TY - JOUR
T1 - The Next‐Generation NIDS Platform
T2 - Cloud‐Based Snort NIDS Using Containers and Big Data
AU - Saputra, Ferry Astika
AU - Salman, Muhammad
AU - Hasim, Jauari Akhmad Nur
AU - Nadhori, Isbat Uzzin
AU - Ramli, Kalamullah
N1 - Funding Information:
Funding: This publication is supported by Direktorat Riset dan Pengembangan Universitas Indonesia through Hibah Publikasi Terindeks Internasional (PUTI) Q2 Scheme No. NKB‐1680/UN2.RST/HKP.05.00/2020.
Funding Information:
Acknowledgments: The authors gratefully acknowledge the financial support from the Direktorat Riset dan Pengembangan Universitas Indonesia. The authors thank all members of the Mata‐Elang teams (Dimas, Fadhil, Alfiyan, Ahmada, Ikbar, Andi) from Computer Network Laboratory of Politeknik Elektronika Negeri Surabaya, id.CARE of Universitas Indonesia (Gde, Elvian and Astha), BJIK‐BPPT (Taufik, Andi and Cahyo), and JICA‐TOKYO (Ide, Takano, Akiyama and Sakurai) for helpful discussion and technical support.
Publisher Copyright:
© 2022 by the authors. Licensee MDPI, Basel, Switzerland.
PY - 2022/3
Y1 - 2022/3
N2 - Snort is a well‐known, signature‐based network intrusion detection system (NIDS). The Snort sensor must be placed within the same physical network, and the defense centers in the typical NIDS architecture offer limited network coverage, especially for remote networks with a restricted bandwidth and network policy. Additionally, the growing number of sensor instances, followed by a quick increase in log data volume, has caused the present system to face big data challenges. This research paper proposes a novel design for a cloud‐based Snort NIDS using containers and implementing big data in the defense center to overcome these problems. Our design consists of Docker as the sensor’s platform, Apache Kafka as the distributed messaging system, and big data technology orchestrated on lambda architecture. We conducted experiments to measure sensor deployment, optimum message delivery from the sensors to the defense center, aggregation speed, and efficiency in the data‐processing performance of the defense center. We successfully developed a cloud‐based Snort NIDS and found the optimum method for message delivery from the sensor to the defense center. We also succeeded in developing the dashboard and attack maps to display the attack statistics and visualize the attacks. Our design is the first reported to implement the big data architecture, namely, lambda architecture, as the defense center and to utilize rapid deployment of Snort NIDS using Docker technology as the network security monitoring platform.
AB - Snort is a well‐known, signature‐based network intrusion detection system (NIDS). The Snort sensor must be placed within the same physical network, and the defense centers in the typical NIDS architecture offer limited network coverage, especially for remote networks with a restricted bandwidth and network policy. Additionally, the growing number of sensor instances, followed by a quick increase in log data volume, has caused the present system to face big data challenges. This research paper proposes a novel design for a cloud‐based Snort NIDS using containers and implementing big data in the defense center to overcome these problems. Our design consists of Docker as the sensor’s platform, Apache Kafka as the distributed messaging system, and big data technology orchestrated on lambda architecture. We conducted experiments to measure sensor deployment, optimum message delivery from the sensors to the defense center, aggregation speed, and efficiency in the data‐processing performance of the defense center. We successfully developed a cloud‐based Snort NIDS and found the optimum method for message delivery from the sensor to the defense center. We also succeeded in developing the dashboard and attack maps to display the attack statistics and visualize the attacks. Our design is the first reported to implement the big data architecture, namely, lambda architecture, as the defense center and to utilize rapid deployment of Snort NIDS using Docker technology as the network security monitoring platform.
KW - Big data
KW - Cloud‐based IDS
KW - Docker
KW - Lambda architecture
KW - Snort
UR - http://www.scopus.com/inward/record.url?scp=85124392474&partnerID=8YFLogxK
U2 - 10.3390/bdcc6010019
DO - 10.3390/bdcc6010019
M3 - Article
AN - SCOPUS:85124392474
SN - 2504-2289
VL - 6
JO - Big Data and Cognitive Computing
JF - Big Data and Cognitive Computing
IS - 1
M1 - 19
ER -