Bro-Intelligent Load Balancer Towards Terabit-Scale Cyber-Security
Department of Energy
Agency Tracking Number:
Solicitation Topic Code:
Small Business Information
Reservoir Labs, Inc.
632 Broadway Suite 803, New York, NY, 10012-2614
Socially and Economically Disadvantaged:
Jordi Ros Giralt
AbstractIn an increasingly hostile computing environment, Network Intrusion Detection Systems (NIDS) serve an indispensable role in preserving the integrity of computer networks. This comes to manifest as the DOE is working at a national level to secure a number of strategic network entry points using Bro [DOE06, DOE09], a powerful NIDS developed by the networking group at the International Computer Science Institute (ICSI) in Berkeley, California. Existing NIDS such as Bro, however, have been for the most part deployed as single-node appliances protecting a specific network asset. This architecture is being driven to a breaking point by two independent realities: first, as network data-rates increase, single-node NIDS boxes are being overwhelmed by the quantity of computation they must perform to continuously secure the network; second, as attacks become ever more sophisticated, NIDS have to incorporate more complex traffic analysis heuristics that further stress the systems processing capacity.To address these trends, we are developing a cyber-security intelligent load balancer for securing terabit-scale network facilities. Our technology is unique in that it incorporates Bro into the load balancer to address the problem of optimally mapping network traffic into IDS (intrusion detection system) nodes. Our research starts by recognizing first the two essential (indivisible) elements of the architecture, forwarders and analyzers, and developing a framework toward the composition of terabit-scale cyber-security clusters. This leads to a fractal- like architecture which, thanks to its self-similarity properties, allows for a methodology to arbitrarily scale up or down the performance of the cluster in two dimensions: degree of cyber-intelligence detected and packet forwarding performance. In Phase I we developed a fully operational prototype of our architecture at 10Gbps. We demonstrated that by adding intelligence to the system, an important amount of low-entropy trafficthat is, traffic that carries little or no cyber-intelligencecan be offloaded from the cloud, increasing the degree of cyber-intelligence extracted from the network while yielding substantial energy savings. As compared to the current state-of-the-art, our architecture allows for larger degree of intelligence extracted per unit of cost (in terms of CAPEX and OPEX costs). This new degree of efficiency is key toward efficiently securing private and public network assets from external cyber-threats. In Phase II, our objective is to scale up our cloud-based IDS technology to secure network facilities that operate at up to terabit per second traffic rates. To achieve such objective, we have designed an architecture that can flexibly adjust the degree of intelligence performed by each node as a function of current traffic demands and the systems state. This leads to the notion of an elastic cyber-security cloud, understood as a virtual facility which can organically grow by adding more physical nodes. Furthermore, since our technology is based on Bro, a project driven by an open source community of developers, the cloud will be able to accept progressively higher degrees of intelligence as newer and more sophisticated Bro cyber-security applications continue to be developed by the community. This technology will provide a key element in the effort of securing US network-based facilities, whether private or public. The technology will therefore target customers that have large network assets, including corporations, Internet Service Providers and Government.
* information listed above is at the time of submission.