• DocumentCode
    3108715
  • Title

    Performance assessment of a distributed intrusion detection system in a real network scenario

  • Author

    D'Antonio, Salvatore ; Formicola, Valerio ; Mazzariello, Claudio ; Oliviero, Francesco ; Romano, Simon Pietro

  • Author_Institution
    Dipt. delle Tecnol., Parthenope Univ. of Napoli, Napoli, Italy
  • fYear
    2010
  • fDate
    10-13 Oct. 2010
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    The heterogeneity and complexity of modern networks and services urge the requirement for flexible and scalable security systems, which can be dynamically configured to suit the ever-changing nature of security threats and user behavior patterns. In this paper we present a distributed architecture for an Intrusion Detection System, allowing for traffic analysis at different granularity levels, performed by using the best available techniques. Such architecture leverages the principle of separation of concerns, and hence proposes to build up a system comprising entities specialized in performing different tasks, appropriately orchestrated by a broker entity playing the crucial role of the mediator. This paper stresses the point that a distributed system, besides being inherently more scalable than a centralized one, allows for better detection capabilities thanks to the effective exploitation of the inner heterogeneity of the involved detection engines. In order to support our findings, we will describe the design, implementation and deployment of the proposed solution in the framework of the INTERSECTION FP7 European Project.
  • Keywords
    computer network security; INTERSECTION FP7 European Project; distributed architecture; distributed intrusion detection system; performance assessment; security systems; security threats; traffic analysis; Computer architecture; Delta modulation; Engines; Intrusion detection; Measurement; Probes; Protocols; Distributed Systems; Intrusion Detection; Network security and protection;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Risks and Security of Internet and Systems (CRiSIS), 2010 Fifth International Conference on
  • Conference_Location
    Montreal, QC
  • Print_ISBN
    978-1-4244-8641-0
  • Electronic_ISBN
    978-1-4244-8642-7
  • Type

    conf

  • DOI
    10.1109/CRISIS.2010.5764922
  • Filename
    5764922