A Scalable Distributed IDS Architecture for High Speed Networks
As networks become faster, there is a need for security analysis techniques that can keep up with the increased network throughput. Traditional centralized approaches to traffic analysis cannot scale with advances in bandwidth, mainly because of their memory and computational requirements. In the last few years a number of distributed architectures have been proposed for dedicated network monitoring tasks, but they do not scale in the context of high-speed networks. This paper presents an optimized, scalable distributed architecture that is about 10 times faster than the centralized architecture. The solution is based on a switch-based traffic-splitting approach that supports intrusion detection on high-speed links by balancing the traffic load among several sensors running Snort.
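The abstract does not say how the switch decides which sensor receives a given packet. One constraint any such splitter must satisfy is that every packet of a flow, in both directions, reaches the same Snort sensor; otherwise Snort's stream reassembly and stateful rules see only half a conversation and miss attacks that span it. Packet-level round-robin would balance load perfectly but breaks exactly this property. The following Python script is an added illustration, not code from the paper: it models a direction-independent 5-tuple hash splitter over constructed sample traffic and checks the flow-pinning property. The function names, the choice of SHA-256 (a real switch uses a cheaper hardware hash) and the sample addresses are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Packet: a dict with src, sport, dst, dport, proto (constructed sample data).


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent 5-tuple: the lower (ip, port) endpoint is put
    first so that a request and its reply produce the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if a > b:
        a, b = b, a
    return (proto,) + a + b


def sensor_for(key, n_sensors):
    """Map a flow key to one of n_sensors. SHA-256 is used only because it
    is available everywhere; a switch would use a cheap hardware hash."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors


def split_traffic(packets, n_sensors):
    """Assign each packet to a sensor queue. Returns {sensor_id: [packets]}."""
    queues = defaultdict(list)
    for p in packets:
        key = flow_key(p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        queues[sensor_for(key, n_sensors)].append(p)
    return dict(queues)


def flows_are_pinned(packets, n_sensors):
    """The property Snort needs: every packet of a flow, in either
    direction, is delivered to the same sensor."""
    seen = {}
    for p in packets:
        key = flow_key(p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        sensor = sensor_for(key, n_sensors)
        if seen.setdefault(key, sensor) != sensor:
            return False
    return True


def make_sample_traffic(n_flows):
    """Constructed sample: n_flows TCP connections to one web server, each
    consisting of a client->server packet and the server->client reply."""
    packets = []
    server = "192.0.2.10"
    for i in range(n_flows):
        client = f"10.0.{i // 256}.{i % 256}"
        sport = 40000 + i
        packets.append({"src": client, "sport": sport, "dst": server,
                        "dport": 80, "proto": 6})
        packets.append({"src": server, "sport": 80, "dst": client,
                        "dport": sport, "proto": 6})
    return packets


if __name__ == "__main__":
    pkts = make_sample_traffic(300)
    queues = split_traffic(pkts, 4)
    print("flows pinned to one sensor:", flows_are_pinned(pkts, 4))
    for sid in sorted(queues):
        print(f"sensor {sid}: {len(queues[sid])} packets")
```

Because the hash is computed over the sorted endpoint pair, both directions of a connection always land on the same queue, so every sensor's packet count is even in this sample. Load balance is statistical rather than exact: a few very large flows can still overload one sensor, which is the usual trade-off of flow-hash splitting against per-packet round-robin.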