A Load Balancing Algorithm for High Speed Intrusion Detection



Similar documents
Supply Chain Network Design with Preferential Tariff under Economic Partnership Agreement

3 Energy Non-Flow Energy Equation (NFEE) Internal Energy. MECH 225 Engineering Science 2

CHAPTER 4: NET PRESENT VALUE

Taking DCOP to the Real World: Efficient Complete Solutions for Distributed Multi-Event Scheduling

Ant Colony Algorithm Based Scheduling for Handling Software Project Delay

Your organization has a Class B IP address of Before you implement subnetting, the Network ID and Host ID are divided as follows:

Article Writing & Marketing: The Best of Both Worlds!

Modified Line Search Method for Global Optimization

Generation of Synthetic Data Sets for Evaluating the Accuracy of Knowledge Discovery Systems

How To Calculate Stretch Factor Of Outig I Wireless Network

Asymptotic Growth of Functions

Recovery time guaranteed heuristic routing for improving computation complexity in survivable WDM networks

ODBC. Getting Started With Sage Timberline Office ODBC

SECTION 1.5 : SUMMATION NOTATION + WORK WITH SEQUENCES

The analysis of the Cournot oligopoly model considering the subjective motive in the strategy selection

Section 11.3: The Integral Test

Confidence Intervals for One Mean

PROCEEDINGS OF THE YEREVAN STATE UNIVERSITY AN ALTERNATIVE MODEL FOR BONUS-MALUS SYSTEM

Chapter 6: Variance, the law of large numbers and the Monte-Carlo method

Properties of MLE: consistency, asymptotic normality. Fisher information.

GSR: A Global Stripe-based Redistribution Approach to Accelerate RAID-5 Scaling

Soving Recurrence Relations

In nite Sequences. Dr. Philippe B. Laval Kennesaw State University. October 9, 2008

CDAS: A Crowdsourcing Data Analytics System

The Binomial Multi- Section Transformer

Discrete Mathematics and Probability Theory Spring 2014 Anant Sahai Note 13

The Stable Marriage Problem

A probabilistic proof of a binomial identity

Security Functions and Purposes of Network Devices and Technologies (SY0-301) Firewalls. Audiobooks

arxiv: v2 [math.pr] 13 Oct 2009

Overview. Learning Objectives. Point Estimate. Estimation. Estimating the Value of a Parameter Using Confidence Intervals

Engineering Data Management

GOAL PROGRAMMING BASED MASTER PLAN FOR CYCLICAL NURSE SCHEDULING

Approximating Area under a curve with rectangles. To find the area under a curve we approximate the area using rectangles and then use limits to find

MapReduce Based Implementation of Aggregate Functions on Cassandra

Vladimir N. Burkov, Dmitri A. Novikov MODELS AND METHODS OF MULTIPROJECTS MANAGEMENT

Digital Interactive Kanban Advertisement System Using Face Recognition Methodology

Lecture 2: Karger s Min Cut Algorithm

5.4 Amortization. Question 1: How do you find the present value of an annuity? Question 2: How is a loan amortized?

Systems Design Project: Indoor Location of Wireless Devices

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Lesson 15 ANOVA (analysis of variance)

Evaluating Model for B2C E- commerce Enterprise Development Based on DEA

I. Chi-squared Distributions

CS103A Handout 23 Winter 2002 February 22, 2002 Solving Recurrence Relations

where: T = number of years of cash flow in investment's life n = the year in which the cash flow X n i = IRR = the internal rate of return

.04. This means $1000 is multiplied by 1.02 five times, once for each of the remaining sixmonth

Week 3 Conditional probabilities, Bayes formula, WEEK 3 page 1 Expected value of a random variable

A Cyclical Nurse Schedule Using Goal Programming

Determining the sample size

Incremental calculation of weighted mean and variance

How to use what you OWN to reduce what you OWE

Domain 1: Designing a SQL Server Instance and a Database Solution

1 Correlation and Regression Analysis

Estimating Probability Distributions by Observing Betting Practices

CHAPTER 3 THE TIME VALUE OF MONEY

Hypothesis testing. Null and alternative hypotheses

Plug-in martingales for testing exchangeability on-line

5.3. Generalized Permutations and Combinations

Study on the application of the software phase-locked loop in tracking and filtering of pulse signal

Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Distributed Storage Allocations for Optimal Delay

Optimizing Result Prefetching in Web Search Engines. with Segmented Indices. Extended Abstract. Department of Computer Science.

