NIDS architecture for clusters

Abstract

Intrusion detection is a security concept implemented on networks in various academic and commercial solutions. Most of them rely on sensors dedicated to local area networks or Internet. However clusters rely heavily on networks. Because of their uniformity, they are sensible to attacks: one compromised node can lead to the control of whole cluster. In order to solve such security issues, we purpose a NIDS architecture which addresses the same constraints as a cluster: efficiency, scalability and reliability. It is based on the cluster paradigm. We stress on the facts that network packets must be dispatched according to streams and analysis must be load-balanced at process level. Moreover two types of practical parallel analysis are presented, depending on the type of flows. Finally, we discuss implementations and dimensioning issues