Performance Improvement by Coordinating Configurations of Independently-managed NIDS

Because of today's increased traffic volume and sophisticated attacks, implementing a network intrusion detection/prevention system (NIDS/NIPS) with a single workstation has been challenging. In this paper, we propose Brownie, a system for improving performance by coordinating configurations of alreadyexisting, independently-managed NIDSs in an organization. Instead of installing one expensive hardware or parallel NIDSs at a network entry point, Brownie achieves performance improvement by 1) offloading overloaded NIDS, and 2) eliminating redundant rules. First, Brownie exchanges NIDSs' load status and transfers some rules from overloaded to light-loaded NIDSs, which prevents the overloaded NIDSs from bottlenecking the network. Second, if some NIDSs on a network path enable the same rules, Brownie eliminates the redundant rules, which reduces the aggregate overhead of the NIDSs. The experimental results with a web server benchmark suggest that Brownie increases the benchmark throughput by more than 10%. In addition, Brownie running with a university full-packet trace successfully offloads overloaded NIDS and eliminates redundant rules.