bandwidth of the i-th output interface of the switch
$I_i^{MAX}$        Highest throughput manageable by the i-th NIDS sensor

To get a well dimensioned architecture, where no component is overwhelmed by the incoming traffic, we have to satisfy the following conditions:

$B_{NIC}^{IN} \geq B_{Link}^{IN}$

The bandwidth manageable by the scatterer input interface has to be greater than the bandwidth of the traffic that we want to inspect.

$\sum_{i=0}^{m-1} B_{NIC,i}^{OUT} \geq B_{Link}^{IN}$

The aggregate output bandwidth of the scatterer has to be greater than the bandwidth of the traffic that we want to inspect.

$S_i^{IN} \geq B_{NIC,i}^{OUT}, \quad \forall i$

The computational capacity of the slicer connected to the i-th scatterer output interface has to be large enough to manage all the traffic generated by that interface.

$W_i^{IN} \geq S_i^{OUT}, \quad \forall i$

The bandwidth of every input interface of the switch has to be greater than the traffic produced by the directly connected slicer.

$W_T^{MAX} \geq \sum_{i=0}^{m-1} S_i^{OUT}$

The aggregate throughput of the switch has to be greater than the sum of the traffic volumes generated by the slicers.

$I_i^{MAX} \geq W_i^{OUT}, \quad \forall i$

The highest bandwidth that the i-th NIDS sensor is able to manage has to be greater than the throughput generated by the i-th output interface of the switch.

Depending on the slicing rules, a single frame can be required by two or more sensors. In that instance, we have to create a copy of the frame for every sensor that requires it, hence the number of frames generated by the slicers can be greater than the number of frames captured by the scatterer. We can state that

$S_i^{OUT} \geq B_{NIC,i}^{OUT}, \quad \forall i$

Hence, the number of frames to be analyzed by NIDS sensors is equal to or greater than the number of frames flowing through the monitored link. If we consider that slicers share the same configuration rules, and slicers have the same probability of receiving a frame that is required by more sensors, then we can state that

$S_i^{OUT} = k \cdot B_{NIC,i}^{OUT}$

The constant k is given by

$k = \frac{S_i^{OUT}}{B_{NIC,i}^{OUT}} = \frac{\sum_{t=0}^{T_i-1} N(f_t)}{T_i}$

where $T_i$ represents the number of frames received by the i-th slicer, and the function $N(f_t)$ denotes the number of copies of the t-th frame produced by the i-th slicer. We can verify that $k \geq 1$, and that

$k = 1 \iff N(f_t) = 1, \quad \forall t$

that is, the slicer emits exactly the traffic it receives only when no frame is duplicated. The important consequence of this analysis is that the parallel architecture proposed in this paper may cause an increment in the volume of traffic to be analyzed by NIDS sensors. Frame duplication can be kept reasonably low (possibly nullified) thanks to a careful design of the slicing rules and event space distribution.

V. EXPERIMENTAL RESULTS

In this section we describe the most important experimental results, which aim to validate the functional properties of the parallel architecture, to demonstrate its scalability and to prove the feasibility of the load balancing mechanism. The prototype architecture has been implemented in the C language for GNU/Linux platforms.
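Before the experimental results, it is worth seeing the dimensioning conditions of Section IV-B applied to concrete numbers. The C below is an added example, not part of the paper or its prototype: it encodes the six conditions (scatterer input, scatterer aggregate output, slicer capacity, switch input ports, switch aggregate throughput, sensor capacity) as a check over a deployment description, computes the duplication factor k as the mean of the per-frame copy counts N(f_t), and shows how a k above 1 turns a well dimensioned deployment into one that violates the switch and sensor conditions. The field names, the 1 Gbit/s deployment figures, the assumption that slicing rules spread traffic evenly over the sensors, and the sample N(f_t) values are all constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not the paper's code: checks the dimensioning conditions of
 * Section IV-B for a constructed deployment and computes the duplication
 * factor k from per-frame copy counts. Symbols follow Table I; the deployment
 * figures below are assumptions chosen for illustration (Mbit/s throughout). */

#define MAX_SLICERS 16
#define MAX_SENSORS 16

struct architecture {
    double b_link_in;               /* B_Link^IN: monitored traffic */
    double b_nic_in;                /* B_NIC^IN: scatterer input interface */
    int    m;                       /* number of slicers */
    double b_nic_out[MAX_SLICERS];  /* B_NIC,i^OUT: scatterer output interface i */
    double s_in[MAX_SLICERS];       /* S_i^IN: capacity of slicer i */
    double s_out[MAX_SLICERS];      /* S_i^OUT: traffic emitted by slicer i */
    double w_in[MAX_SLICERS];       /* W_i^IN: switch input interface i */
    double w_t_max;                 /* W_T^MAX: switch aggregate throughput */
    int    n_sensors;
    double w_out[MAX_SENSORS];      /* W_j^OUT: switch output interface j */
    double i_max[MAX_SENSORS];      /* I_j^MAX: capacity of sensor j */
};

enum {                              /* one bit per violated condition */
    V_SCATTER_IN  = 1 << 0,         /* B_NIC^IN >= B_Link^IN */
    V_SCATTER_OUT = 1 << 1,         /* sum_i B_NIC,i^OUT >= B_Link^IN */
    V_SLICER_CAP  = 1 << 2,         /* S_i^IN >= B_NIC,i^OUT for all i */
    V_SWITCH_IN   = 1 << 3,         /* W_i^IN >= S_i^OUT for all i */
    V_SWITCH_AGG  = 1 << 4,         /* W_T^MAX >= sum_i S_i^OUT */
    V_SENSOR_CAP  = 1 << 5          /* I_j^MAX >= W_j^OUT for all j */
};

/* Returns the bitmask of violated conditions; 0 means well dimensioned. */
unsigned check_dimensioning(const struct architecture *a)
{
    unsigned v = 0;
    double sum_nic_out = 0, sum_s_out = 0;
    if (a->b_nic_in < a->b_link_in) v |= V_SCATTER_IN;
    for (int i = 0; i < a->m; i++) {
        sum_nic_out += a->b_nic_out[i];
        sum_s_out   += a->s_out[i];
        if (a->s_in[i] < a->b_nic_out[i]) v |= V_SLICER_CAP;
        if (a->w_in[i] < a->s_out[i])     v |= V_SWITCH_IN;
    }
    if (sum_nic_out < a->b_link_in) v |= V_SCATTER_OUT;
    if (a->w_t_max < sum_s_out)     v |= V_SWITCH_AGG;
    for (int j = 0; j < a->n_sensors; j++)
        if (a->i_max[j] < a->w_out[j]) v |= V_SENSOR_CAP;
    return v;
}

/* k = (1/T) * sum_{t=0}^{T-1} N(f_t): mean number of copies per received frame.
 * N(f_t) = 1 when exactly one sensor needs frame t, so k = 1 iff no frame is
 * duplicated; an empty trace is treated as k = 1. */
double duplication_factor(const int copies[], size_t t_frames)
{
    long total = 0;
    for (size_t t = 0; t < t_frames; t++) total += copies[t];
    return t_frames ? (double)total / (double)t_frames : 1.0;
}

/* Constructed deployment: 1 Gbit/s link, round-robin scatterer feeding m = 4
 * slicers (300 Mbit/s capacity each, 1 Gbit/s switch ports), a 1.2 Gbit/s
 * switch and 8 sensors of 150 Mbit/s. Slicer output follows S_i^OUT = k *
 * B_NIC,i^OUT, and the slicing rules are assumed to spread traffic evenly. */
struct architecture example_deployment(double k)
{
    struct architecture a = {0};
    a.b_link_in = 1000.0; a.b_nic_in = 1000.0; a.m = 4;
    for (int i = 0; i < a.m; i++) {
        a.b_nic_out[i] = a.b_link_in / a.m;      /* round robin: 250 each */
        a.s_in[i]      = 300.0;
        a.s_out[i]     = k * a.b_nic_out[i];
        a.w_in[i]      = 1000.0;
    }
    a.w_t_max = 1200.0;
    a.n_sensors = 8;
    for (int j = 0; j < a.n_sensors; j++) {
        a.w_out[j] = k * a.b_link_in / a.n_sensors;   /* 125 * k per sensor */
        a.i_max[j] = 150.0;
    }
    return a;
}

/* Violated conditions of the example deployment for a given k. */
unsigned example_violations(double k)
{
    struct architecture a = example_deployment(k);
    return check_dimensioning(&a);
}

int main(void)
{
    const int copies[] = {1, 1, 2, 1, 3};          /* constructed N(f_t) values */
    double k = duplication_factor(copies, 5);      /* 8 copies / 5 frames = 1.6 */
    printf("k = %.2f; violations at k = 1: 0x%x, at k = %.2f: 0x%x\n",
           k, example_violations(1.0), k, example_violations(k));
    return 0;
}
```

With disjoint slicing rules (k = 1) every condition holds; with the constructed copy counts (k = 1.6) the slicers emit 1600 Mbit/s in aggregate, which exceeds the switch's 1200 Mbit/s, and each sensor would receive 200 Mbit/s against a 150 Mbit/s capacity, so the check reports both V_SWITCH_AGG and V_SENSOR_CAP. That is the practical meaning of the remark that frame duplication must be kept low by rule design.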
A. Architecture validation

For the tests we have configured a virtual network, where virtual hosts have been implemented through User Mode Linux [21], and virtual Ethernet links through OpenVPN [22]. Virtual networks allow us to test the efficacy of the architecture for an arbitrary number of slicers, reassemblers and NIDS sensors, with limited usage of hardware. The prototype architecture consists of three slicers and three NIDS sensors. Traffic source activity is emulated through Tcpreplay [23], which replays the IDEVAL [24]-[26] traffic towards the input interface of the scatterer at a configurable rate. Each NIDS has been implemented through the open source software Snort [15]. Many different configurations have been tested, and for space reasons here we report the results referring to one significant example, where slicers implement a simple set of slicing rules. The first rule routes to sensor 1 every TCP packet coming from, or directed to, port 80. The second rule routes to sensor 2 every TCP packet coming from, or directed to, port 23. The third rule routes to sensor 3 every packet that has not been routed to sensors 1 or 2. From this test, we have that the first NIDS (connected to the first sensor) analyzes 526440 frames and generates 495 alerts, the second NIDS analyzes 529439 frames and generates 22 alerts, and the third NIDS analyzes 597498 frames and generates 2686 alerts. The results are summarized in Table II. Despite the simplicity of the slicing rules, we can observe that the traffic is really well distributed among the three NIDS sensors. Load sharing is an important property, but we also need to guarantee that the distribution of the traffic analysis among different components does not affect the stateful analysis properties. To this purpose, we collect reliable reference data by using just one Snort sensor that is configured with the same rules that were used for the previous experiment. From this system, we obtained a total of 3203 alerts, which corresponds perfectly to the sum of the alerts obtained by the three sensors reported in Table II.

TABLE II
VALIDATION OF THE ARCHITECTURE

           NIDS 1   NIDS 2   NIDS 3     Total
Packets    526440   529439   597498   1653377
Alerts        495       22     2686      3203

This important result proves that the proposed architecture allows us to distribute the computational costs of traffic analysis without altering the results.

B. Scalability of components and system

To verify the scalability of the entire architecture, we carry out several experiments for different numbers of sensors. In each test we measure the highest network traffic that we are able to analyze correctly, that is, without significant (greater than 1%) packet loss in the NIDS sensors. For the parallel architecture, we use common PC hardware connected as in the scheme of Figure 1. The generated traffic reproduces IDEVAL traffic that is transmitted through Tcpreplay and flows through a Gigabit Ethernet. The results are shown in Figure 5, where the X-axis denotes the number of sensors, and the Y-axis the highest analyzed throughput.

[Fig. 5. Scalability of the parallel NIDS architecture. X-axis: number of NIDS sensors (2 to 8); Y-axis: analyzed traffic [Mbit/s] (60 to 220).]

From this figure, it is immediate to observe that the capacity of analysis grows almost linearly for increasing numbers of sensors, thus demonstrating the scalability properties of the proposed architecture.

C. Load Balancing

Another innovation of the proposed architecture is represented by its ability to dynamically migrate the states of analyzed connections between different sensors. This feature can be used to achieve load balancing among NIDS sensors, thus increasing the scalability and the overall effectiveness of the parallel NIDS architecture, although it is mandatory not to alter the analysis results. To demonstrate the feasibility of our proposal, we configure a simple parallel NIDS architecture, with two slicers and two NIDS sensors, to analyze the IDEVAL network traffic injected into the scatterer by Tcpreplay. In Figure 6, we can see the amount of traffic analyzed by each sensor. The Y-axis reports the throughput analyzed by the sensors in Mbit per second, while the X-axis represents the time of the experiment (in seconds). We can see that during the first 100 seconds both sensors have to analyze a manageable amount of traffic (always less than 35 Mbit/s). This result indicates that the slicing rules achieve an acceptable load sharing between the two sensors. Around 100 seconds, the traffic pattern changes, and the traffic analyzed by sensor 1 suddenly increases, while the traffic analyzed by sensor 2 remains almost constant. Figure 6 highlights the consequences of a change in the network traffic pattern.
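The load unbalance just described is what the two-threshold policy used in the rest of Section V-C reacts to: a sensor above 40 Mbit/s for more than 5 seconds is declared overloaded, slices of its traffic are handed to the other sensors round-robin until it falls below 30 Mbit/s, and the state of the moved connections goes with them. The following C is an added simulation of that controller, not the paper's implementation: it models traffic as slices that can change owner (one reassignment standing for a slicing-rule change plus the Snort state export/import of Section IV-A) and drives the controller with a constructed 200-second trace in the spirit of Figure 6, where sensor 1 jumps from 30 to 42 Mbit/s at t = 100. Slice sizes, the number of slices and the rule that a destination must stay below the on threshold after receiving a slice are this example's assumptions.

```c
#include <stdio.h>

/* Added example, not the paper's implementation: a simulation of the
 * two-threshold, round-robin load balancing policy of Section V-C on a
 * constructed throughput trace. Traffic is modelled as slices (the connections
 * selected by one slicing rule) that can be reassigned between sensors; one
 * reassignment stands for a rule change plus the Snort state export/import of
 * Section IV-A, so the analysis of the moved connections stays stateful. */

#define N_SENSORS     2
#define N_SLICES      10
#define TRACE_SECONDS 200
#define ON_THRESHOLD  40.0   /* Mbit/s: overloaded if exceeded ...              */
#define ON_SECONDS    5      /* ... for more than this many consecutive seconds */
#define OFF_THRESHOLD 30.0   /* Mbit/s: move slices away until load drops below */

struct slice { double rate; int sensor; };   /* Mbit/s and current owner (0-based) */

struct balancer {
    int over_seconds[N_SENSORS];   /* consecutive seconds above ON_THRESHOLD */
    int rr_next;                   /* round-robin cursor over destination sensors */
    int migrations;                /* slice (and state) migrations performed */
};

double sensor_load(const struct slice *s, int sensor)
{
    double load = 0;
    for (int i = 0; i < N_SLICES; i++)
        if (s[i].sensor == sensor) load += s[i].rate;
    return load;
}

/* Next sensor in round-robin order that is not overloaded and can absorb
 * `rate` without crossing ON_THRESHOLD itself (assumption); -1 if none. */
static int pick_destination(struct balancer *b, const double *load, int src, double rate)
{
    for (int n = 0; n < N_SENSORS; n++) {
        int d = (b->rr_next + n) % N_SENSORS;
        if (d == src || b->over_seconds[d] > 0) continue;
        if (load[d] + rate >= ON_THRESHOLD) continue;
        b->rr_next = (d + 1) % N_SENSORS;
        return d;
    }
    return -1;
}

/* One controller tick (one second). Returns the number of slices migrated. */
int balance_tick(struct balancer *b, struct slice *s)
{
    double load[N_SENSORS];
    for (int k = 0; k < N_SENSORS; k++) {
        load[k] = sensor_load(s, k);
        b->over_seconds[k] = load[k] > ON_THRESHOLD ? b->over_seconds[k] + 1 : 0;
    }
    int moved = 0;
    for (int src = 0; src < N_SENSORS; src++) {
        if (b->over_seconds[src] <= ON_SECONDS) continue;   /* on threshold not reached */
        for (int i = 0; i < N_SLICES && load[src] >= OFF_THRESHOLD; i++) {
            if (s[i].sensor != src) continue;
            int dst = pick_destination(b, load, src, s[i].rate);
            if (dst < 0) break;                  /* no sensor can take more */
            s[i].sensor = dst;                   /* rule change + state migration */
            load[src] -= s[i].rate;
            load[dst] += s[i].rate;
            moved++;
            b->migrations++;
        }
        if (load[src] < OFF_THRESHOLD) b->over_seconds[src] = 0;
    }
    return moved;
}

struct result { double final_load[N_SENSORS]; double peak_load[N_SENSORS]; int migrations; int first_migration; };

/* Constructed trace: sensor 1 owns slices 0-5 and sensor 2 slices 6-9, 5 Mbit/s
 * each; at t = 100 the traffic pattern changes and slices 0-5 grow to 7 Mbit/s,
 * pushing sensor 1 from 30 to 42 Mbit/s while sensor 2 stays at 20 Mbit/s. */
struct result run_trace(int balancing)
{
    struct slice s[N_SLICES];
    struct balancer b = {{0}, 0, 0};
    struct result r = {{0}, {0}, 0, -1};
    for (int i = 0; i < N_SLICES; i++) { s[i].sensor = i < 6 ? 0 : 1; s[i].rate = 5.0; }
    for (int t = 0; t < TRACE_SECONDS; t++) {
        for (int i = 0; i < 6; i++) s[i].rate = t >= 100 ? 7.0 : 5.0;
        int moved = balancing ? balance_tick(&b, s) : 0;
        if (moved > 0 && r.first_migration < 0) r.first_migration = t;
        for (int k = 0; k < N_SENSORS; k++) {
            r.final_load[k] = sensor_load(s, k);
            if (r.final_load[k] > r.peak_load[k]) r.peak_load[k] = r.final_load[k];
        }
    }
    r.migrations = b.migrations;
    return r;
}

double final_load(int balancing, int sensor) { struct result r = run_trace(balancing); return r.final_load[sensor]; }
int migrations(int balancing) { return run_trace(balancing).migrations; }
int first_migration(int balancing) { return run_trace(balancing).first_migration; }

int main(void)
{
    for (int bal = 0; bal <= 1; bal++)
        printf("%s balancing: final loads %.0f / %.0f Mbit/s, %d migrations (first at t=%d)\n",
               bal ? "with" : "without", final_load(bal, 0), final_load(bal, 1),
               migrations(bal), first_migration(bal));
    return 0;
}
```

Without balancing sensor 1 stays at 42 Mbit/s for the second half of the trace; with balancing the on threshold trips at t = 105 (the sixth consecutive second above 40 Mbit/s), two 7 Mbit/s slices and their connection state move to sensor 2, and the loads settle at 28 and 34 Mbit/s, both below the on threshold, which is the shape of Figure 7.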
To address this load imbalance, without tampering with the stateful inspection carried out by the NIDS sensors, we use our load balancing mechanism, which allows the migration of state information. The design of the best load balancing algorithm for a parallel NIDS architecture is beyond the scope of this work. Hence, for the purposes of this paper, we used a simple algorithm based on two thresholds and round-robin distribution. A sensor is considered overloaded if it has to analyze over 40 Mbit/s of traffic for more than 5 seconds (on threshold). In this instance, the load balancing algorithm assigns slices of traffic from the overloaded NIDS sensor to the other (not overloaded) sensors in a round-robin way. Meanwhile, the state information related to the reassigned slices of traffic is moved to the new NIDS sensor.

[Fig. 6. Throughput for sensors 1 and 2 without load balancing. X-axis: time [s] (0 to 200); Y-axis: analyzed traffic [Mbit/s] (0 to 60); curves: Sensor 1, Sensor 2.]

[Fig. 7. Throughput for sensors 1 and 2 with load balancing. X-axis: time [s] (0 to 200); Y-axis: analyzed traffic [Mbit/s] (0 to 60); curves: Sensor 1, Sensor 2.]

The results of this simple load balancing algorithm are presented in Figure 7. The network traffic and the initial configuration of the parallel NIDS architecture are identical to the scenario represented in Figure 6 for the first 100 seconds. At this point, the increase of traffic to sensor 1 triggers the load balancing algorithm. It moves some packets to sensor 2 until the traffic of sensor 1 goes below the second threshold, equal to 30 Mbit/s (off threshold). The success of the mechanism is clearly demonstrated by the second part of the experiment, after 100 seconds, in Figure 7.

VI. CONCLUSIONS

Network Intrusion Detection Systems have to perform a complete analysis of the traffic flowing through networks that can easily reach Gbps capacities. We should also consider that a fully reliable analysis requires the NIDS to track and reassemble each distinct connection. Hence, the throughput of monitored traffic and the number of concurrently open connections may represent a limit to the applicability of NIDS to modern and future networks. Any NIDS based on a single component cannot scale over certain thresholds, even if it has some parts built in hardware. Hence, parallel architectures appear as the most valuable alternative for achieving a scalable NIDS. In this paper, we propose a parallel architecture for a NIDS that guarantees stateful analysis, load balancing and high scalability. The proposed architecture represents a significant improvement with respect to previous works. We demonstrate that there is no theoretical limit to increasing the number of components of the parallel architecture. These performance properties come together with low costs and the high flexibility guaranteed by a fully software implementation. Future work is directed to proposing and comparing different load balancing algorithms that may be integrated in the proposed system.
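The two-threshold, round-robin load balancing algorithm of Section V.C (on threshold 40 Mbit/s sustained for more than 5 seconds, off threshold 30 Mbit/s, slices reassigned round-robin together with their connection state), as an added simulation. This is illustration code, not the paper's implementation: the per-slice traffic trace, the connection-state records and the rule of taking slices in ascending slice-id order are constructed assumptions.

```python
from itertools import cycle

ON_THRESHOLD = 40.0   # Mbit/s: above this a sensor is overloaded (on threshold)
OFF_THRESHOLD = 30.0  # Mbit/s: slices leave until the sensor is below this (off threshold)
ON_SECONDS = 5        # the overload must persist for more than this many seconds

def sensor_load(owner, load):
    """Analyzed traffic per sensor: the sum of the per-slice rates it owns."""
    total = {}
    for slc, sensor in owner.items():
        total[sensor] = total.get(sensor, 0.0) + load[slc]
    return total

def migrate(owner, sensor_state, load, src, sensors):
    """Hand slices of `src` to the other sensors round-robin until `src` drops below
    OFF_THRESHOLD. Each slice's connection state moves with it, so the receiving
    sensor keeps inspecting statefully. Assumed policy: ascending slice-id order."""
    targets = cycle([s for s in sensors if s != src])
    moves = []
    for slc in sorted(s for s in owner if owner[s] == src):
        if sensor_load(owner, load).get(src, 0.0) < OFF_THRESHOLD:
            break
        dst = next(targets)
        owner[slc] = dst
        sensor_state[dst][slc] = sensor_state[src].pop(slc)  # state migration
        moves.append((slc, dst))
    return moves

def simulate(trace, owner, sensor_state, sensors):
    """Replay trace[t] = {slice: Mbit/s} second by second; return the per-second
    per-sensor loads and the migrations as (t, slice, from_sensor, to_sensor)."""
    above = {s: 0 for s in sensors}
    history, migrations = [], []
    for t, load in enumerate(trace):
        for s in sensors:
            above[s] = above[s] + 1 if sensor_load(owner, load).get(s, 0.0) > ON_THRESHOLD else 0
            if above[s] > ON_SECONDS:
                migrations += [(t, slc, s, dst) for slc, dst in migrate(owner, sensor_state, load, s, sensors)]
                above[s] = 0
        history.append(sensor_load(owner, load))
    return history, migrations

def demo():
    """Constructed trace: two sensors, eight slices; slice 3 bursts to 20 Mbit/s at t=10."""
    sensors, owner = [1, 2], {**{s: 1 for s in range(4)}, **{s: 2 for s in range(4, 8)}}
    sensor_state = {1: {s: {("10.0.0.1", 40000 + s, "10.0.0.2", 80): "ESTABLISHED"} for s in range(4)},
                    2: {s: {("10.0.0.3", 40000 + s, "10.0.0.4", 22): "ESTABLISHED"} for s in range(4, 8)}}
    quiet = {**{s: 8.0 for s in range(4)}, **{s: 5.0 for s in range(4, 8)}}
    trace = [quiet] * 10 + [{**quiet, 3: 20.0}] * 10
    return (*simulate(trace, owner, sensor_state, sensors), owner, sensor_state)
```

In the constructed trace sensor 1 exceeds the on threshold from t=10, the migration fires at t=15 (the sixth overloaded second) and moves two slices to sensor 2, leaving sensor 1 at 28 Mbit/s and sensor 2 at 36 Mbit/s, both under the on threshold, with the moved slices' connection state now held by sensor 2.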