Load Balancing for High Speed Parallel Network Intrusion Detection

Network intrusion detection systems (NIDS) are deployed near network gateways to analyze all traffic entering or leaving the network. The traffic at such locations is frequently transmitted in such volumes and speeds that a commodity computer quickly becomes overwhelmed. NIDS must be able to handle all of the traffic available. The SPANIDS platformaddresses this problem with a custom hardware load balancer that spreads traffic over several NIDS sensors. The load balancer ensures that sensors do not become overloaded by shifting traffic between sensors while maintaining network flow continuity when possible. The balancer must be resistant to attacks designed to overwhelm it. This work outlines the design of the SPANIDS load balancer and evaluates its performance using simulation. Several design points are examined, including overload detection, locating overload causes, and several overload avoidance techniques. The simulation results confirm the viability of the SPANIDS architecture for scalable parallel network intrusion detection.