RNA: Automating IDS/IPS Event Detection Offload into Programmable Forwarding Devices

Intrusion Detection and Prevention Systems (IDS/IPSs) are essential for identifying and preventing the increasingly complex and growing number of cyber-attacks. These systems analyze streams of network packets, providing ways to identify attack patterns and notify operators about possible threats. Nonetheless, server-only approaches are inefficient, overwhelming server resources since servers typically operate at a Mbps scale, which is drastically slower than the Tbps scale of high-speed networks. In this paper, we propose RNA, a system that offloads to programmable forwarding devices the identification of critical events (per-packet) that are "consumed" by IDS/IPSs, thereby reducing the resource overhead of a serveronly solution. At its core, RNA provides a mechanism for distilling events of interest from security signature specifications and an approach for automatically generating code to offload IDS/IPS event processing to programmable switches. The proposed system "envelops" this functionality into interfaces that allow for transparent communication between forwarding devices and IDS/IPS systems transparently. We implement a proof-of-concept of RNA on top of Zeek. Our evaluations with real datasets show that RNA can identify attacks while releasing resources from the server-only solution. We also show that RNA minimizes the effort by operators to code P4 software. (AU)