Throughput and Delay Analysis of Hybrid Wireless Networks with Multi-Hop Uplinks

LECTURE 13: Cross-validation

*The most important feature of MRP as compared with ordinary inventory control analysis is its time phasing feature.

Hypergeometric Distributions

1 Computing the Standard Deviation of Sample Means

Non-life insurance mathematics. Nils F. Haavardsson, University of Oslo and DNB Skadeforsikring

BENEFIT-COST ANALYSIS Financial and Economic Appraisal using Spreadsheets

On the Capacity of Hybrid Wireless Networks

Output Analysis (2, Chapters 10 &11 Law)

On the Throughput Scaling of Cognitive Radio Ad Hoc Networks

Controller Area Network (CAN) Schedulability Analysis with FIFO queues

Ekkehart Schlicht: Economic Surplus and Derived Demand

CHAPTER 3 DIGITAL CODING OF SIGNALS

Example 2 Find the square root of 0. The only square root of 0 is 0 (since 0 is not positive or negative, so those choices don t exist here).

C.Yaashuwanth Department of Electrical and Electronics Engineering, Anna University Chennai, Chennai , India..

Definition. A variable X that takes on values X 1, X 2, X 3,...X k with respective frequencies f 1, f 2, f 3,...f k has mean

Measures of Spread and Boxplots Discrete Math, Section 9.4

5: Introduction to Estimation

A zero one programming model for RNA structures with arc length 4

Lecture 4: Cauchy sequences, Bolzano-Weierstrass, and the Squeeze theorem

DAME - Microsoft Excel add-in for solving multicriteria decision problems with scenarios Radomir Perzina 1, Jaroslav Ramik 2

Annuities Under Random Rates of Interest II By Abraham Zaks. Technion I.I.T. Haifa ISRAEL and Haifa University Haifa ISRAEL.

Present Values, Investment Returns and Discount Rates

Center, Spread, and Shape in Inference: Claims, Caveats, and Insights

Capacity of Wireless Networks with Heterogeneous Traffic

THE HEIGHT OF q-binary SEARCH TREES

How To Solve The Homewor Problem Beautifully

Detecting Voice Mail Fraud. Detecting Voice Mail Fraud - 1

What Is Required? You need to find the final temperature of an iron ring heated by burning alcohol g

MTO-MTS Production Systems in Supply Chains

Transcription:

A Load Balacig Algorith for High Seed Itrusio Detectio LU Sheg, GONG Jia, RUI Suyig Deartet of Couter Sciece ad Egieerig, Southeast Uiversity, Naig, Chia Easter Chia (North) Network Ceter of CERNET (0096) 86-5-36478 {shlu, gog, syrui}@et.edu.c ABSTRACT Load balacig is alied to the develoet of etwork-based Itrusio Detectio Syste (NIDS) to fit the erforace roble caused by traffic i high badwidth etwork. Isired fro the cocet of bit etroy ad bit flow etroy, a ovel load-balacig algorith aed Diesio-based Classificatio Algorith (DCA) is itroduced i this aer. Based o the cotets of fields i IP acket header ad soe sile oeratios, this algorith ca kee the relativities aog ackets i a high badwidth etwork eviroet while distributig workload to differet rocessig ode. It has a fairly good load-balacig feature i both acroscoical ad icroscoical seses for high seed itrusio detectio. The selectio of oeratio ad oerad of DCA is discussed i detailed, ad their efficiecy is evaluated. Keywords Load Balace, Itrusio Detectio, High Badwidth Network, Packet Classificatio, Bit Etroy. Itroductio Cotiued rogress of couicatio techology elarges badwidth of etwork. The traffic i high badwidth etwork icreases fro Mbs to Gbs, which causes a uber of erforace robles i NIDS, ad akes ay traditioal ethods of IDS ufeasible ay ore. Nowadays, attackers ca fid ore ad ore valuable targets i the Net. Network attack icidets kee haeig alost all the tie. So NIDSes have to aalyze ore security related audit data i a shorter istat ever tha before. Meawhile, deliberated attacks becoe ore sohisticated ad seakier, which akes the desig of IDS ore challegig. Detectig algoriths have to be ore colex ad accurate, which would stay abreast of the eergig of etwork attacks. Therefore, the coflict betwee erforace of NIDS ad the arrived ass of ackets ust be dealt with, which is obvious ad exiget i high badwidth etwork. Whe rocessors erforace does ot eet the requireet, usig clustered architecture for load balace is a very coo solutio. But IDS has soe secific requireets of load distributio that should be et. That is, the cotext-sesitive relatioshi aog ackets ust be ket ad the couicatio aog rocessors should be iiized. For exale, soe sohisticated attackers will divide their reote exloit ackets ito fragets; ad NIDSes should have the ability to reasseble those ackets i order to detect such a actio. If oe wats to correlate attacks or itrusios, all the related ackets have to be set to the sae rocessig ode. Those requireets defiitely restrict the selectio of load balacig algoriths for NIDSes. Roud-robi ad soe other traditioal ethods ay ot be fit for such alicatio eviroets. New algorith is required to eet these secial requireets. Isired fro the cocet of bit etroy, this aer rooses a ew load balacig algorith, aed Diesio-based Classificatio Algorith (DCA), to be used i a high badwidth etwork for NIDS ad other alicatios i which the cotext-sesitive feature of flows eed to be ket. With this algorith, a good load balace ca be

