Adaptive load balancing architecture for SNORT

Nowadays the importance of intrusion detection is amplified due to incredible increase in number of attacks on the networks. The ubiquity of the Internet and the easy perpetration of the attacks will lead to more hostile traffic on the Internet. With the advent of high-speed Internet connections, the organizations today rind it difficult to detect intrusions. So multi sensor Intrusion Detection Systems are inevitable. The optimum distribution of traffic to the sensors is a challenging task. In this paper we present a mechanism to split traffic to different intrusion detection sensors to make the task manageable. This splitting of traffic to each sensor is managed by policies enforced on the splitter by the management console. The system is adaptive in the sense that it can adjust the splitting policies for keeping load disparity among sensors reduced. This mechanism of policy- reloading also take into the account the similarity between all possible pairs of policies and tries to minimize the packet duplication rate during the operation of the system. Our mechanism is based on the observation that minimizing the percentage of traffic being duplicated can enhance system performance. We have also discussed the effects of reloading of splitting policies on packet duplication rate and load on sensors.