Viable Network Intrusion Detection

Network intrusion detection systems (NIDS) continuously monitor network traffic for malicious activity, raising alerts when detecting attacks. However, high-performance Gbps networks pose major challenges for these systems, and despite vendor promises they often fail to work reliably in such environments. In this work, we set out to understand the trade-offs involved in network intrusion detection, and we mitigate their impact on operational security monitoring. We base our study on extensive experience with several large-scale network environments where immense traffic diversity requires any NIDS to deal robustly with unexpected situations. We devise new mechanisms for a popular open-source NIDS that allow the operator to trade-off the quality of the detection with the system's resource demands, and we enable the NIDS to transparently share its state across instances, thereby multiplying the available amount of resources. We also improve the precision of the NIDS's detection by enabling it to incorporate different kinds of network context into its analysis.