Raw Packets First: Packet Filter Secod: Low Precisio Detectio Third: High Precisio Detectio Result Actio Figure : A cascade odel of High Seed Itrusio Detectio achieved ad the itegrity of cotext-sesitive ackets ca be aitaied as well. It should be oted that the algorith discussed i this aer is isuse detectio orieted. I sectio, a cascade odel is itroduced which is tyical cluster structure for high badwidth NIDS ileetatio, ad the basic cocets of DCA are defied. The oeratios ad oerads to be used i DCA are studied i sectio 3. The features of acroscoic ad icroscoic load balace of DCA are discussed i sectio 4 ad sectio 5 resectively. Sectio 6 coares DCA with soe traditioal load balacig algoriths. Soe coclusios are give i sectio 7. Load Balacig for High Seed Itrusio Detectio. A cascade odel There are aroaches to resolve the erforace roble i etwork-based itrusio detectio, oe of which is to sale the ackets at various iterval. However, this ethod has high robability of issig idividual attack, which will brig about high false ositive rate. Therefore, ost of the NIDSes aalyze every acket that they catured i the etwork, but that will robably suffer severe erforace roble whe used i high badwidth etwork, e.g. OC48. To hadle this issue, a cascade odel, show i fig., ca be used. By this way, the frot rocessor filters the ackets i sile way, ad dros all the ackets that are urelated with ay itrusio. The followed rocessors aalyze the ackets left with higher recisio ad do ore colex detectio. Here, higher recisio detectio eas ore cost i storage ad coutatio. Although this cascade odel does soe work, it caot settle all erforace robles. Load-balacig is still eeded i such a architecture, because certai rocessig hase ay still be overloaded o soe occasios, e.g. a traffic burst occurs.. Load balacig Static ad dyaic load balacig algoriths are widely used i ay areas, fro arallel coutig to cluster coutig eviroets. Ad they ca be classified as geoetric based algoriths, grah theory based algoriths ad ode igratio algoriths etc. 3. All of these algoriths focus o task schedule ad task distributio. Load balacig is also used i server cluster eviroet, such as distributed FTP servers, Web server clusters ad so o. These clusterig servers ofte use soe kids of algoriths that eed less couicatio aog odes, e.g. rado, roud-robi, weighted roud-robi, high availability etc. 4 5. There are rograatic algoriths used to select a workig rocessor accordig to IP address or soe other iforatio. Beyod those algoriths, there are also soe solutios used for web load balacig. For exale, irrorig, ulti-hoed/ulti-rovider etwork, cotet distributed server, server cluster etc.

