DocumentCode :
2078008
Title :
Adaptive load balancing architecture for SNORT
Author :
Alam, M. Shoaib ; Javed, Qasim ; Akbar, M. ; Rehman, M. Raza Ur ; Anwer, M. Bilal
Author_Institution :
Mil. Coll. of Signals, Nat. Univ. of Sci. & Technol., Rawalpindi, Pakistan
fYear :
2004
fDate :
11-13 June 2004
Firstpage :
48
Lastpage :
52
Abstract :
Nowadays the importance of intrusion detection is amplified due to the incredible increase in the number of attacks on the networks. The ubiquity of the Internet and the easy perpetration of attacks will lead to more hostile traffic. With the advent of high-speed Internet connections, organizations today find it difficult to detect intrusions. So multi-sensor intrusion detection systems are inevitable. The optimum distribution of traffic to the sensors is a challenging task. We present a mechanism to split traffic to different intrusion detection sensors (e.g., SNORT based sensors) to make the task manageable. This splitting of traffic to each sensor is managed by policies enforced on the splitter by the management console. The system is adaptive in the sense that it can adjust the splitting policies for keeping load disparity among sensors reduced. This mechanism of policy-reloading also takes into account the similarity between all possible pairs of policies and tries to minimize the packet duplication rate during the operation of the system. Our mechanism is based on the observation that minimizing the percentage of traffic being duplicated can enhance system performance. We also discuss the effects of the reloading of splitting policies on packet duplication rate and on the load on the sensors.
Keywords :
Internet; security of data; telecommunication security; telecommunication traffic; Internet; SNORT intrusion detection system; adaptive load balancing architecture; load disparity; management console; multi sensor intrusion detection systems; packet duplication rate minimization; traffic splitting policies; Adaptive systems; Educational institutions; Internet; Intrusion detection; Load management; Scalability; Sensor systems; Statistics; System performance; Telecommunication traffic;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Networking and Communication Conference, 2004. INCC 2004. International
Print_ISBN :
0-7803-8325-7
Type :
conf
DOI :
10.1109/INCC.2004.1366575
Filename :
1366575