The Study on the Blocking Time Reduction of the IDS/SON Cooperative Firewall System

Abstract

This research introduces a method to reduce the mean time-To-respond of the Intrusion detection system (IDS) / software-defined network (SDN) cooperative firewall system to increase its efficiency. The previous IDS/SDN Cooperative firewall system relies on Syslog events to pass the message between the SDN controller, IDS, and Open Virtual Switch (OvS) to alter the flow entries. This, however, was proven to be too slow in blocking some malicious packets. This new study aims to improve the blocking delay in two ways: by integrating the IDS with the Open Virtual Switch, and by adding multiple IDS cores to it. By integrating the IDS into the OvS, the study has found that the blocking speed has increased significantly, approximately 7 times faster since there is no communication overhead. This, however, might lower the flexibility of the SDN system since the IDS is now attached to OvS itself. The configuration is explored further by adding another IDS instance to the device running the OvS to create a dual-core IDS system. This configuration is proven to increase the efficiency of the IDS/SDN cooperative firewall when under high load. However, it is slower than the former single-core IDS when under normal load due to the communication overhead.