All the load-balacig algoriths etioed above disatch the workload o a cotext-free basis with the ehasis o the load fairess o each rocessor. However, IDS requires that the relatioshi aog ackets caot be lost whe sharig the rocessig load with each rocessor. Therefore, it is ore a classificatio tha ust radoly balacig the workload, so as to kee the itegrity of cotext-sesitive ackets..3 Classificatio based load balace G.Cheg, et.al. roosed a acket classificatio odel which ca be used for salig etwork traffic i high badwidth etwork. With this odel, certai bits i acket are used to classify ackets ito differet grou for rocessig, so that the effect of load balacig is achieved. The chose bits, e.g. Idetificatio field i IP acket header, have a good radoess, ad are suitable for salig. The seciality of this odel is that it ca aitai the cosistecy of the ackets saled at differet salig oit. That is, if oe acket is saled at a oit, it will be saled at all the oits, with which acket ca be distiguished ad classified i high seed. This feature ca be alied to IDS load balace. Istead of selectig a set of sales by secific bits value, oe ca ust searate the set of ackets ito subsets by the value of a bit or a set of bits, so that these ackets are groued for load balacig while the (cotext-sesitive) relativity aog the is reserved. Geerally, if oe wats to sale the sae traffic with differet salig rate Aratio ad Bratio (Aratio >= Bratio), the forula ust be satisfied. Ω () ( Aratio) Ω( Bratio) I this forula, is the set of sales uder give salig ratio 6. But i load balacig algorith, if there are rocessors with IDs fro to, ad (i) is the ackets set that the ith rocessor deals with. The the forula should be satisfied (I is corora, is ety set). U i= Ω( i) = I i,, i,, i, Ω( i) I Ω( ) = Φ Usig the cocets of Field, Rule List, etc. defied i 7, the basic idea of load balace usig acket classificatio ca be forally described as below : i Packet Classificatio (PC): PC(O,, M )->i, {,,, }; is the uber of rocessors}; where three oeratios are ivolved. Field Geerate Oeratio (O) O(F, F,, F)->F F F F are fields i acket P. O is a oeratio o F~F. F is a set of bits, which is the result of oeratio O. Let F be a secific field of IP header i this secific cotext. Classificatio Oeratio ( ): (R, F)->R R={R, R,, R} F is the result of oeratio O. R is a subset of R, ad is the result of oeratio. Maig Oeratio (M) M(R)->i R =, i secific cotext. {,,, } is required i this Obviously, each acket should sed exactly to oe rocessor ( R =), ad each rocessor should be set soe ackets aggregated by the sessios which beloged to for rocessig ( R =). It is assued that the rocessors are hoogeeous because NIDS is suosed to be ileeted with a cluster i this secific cotext. For hoogeeous rocessors, balace of task schedule is ost sigificat while ubalace aog rocessors will decrease the total ability of the rocessor cluster rearkably. Therefore the task each rocessor takes ust be alost i sae quatity i order to achieve a good load balace i both acroscoical ad icroscoical scoes. We do ot use the whole defiitio set of 7, because ot all the cocets are required i the aer. ()

