Class-Chord: Efficient Messages to Classes of Nodes in Chord

Security Information Event Management (SIEM) systems are used to monitor large networks for malware infestations, DDoS attacks, and many other types of network intrusions. Typical SIEMs are centrally managed with information flowing in from across the enterprise. In this architecture, as the enterprise grows, the SIEM must also scale proportionally. In our research we are working to create a Peer-to-Peer distributed SIEM system to leverage the power of all the devices in the network for monitoring. The system scales naturally, as the enterprise grows, more devices come into the peer-to-peer network (P2P). The added devices increase the SIEM´s processing power and storage ability. A P2P SIEM will drastically reduce upfront hardware costs and provide an increased processing power for advanced analytics. In this paper, we present Class-Chord which is a P2P network fabric designed to support a P2P SIEM. We have modified the well known Chord DHT to support efficient 1-n messaging that is required to enable SIEM administrators to query subsets of the network rather than flooding queries to all nodes. Class-Chord uses a modified Chord ID and a new message type that enables administrators to send messages to network subsets using complex class matching specifiers. We analyze theoretical models for the system and present experimental results from a live system deployed across 300 physical nodes. The results attest that Class-Chord is more efficient than traditional communication mechanisms used in SIEM systems.