On optimizing load balancing of intrusion detection and prevention systems

In large-scale enterprise networks, multiple network intrusion detection and prevention systems are used to provide high quality protection. A challenging problem is to maintain load balancing of the systems, while minimizing the loss of information due to distributing traffic. Because anomaly-based detection and prevention of some intrusions require a single system to analyze attack- correlated flows, this loss of information might severely reduce the accuracy of the detection and prevention. In this paper, we address this problem by first formalizing the load balancing problem as an optimization problem, considering both the load variance and the information loss. We then present our Benefit-based Load Balancing (BLB) algorithm as a solution to the problem. We have implemented a prototype load-balancer with BLB algorithm and evaluated it against a DDoS attack. Our results show that the load-balancer significantly improves the detection accuracy, while being able to keep the load of the systems close within a desired bound.