.4 Diesio-based Classificatio Algorith 3 Selectio of Oeratios ad Oerads i DCA With the cocets described above, the diesio-based classificatio algorith (DCA) ca be defied geerally as followig: For each icoig acket P ) Get the values of F, F,, F i P; ) Perfor the oeratio O o F, F,, F, ad gai the result field F; 3) Accordig to the rule set R ad field F, do the classificatio oeratio, ad gai a result rule set R; 4) Based o a redefied aig oeratio M, a the result rule set R to a classificatio uber i (i=m(r)); 5) Usig the classificatio uber i, assig P to ith rocessor. Notice: ay well-kow acket classificatio algoriths, e.g. give i 9, could be directly used i ste 3. Fro above oe ca see that o couicatio aog rocessors is required whe dealig with the icoig acket. The relatioshi aog ackets will be assured by the selectio of oeratio O ad field Fi ( i ) sice the cotext-sesitive relatioshi is aitaied by ivariat of field. For exale, for the segeted IP acket, ost of the acket header cotet will be the sae; ad for a TCP sessio, all ackets will at least have sae source IP address ad destiatio IP address. Because R =, the iteger i is ust the idetificatio of the rocessor which will hadle the acket P, so that aig oeratio M will be very sile. Therefore, the selectio of Fields Fi, Field Geerate Oeratio O, ad Rule Set R becoe the key oits of the algorith. 3. Bit Etroy ad Bit Flow Etroy Etroy, a iortat cocet of iforatio theory, is beig used to easure radoess of various rado exeriets, ad this cocet ca be exteded to estiate bit radoess as well. The followig cocets are fro. Defiitio : Bit Etroy, the etroy value of a bit, is defied as: H ( b) = ( log + ( )log ( )) Where is the robability of b=0, ad (-) is the robability of b=. H(b) is the average ideteriacy of bit occurreces ad ca be used as a etrics of the radoess of bit b. The robabilities of bit b=0 or b= are alost the sae, so that for higher stochastic bit b, its bit etroy is larger ad vice versa. Meawhile, H(b) reresets the average aout of iforatio that each bit rovided withi a bit strea, so it is also a etrics of iforatio easureet. I reality, a flow of bits is ore useful tha a sigle bit, so that the radoess of a bit flow ust also be defied. Defiitio : Bit Flow Etroy is defied as: H ( s) = s i= 0 i log i, where s is the legth of a bit flow which has = s evets all together, ad 0,,..., - are robabilities of each evet. Accordig to the Maxial Bit Flow Etroy Theore, the axiu of bit flow etroy is Hax(s)=s. The the Iforatio Efficiecy E of a bit flow is defied by as: defies the legth of s as += s the bit flow fro 0 to. We defies the legth of s is, the bit flow fro 0 to -.

Table Truth table of two bits oeratios 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A B 0 & A B B A Defiitio 3: Iforatio Efficiecy E of A Bit Flow, a etric of bit flow radoess, is the ratio betwee H(s) ad Hax(s) : E = H ( s) / H ax ( s) = H ( s) / s. The istace of DCA is defiitely deteried by the selectio of oerators ad oerads, which could be see as the arguets of algorith. To choose best-fit fields i a acket whe istace a algorith, bit etroy ad bit flow etroy aalysis is a very useful ethod. Larger bit flow etroy of a field is a strog assurace of good acroscoic load balace. After fields ad oeratios are decided, aother erforace etric of icroscoic load balace will be cosidered. 3. Selectio of Fields Fi ad Field Geerate Oeratio O The DCA does ot use the fields i acket directly, but a result of a oeratio o the istead. Because the result of a bit flow oeratio is also a bit flow (field), its Iforatio Efficiecy E could also be used to test such a secial field. The Maxial Bit Flow Etroy Theore shows that the Iforatio Efficiecy E of a bit flow is satisfied if ad oly if all the coosig bits of this bit flow have large Bit Etroy. That is, good stochastic field is coosed of good stochastic bits. To fid good oeratios ad good fields for DCA, oe ca look at two bits oeratios first. There are oly = 6 two bit oerads show i table. tyes of oerators betwee If the result of the oeratio is all 0 or, the etroy of result bit is 0. It is obvious that such two oeratios are t fit for DCA. There are 8 tyes of oeratios that the ratio of 0 ad i result is 3: or 3 :3 ( C 4 + C4 ). For those oeratios, if the etroies of A ad B are both large ad the correlatio betwee A ad B is early zero, the differece of the ratio of 0 ad i the result could be sigificat, so that the etroy of result bit should ot be large eough. Of course, oe could try to gai a large result etroy by usig those oeratios whe the etroies of A ad B are both less. For exale, if both A ad B have high robability of beig, the bit etroy of the result of oeratio (A & B) could be uch larger tha that of A or B. However, it is very difficult to fid the bit A ad bit B that has such a strage characteristics to be used to those oeratios. So, usig the oeratios which have two 0s ad two s i result is a ore reasoable choice. There are oly six (C 4 ) tyes of oeratios have such feature. For oeratios A both as sae as ad A A, the bit etroies are s bit etroy, because H ( A) = (( )log ( ) + log ) = H ( A). For the sae reaso, the bit etroies of oeratios B ad B oeratio B are both as sae as the bit etroy of. Thus, there are oly two tyes of oeratios with sae etroy will eed to be aalyzed. They are exclusive OR (XOR) ad NOT exclusive OR. Let the robability that result equals to is, is the robability of A = ad is the robability of + )( =. Suose that there is o correlatio betwee ad, the = of is: B A ( ) B, ad the etroy

