vNIDS Conference Paper


  • © 2018 Association for Computing Machinery. Traditional Network Intrusion Detection Systems (NIDSes) are generally implemented on vendor-proprietary appliances or middleboxes with poor versatility and flexibility. Emerging Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies can virtualize NIDSes and elastically scale them to deal with attack traffic variations. However, such an elasticity feature must not come at the cost of decreased detection effectiveness and expensive provisioning. In this paper, we propose an innovative NIDS architecture, vNIDS, to enable safe and efficient virtualization of NIDSes. vNIDS addresses two key challenges with respect to effective intrusion detection and non-monolithic NIDS provisioning in virtualizing NIDSes. The former challenge is addressed by detection state sharing while minimizing the sharing overhead in virtualized environments. In particular, static program analysis is employed to determine which detection states need to be shared. vNIDS addresses the latter challenge by provisioning virtual NIDSes as microservices and employing program slicing to partition the detection logic programs so that they can be executed by each microservice separately. We implement a prototype of vNIDS to demonstrate the feasibility of our approach. Our evaluation results show that vNIDS could offer both effective intrusion detection and efficient provisioning for NIDS virtualization.

name of conference

  • Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

published proceedings

  • Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

author list (cited authors)

  • Li, H., Hu, H., Gu, G., Ahn, G., & Zhang, F.

citation count

  • 21

complete list of authors

  • Li, Hongda; Hu, Hongxin; Gu, Guofei; Ahn, Gail-Joon; Zhang, Fuqiang

publication date

  • October 2018