Vortex: Enabling Cooperative Selective Wormholing for Network Security Systems

Jack Lange, Peter Dinda and Fabián E. Bustamante
In Proc. of 10th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2007.

EECS Department
Northwestern University
Evanston, IL 60201, USA
This email address is being protected from spambots. You need JavaScript enabled to view it. , This email address is being protected from spambots. You need JavaScript enabled to view it. , This email address is being protected from spambots. You need JavaScript enabled to view it.

Abstract

We present a novel approach to remote traffic aggregation for Network Intrusion Detection Systems (NIDS) called Cooperative Selective Wormholing (CSW). Our approach works by selectively aggregating traffic bound for unused network ports on a volunteer’s commodity PC. CSW could enable NIDS operators to cheaply and efficiently monitor large distributed portions of the Internet, something they are currently incapable of. Based on a study of several hundred hosts in a university network, we posit that there is sufficient heterogeneity in hosts’ network service configurations to achieve a high degree of network coverage by re-using unused port space on client machines. We demonstrate Vortex, a proof-of-concept CSW implementation that runs on a wide range of commodity PCs (Unix and Windows). Our experiments show that Vortex can selectively aggregate traffic to a virtual machine backend, effectively allowing two machines to share the same IP address transparently. We close with a discussion of the basic requirements for a large-scale CSW deployment.

Downloads