H = ( )( ( )( log log ) log ( ) ) log ( ) 3.3 Choose Rule Set R, Classificatio Oeratio ad Maig Oeratio M 0.75 0.5 0.5 0 For (0,) ad is show as figure. Because 0. (0,), the etroy of The axiu oit is outed at = = 0.4 0.5, where the etroy H equals to. H + = l + l 0.6 0.8 Figure Bit Etroy of Two Bits Exclusive OR tha 0 i area (0,) ad shows as a arch structure. will less (0,), so that H With the discussio above, oe ca draw the coclusio that if fields with large Iforatio Efficiecy are chose ad XOR or NOT XOR oeratios are used over the, the Iforatio Efficiecy of the result will be good. Fortuately, those fields we eed to kee the relativities aog ackets all have good bit flow etroy ad Iforatio Efficiecy, such as source IP address, destiatio IP address, source ort, destiatio ort, IP idetificatio field ad so o. 0. 0.4 0.6 0.8 There are less costraits about the selectio of rule set R, classificatio oeratio ad aig oeratio M. If these oeratios do ot ifluece the efficiecy of load balacig, the siler, the better. A sile ethod described below is effective. Choose log ( ust be a exoetial of ) bits i field F based o the uber of rocessors, ad select the rocessors by those bits. For exale, it would select two bits to deote 0~3 whe equals to 4, or select three bits to deote 0~7 whe equals to 8. If there are rocessors, R={R, R,, R}, each Ri is a sequece of bits with legth R={0..0, 0..,,..} (each rule of R has, as bits). The aig oeratio is ust the EQUAL, usig the value of Ri directly. log log Classificatio oeratio could be ay oe as log as it eets the erforace ad recisio requireet of the roble, so it will ot be discussed i this aer ay ore. I the followig discussio, oly fields Fi ad field geerate oeratio O will be cocered. 4 Macroscoic Load Balace of DCA To coare the load balacig erforace of istaces with differet arguets, soe etrics are eeded. I this aer, two tyes of etrics are ut forward, acroscoic etric ad icroscoic etric. Macroscoic etric is ust the radoess of ackets. If the ackets dealt to the rocessors with siilar robability, it is axioatic that each rocessor will hadle the ackets with alost sae aout i a log eriod. I this sectio, we will show that DCA ca achieve good load balace i acroscoy (i a log

Bit Etroy eriod) by choosig the arguets roerly. Because the calculatio of the acroscoic load balace is very sile, it would also be a good way to select the fields ad field geerate oeratio for a istace of DCA. 67,870,553 ackets were aalyzed that gaied fro CERNET backboe i oe week with the static iterval of duig all ackets i secods for every 75 secods. Oly those fields that kee the relative iforatio of the ackets will be aalyzed, which yields to differet algoriths. Algorith : Let F be the idetificatio field of IP head, field geerate oeratio O be EQUAL. O: (=, F) 3 Bit Etroy of IP Idetificatio Field 0.8 0.6 0.4 0. 0 3 4 5 6 7 8 9 0 3 4 5 6 Bit Idetificatio of IP Figure 3 Bit Etroy of IP Idetificatio Field had gaied a coclusio that idetificatio field of IP header has very good Iforatio Efficiecy. Figure 3 roved such declaratio. This field is aalyzed ust because it ivolved i soe attacks toward TCP/IP rotocol ileetatios. Of course, the highest bit is ot a fair bit that would be chose. Algorith : Let F be the source IP address, F be destiatio IP address, ad field geerate oeratio O be exclusive OR (XOR). O=(^, F, F) Both Source IP address ad destiatio IP address are good stochastic variables. Figure 4 shows bit etroies of source IP address, destiatio IP 3 O is rereseted by s-exressio leaded by oerator, Bit Etroy Bit Etroy ad IE 0.8 0.6 0.4 0. 0.95 0.9 0.85 Bit Etroies of IP Addresses ad XOR Result of IP Addresses 5 9 3 7 Bit 5 9 Source IP Address Dest i Address XOR Result of IP Addresses Figure 4 Bit Etroies of IP Addresses ad XOR Result of IP Addresses Bit Etroies ad IE of Lower Bits i IP Head 3 5 7 9 Bit 3 5 Source IP Dest address ad the result of XOR oeratio betwee the. i XOR Result of IP Addresses IE of XOR Oeratio Figure 5 Bit Etroies ad IE of Lower Bits i IP Head The etroies of lower 6 bits ad the Iforatio Efficiecies (IE) of lower 7 bits are show i figure 5. (The Iforatio Efficiecy oit at the 6th bit is the Iforatio Efficiecy of the 6th bit, The Iforatio Efficiecy oit at the 5th bit is the Iforatio Efficiecy of the bit flow cosisted of the 5th bit ad the 6th bit, ad so o) Figure 5 illustrates that the etroy of the result is better tha ay other oerads. It eas that the XOR oeratio will aeliorate the radoess of bit flows. Algorith 3: Let F be source ort field, F be destiatio ort field, ad field geerate oeratio O be XOR. O=(^, F, F) Algorith 4: Let F be source IP address, F be sae as i other algoriths descritio

