Recent Advances in Intrusion Detection

Volume 4637 of the series Lecture Notes in Computer Science, pp. 107-126

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware

  • Matthias Vallentin (TU München)
  • Robin Sommer (Lawrence Berkeley National Laboratory; International Computer Science Institute)
  • Jason Lee (Lawrence Berkeley National Laboratory)
  • Craig Leres (Lawrence Berkeley National Laboratory)
  • Vern Paxson (International Computer Science Institute; Lawrence Berkeley National Laboratory)
  • Brian Tierney (Lawrence Berkeley National Laboratory)

In this work we present a NIDS cluster as a scalable solution for realizing high-performance, stateful network intrusion detection on commodity hardware. The design addresses three challenges: (i) distributing traffic evenly across an extensible set of analysis nodes in a fashion that minimizes the communication required for coordination; (ii) adapting the NIDS’s operation to support coordinating its low-level analysis rather than just aggregating alerts; and (iii) validating that the cluster produces sound results. Prototypes of our NIDS cluster now operate at the Lawrence Berkeley National Laboratory and the University of California at Berkeley. In both environments the clusters greatly enhance the power of the network security monitoring.