A linear programming scheme for IPS traffic scheduling

Intrusion Prevention System (IPS) sensors represent the initial security barrier of a network. A main challenge in today´s Internet environment is the amount of traffic these devices have to inspect. This paper presents a linear program for traffic scheduling in multi-sensor environments that alleviates inspection load at sensors. The model uses a per-flow alarm rate metric which quantifies the ratio of the amount of traffic that matches the configured signatures to the amount of traffic inspected. Traffic flows can be classified based on the metric, which permits the efficient use of computational resources to inspect suspicious traffic. Numerical results demonstrate how the proposed model can be used in enterprise networks. While the linear program is not constrained to integral solutions, traffic flows are mostly scheduled for inspection to a single sensor, which facilitates the collection of state information. This feature is essential to detect malicious traffic characterized by composite signatures.