Iforatio Efficiecy Bit Etroy 0.9 0.8 0.7 0.6 0.5 0.9999 0.9998 0.9997 0.9996 0.9995 destiatio IP address, F3 be source ort, F4 be destiatio ort, ad field geerate oeratio O be XOR. O=(^, F, F, F3, F4) Bit Etroies of Ports ad XOR Result of Ports 3 5 7 Port fields are used i algorith 3 ad algorith 4. Figure 6 illustrates the etroies of source ort, destiatio ort, result of XOR oeratio betwee orts ad result of XOR oeratio aog orts ad addresses. It roves that use XOR oeratio o good stochastic field, the etroy of the result will becoe larger. 9 Bit 3 5 Figure 6 Bit Etroies of Ports ad XOR Result of Ports Source Port Destiatio Port XOR of Ports XOR of Ports ad Addresses The Iforatio Efficiecy of last seve bits is show i figure 7. The oit at the 6th bit is the Iforatio Efficiecy of the 6th bit, the oit at the 5th bit is the Iforatio Efficiecy of the bit flow cosisted i the 5th bit ad the 6th bit, ad so o. IE of XOR of IP Addresses ad Ports 0 3 4 5 6 Bit IE source IP address ad destiatio IP address will be assiged to sae rocessor. Algorith 4 will roise that all ackets i oe TCP sessio will be assiged to sae rocessor, ad both of the would achieve good load balace. They both fit for high seed itrusio detectio ad other eviroet where such features are eeded. But it is very hard to iage the usage of algorith 3. 5 Microscoic Load Balace of DCA Good bit etroy ad Iforatio Efficiecy roise a good acroscoic load balace, but they caot assure the load balace i icroscoicy (short tie eriod). Ad soe other etrics i arallel coutig caot be used also, for exale the achie balace etric ad other becharks 0. Two easures of load balace i dealig with ackets are defied to settle this roble, with the basic idea borrowed fro 5. The basic defiitios of this two easures are sae as i 5, but the fial etrics has bee chaged accordigly to be alicable for acket ad flow. Defiitio 4: loadi, - Load of rocessor i (of rocessors) at the th salig oit (of such oits) eak_load - highest load o ay rocessors at the th salig oit ead_to_ea ratio:- ( eak _ load i= load i, ) / LBM(Load Balace Metric) - Figure 7 Iforatio Efficiecy of Algorith 4 Figure 7 tells if ore bits are used, the Iforatio Efficiecy will decrease. It eas that icreasig the uber of rocessors will decrease the acroscoic load balace. For all of the algoriths etioed above, algorith will guaratee that all ackets with sae

