Title :
A novel scaleable architecture for intrusion detection and mitigation in switched networks
Author :
Witzke, Edward L. ; Tarman, Thomas D. ; Ghosh, Sumit ; Woodard, Gerald
Author_Institution :
Adv. Networking Integration Dept., Sandia Nat. Labs., Albuquerque, NM, USA
Abstract :
High-speed, switched networks present scalability challenges to a network intrusion detection system, both in terms of the volume of data that must be analyzed, and the extent to which sensors must be inserted into the switched network to achieve comprehensive visibility. An architecture that uses a single point for intrusion assessment would quickly become overwhelmed with incoming event data from intrusion sensors that are deployed on even a moderate number of high-speed links. This is particularly true if an earnest attack (generating many events in a short period of time) is underway. The authors propose a novel architecture that hierarchically distributes the assessment function into two assessment categories: tactical assessment, and strategic assessment. The tactical assessment function provides low-level event correlation and decision making for a small sub-network (e.g., a department LAN, an ATM switch peer group, etc.), and is capable of providing fast, real-time response when millisecond response times are required due to network attacks. The strategic assessment function, on the other hand, implements high-level event correlation, which is useful when a larger view of the network is required (e.g., for low intensity or distributed attacks). The tactical assessment engines interface to the strategic assessment engine by filtering and summarizing low-level events, ensuring that the strategic assessment engine's workload remains manageable. This paper describes the distributed intrusion assessment architecture in more detail, presents a few application scenarios that benefit from hierarchical attack assessment, and summarizes ongoing work in developing prototype components for this architecture.
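The two-tier assessment described in the abstract, as an added illustration that is not code from the paper or from the Sandia prototype: each `TacticalEngine` (one per sub-network) correlates raw sensor events in a sliding window and blocks a source that bursts past a local threshold, then forwards only a per-source count summary upward; the single `StrategicEngine` correlates those summaries across sub-networks and flags a source that stays below every local threshold but touches several sub-networks (a low-intensity, distributed probe). Class names, field names, thresholds and the sample events are all assumptions made for this example.

```python
"""Hierarchical (tactical/strategic) intrusion assessment, illustrative only."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One low-level sensor event (constructed format, not the paper's)."""
    ts: float      # seconds
    subnet: str    # which tactical domain (e.g. a department LAN) saw it
    src: str
    dst: str
    kind: str      # e.g. "syn", "probe"


@dataclass
class Summary:
    """What a tactical engine sends upward: counts, not raw events."""
    subnet: str
    t_start: float
    t_end: float
    per_src: dict   # src -> number of events seen in this sub-network
    raw_events: int


class TacticalEngine:
    """Low-level correlation for one sub-network with fast local response."""

    def __init__(self, subnet, window=1.0, burst_threshold=10):
        self.subnet = subnet
        self.window = window                  # sliding window, seconds
        self.burst_threshold = burst_threshold
        self._recent = defaultdict(list)      # src -> timestamps inside window
        self._counts = defaultdict(int)       # src -> total events (for summary)
        self._blocked = set()
        self.raw_events = 0
        self._t_start = None
        self._t_end = None

    def ingest(self, ev):
        """Return 'block' the first time a source exceeds the burst threshold, else None."""
        assert ev.subnet == self.subnet, "event routed to the wrong tactical engine"
        self.raw_events += 1
        self._counts[ev.src] += 1
        self._t_start = ev.ts if self._t_start is None else self._t_start
        self._t_end = ev.ts
        stamps = self._recent[ev.src]
        stamps.append(ev.ts)
        while stamps and ev.ts - stamps[0] > self.window:   # expire old stamps
            stamps.pop(0)
        if len(stamps) >= self.burst_threshold and ev.src not in self._blocked:
            self._blocked.add(ev.src)
            return "block"                    # millisecond-scale local decision
        return None

    def summarize(self):
        """Compress everything seen so far into one record for the strategic tier."""
        return Summary(self.subnet, self._t_start, self._t_end,
                       dict(self._counts), self.raw_events)


class StrategicEngine:
    """High-level correlation over summaries from many sub-networks."""

    def __init__(self, min_subnets=3):
        self.min_subnets = min_subnets
        self._src_subnets = defaultdict(set)  # src -> sub-networks it appeared in
        self.summaries_received = 0

    def ingest(self, summary):
        self.summaries_received += 1
        for src in summary.per_src:
            self._src_subnets[src].add(summary.subnet)

    def distributed_sources(self):
        """Sources seen in >= min_subnets sub-networks, however few events each."""
        return sorted(s for s, nets in self._src_subnets.items()
                      if len(nets) >= self.min_subnets)


def build_events():
    """Constructed sample traffic: one local burst plus one slow distributed scan."""
    events = [Event(100.0 + i * 0.04, "lan-a", "10.0.1.5", "10.0.1.20", "syn")
              for i in range(12)]                       # 12 SYNs in 0.44 s
    t = 200.0
    for net, dst in (("lan-a", "10.0.1.10"), ("lan-b", "10.0.2.10"), ("lan-c", "10.0.3.10")):
        for _ in range(2):                              # 2 probes per sub-network, 5 s apart
            events.append(Event(t, net, "198.51.100.9", dst, "probe"))
            t += 5.0
    return events


def run_scenario():
    tactical = {n: TacticalEngine(n) for n in ("lan-a", "lan-b", "lan-c")}
    strategic = StrategicEngine()
    local_actions = []
    for ev in sorted(build_events(), key=lambda e: e.ts):
        action = tactical[ev.subnet].ingest(ev)
        if action:
            local_actions.append((ev.subnet, ev.src, action))
    for engine in tactical.values():                    # only summaries go upward
        strategic.ingest(engine.summarize())
    return {"local_actions": local_actions,
            "distributed": strategic.distributed_sources(),
            "raw_events": sum(e.raw_events for e in tactical.values()),
            "summaries": strategic.summaries_received}


if __name__ == "__main__":
    print(run_scenario())
```

In this run the burst from 10.0.1.5 is blocked inside lan-a without the strategic tier ever seeing the individual events, while 198.51.100.9 never trips a tactical threshold (two events per sub-network) and is caught only because the strategic engine sees it in three summaries; 18 raw events collapse to 3 summary records on the upward link.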
Keywords :
asynchronous transfer mode; correlation methods; local area networks; packet switching; security of data; telecommunication security; ATM networks; ATM switch peer group; decision making; department LAN; distributed attacks; distributed intrusion assessment architecture; event data; filtering; high-level event correlation; high-speed links; high-speed switched networks; intrusion mitigation; intrusion sensors; low intensity attacks; low-level event correlation; network architecture; network attacks; network intrusion detection system; real-time response; scaleable architecture; strategic assessment engine; sub-network; tactical assessment engines; Asynchronous transfer mode; Decision making; Delay; Engines; Filtering; Intrusion detection; Local area networks; Scalability; Sensor systems; Switches;
Conference_Titel :
MILCOM 2002. Proceedings
Print_ISBN :
0-7803-7625-0
DOI :
10.1109/MILCOM.2002.1180474