
Author: 沈怡伶 (Shen, Yi-Ling)
Title (Chinese): 應用賽局理論動態分配流量於平行入侵偵測系統
Title (English): Dynamic Allocation Mechanism Based on the Game Theory for Parallel Intrusion Detection Systems
Advisor: 賴溪松 (Laih, Chi-Sung)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering
Year of publication: 2010
Academic year of graduation: 98 (Minguo calendar)
Language: English
Pages: 82
Chinese keywords (translated): parallel-architecture intrusion detection system, load balancing, dynamic allocation, game theory
English keywords: Parallel IDS, load balancing, dynamic allocation, game theory
Statistics: 88 views, 0 downloads
Abstract (translated from the Chinese):
    An intrusion detection system (IDS) is a security device for defending against intrusion attacks; it detects attack events by inspecting packets. However, with the rapid growth of the Internet, network traffic keeps increasing. A single-IDS architecture, limited by its processing capacity, cannot process large volumes of packets in real time, so packets are dropped.
    This thesis proposes a Dynamic Parallel Intrusion Detection System (DPIDS), which uses multiple IDSs to inspect packets in parallel. The core of the system is a Taskmaster, which actively collects the status of each IDS and then, according to game theory, dynamically allocates traffic and performs load balancing; this avoids the packet drops caused by sudden traffic surges and handles the unexpected event of an IDS crashing. Because traffic is allocated in a session-oriented manner, the system also achieves stateful analysis. In addition, since the algorithm makes it easy to add new hardware and retire old hardware, and lets IDSs of different grades inspect packets in parallel, hardware can be chosen with greater flexibility.
    Experimental results show that the taskmaster mechanism dynamically balances traffic and uses the overall system resources more efficiently, thereby increasing performance and reducing packet drops.

Abstract (English):
    An intrusion detection system (IDS) is a network security tool that inspects the packets passing through it. However, with the rapid development of the Internet, network bandwidth has steadily increased. A major issue for an IDS is therefore an overly high volume of traffic, in which the NIDS is unable to process all the data and traffic is "dropped". Scaling a NIDS to high-speed networks can be achieved by running multiple NIDSs in parallel.
    We propose a Dynamic Parallel Intrusion Detection System (DPIDS) with dynamic allocation and a load-balancing mechanism to handle the increased load. To improve the performance of multiple IDSs, we introduce a taskmaster, which is the core of the DPIDS. The taskmaster oversees the division and allocation of responsibility and performs packet control, pre-filtering, and state management. It uses active analysis to assign work intelligently using game theory, in contrast to the passive distribution methods proposed by previous work. The active mechanism improves the division of labor by dynamically loading the slave IDSs and can account for sudden increases in traffic or slave IDS crashes. In addition, this mechanism allows IDSs of different grades to work in tandem within the DPIDS architecture.
    The overall system is designed as a session-oriented, signature-based IDS, which provides stateful analysis so that related events are aggregated for detection by a single slave IDS. Our experimental results show that DPIDS maintains stable loading as a function of the taskmaster. This feature gives the overall system better performance as a result of more efficient use of IDS capacity.

Table of Contents:
    List of Tables  VII
    List of Figures  VIII
    Chapter 1 Introduction  1
    1.1 Motivation  1
    1.2 Contributions  2
    1.3 Proposed Solution  2
    1.4 Design Considerations  4
    1.5 Thesis Organization  6
    Chapter 2 Background Knowledge  9
    2.1 IDS Introduction  9
    2.1.1 Overview of Intrusion Detection Systems  9
    2.1.2 Common IDS Detection Methodologies  11
    2.1.3 IDS Types  15
    2.1.4 IDS Limitations  19
    2.2 The Game Theory  20
    2.2.1 Cooperative Games  25
    Chapter 3 Related Work  31
    3.1 Solutions by IDS Platform  31
    3.1.1 Distributed IDS  32
    3.1.2 Parallel IDS  33
    3.2 Log Aggregation Method  41
    3.3 IDS Improvements  42
    Chapter 4 System Principles  43
    4.1 SWOT Analysis of Parallel IDS  43
    4.2 Problem Statement  47
    4.3 Resource Allocation Using Game Theory  48
    4.4 Bankruptcy Games  49
    4.4.1 Bankruptcy Problem  49
    4.4.2 Characteristic Function of Coalition  50
    4.4.3 Core and Shapley Value  52
    Chapter 5 System Architecture  53
    5.1 Framework  53
    5.2 Implementation  56
    Chapter 6 Experiments and Evaluation  61
    6.1 System Performance  61
    6.1.1 Variable Load Claims  64
    6.1.2 Dynamic Recovery  66
    6.2 Load Normalization  68
    6.3 Reallocation Mechanism  69
    Chapter 7 Discussion  73
    Chapter 8 Conclusion and Future Work  77
    References  79


Access: on campus, public from 2011-07-29; off campus, not public.
    The electronic thesis has not yet been authorized for public release; for the printed copy, consult the library catalogue.