Load Balace Metrics Load Balace Metrics 5 4 3 5 4 3 = = ( eak _ load ( ) ( load ) / = i= eak _ load = i= = i= load i, i, load i, ) / i= / load i, ) (3) The aor differece betwee 5 ad this aer is the defiitios of loadi,. si,(acket er secod) ad bsi,(bits er secod) are defied here for differet usages. Two tyes of LBMs are discussed, PLM (s Load Balace Metric) ad BLM (bs Load Balace Metric). Load Balace Metrics of Algorith 4 8 6 3 64 8 The PLM ad BLM of algorith are show i figure 8, ad the PLM ad BLM of algorith 4 are show i figure 9. Nuber of Processors Figure 8 LBM of Algorith Load Balace Metrics of Algorith 4 4 8 6 3 64 8 Nuber of Processors Figure 9 LBM of Algorith 4 PLM BLM PLM BLM These two figures show that the icreasig of the uber of rocessors decrease the icroscoic load balace. This coclusio is siilar to the oe obtaied fro acroscoic aalysis. Coarig figure 8 with figure 9, it is clear that the icroscoic load balace of algorith 4 is better tha that of algorith. It is aother roof that usig ore stochastic variable will irove the load balace. 6 Coclusio DCA deals the ackets to differet rocessors. It is very siilar with the algoriths i server cluster, but quite differet fro the algoriths i arallel coutig. Because the arrival seed of the ackets is uch faster tha ay other requests i server cluster, it lacks the tie of couicatio aog rocessors, so that the couicatio ust be restricted to alost oe. Based o fields i IP acket header ad the cocets of bit etroy ad bit flow etroy, this ovel load-balacig algorith ca kee the relativities aog ackets. Ad with a cascade odel, DCA ca be alied a NIDS i a very high badwidth etwork eviroet. The load-balacig features of DCA i both acroscoical ad icroscoical seses are aalyzed i the aer. It is show that the higher the radoess of the bits chose, the better the balace achieved. Ad the XOR oeratio ca also give hel to irove the acroscoical balace. Both the acroscoical ad icroscoical aalysis shows that the size of the cluster used to balace the work is liited, ad the best uber of ode is betwee 4 to 8 i cotext-free eviroet. However, this coclusio also suggests that if soe cotext is itroduced, e.g. the curret workload of odes, or the redictio of workload i certai eriod of tie, the size of the cluster could be exaded, which eas that ore workload could be hadled. The algorith described i the aer ot oly ca be used i high seed Itrusio Detectio Syste, but also ca used i ay other situatio eed to kee the relativities aog ackets, for exale, the

geeratio of flow, flow aalysis etc. i etwork easureet. Refereces CHENG Guag, GONG Jia, DING Wei, Network Traffic Salig Measureet Model o Packet Idetificatio, Acta Electroica Siica (Tie Tzu Hsueh Pao), Vol.30, No.A, Dec. 00: 89-93(i Chiese) Jaes Caady, Itrusio Detectio Caabilities ad Cosideratios, Global Iforsecurity 00 3 Y. F. Hu, R. J. Blake, Load Balacig for Ustructured Mesh Alicatios, Parallel ad Distributed Coutig Practices, Vol., No. 3, Seteber 999 4 Growig Your E-Busiess with IBM Server Load Balacig ad Cachig ebedded solutios, IBM White Paer. htt://www.etworkig.ib.co/white/serverload.ht l 5 Richard B. But, Derek L. Eager, Gregory M. Oster, ad Carey L. Williaso, Achievig Load Balace ad Effective Cachig i Clustered Web Servers, Proceedigs of the forth Iteratioal Web Cachig Worksho, Sa Diego, Califoria, Aril 999, 59-69 6 CHENG Guag, GONG Jia, DING Wei, A Tie-series Decoosed Model of Network Traffic Macro-Behavior Aalysis, Acta Electroica Siica (Tie Tzu Hsueh Pao), Vol.30 No., Nov. 00(i Chiese) 7 Sudar Lyer, Raaa Rao Koella, Ait Shelat, ClassiPI: A Architecture for Fast ad Flexible Packet Classificatio, IEEE Network, March/Aril 00,.33-4 8 IP Deial-of-Service Attacks, CERT Advisory, CA-997-8 9 Paka Guta, NIck McKeow, Algoriths for Packet Classificatio, IEEE Network, March/Aril 00,.4. 0 Kai Hwag, Zhiwei Xu, Scalable Parallel Coutig: Techology, Architecture, Prograig, Chia Machie Press, ISBN 7--0776-X,.9, May. 999

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information