Introduction

At ShitOps, ensuring unparalleled security for our infrastructure is paramount. Recently, we encountered a challenge in enhancing our Intrusion Detection System (IDS) responsiveness and scalability while maintaining low latency and high throughput. Traditional IDS solutions seemed insufficient for our highly distributed environment involving Dell hardware and diverse software stacks.

In this post, I will detail a state-of-the-art solution we conceived, involving cutting-edge technologies like Vue, XML, Apache Pulsar, JavaScript, and even low code methodologies, orchestrated on our fleet of Dell servers to create a powerhouse IDS pipeline unparalleled in the industry.

The Challenge

Our legacy IDS solutions were slow to adapt to anomalies. The problem? Massive volumes of log data from our Dell servers and network devices. Parsing this data, detecting anomalous behavior, and alerting faster was imperative. Moreover, we desired a user interface that not only showed real-time alerts but also provided dynamic configuration capabilities accessible to our security analysts.

Solution Architecture Overview

Our novel approach leverages an event-driven architecture powered by Apache Pulsar, coupled with a Vue-based frontend for real-time monitoring and low code interfaces for rapid IDS rule modification.

Step 1: XML-Based Log Serialization

All logs from Dell hardware and network devices are first serialized into verbose XML format. While JSON is popular, XML provides strict schema validation suitable for our stringent compliance requirements.

Step 2: Apache Pulsar for Stream Processing

The XML logs enter an Apache Pulsar cluster, where multiple consumers apply complex filters and anomaly detection algorithms, implemented as JavaScript UDFs (User Defined Functions). This approach ensures distributed load balancing and guaranteed message delivery.

Step 3: Low Code Configuration Layer

Security analysts utilize a low code platform that generates configuration scripts for JavaScript UDFs in Pulsar. This empowers rapid adaptation of detection algorithms without the need for deep programming expertise.

Step 4: Vue Frontend Dashboard

The frontend is a single-page application built entirely with Vue. It consumes real-time Pulsar topics via a websocket proxy, rendering live alerts and system health metrics. The UI also allows analysts to tweak detection rules via the low code interface, with immediate propagation to back-end units.

Step 5: Dell Hardware Clusters

Our entire pipeline runs on clusters of the latest Dell PowerEdge servers, configured with redundant network paths for maximum resilience.

System Flow Diagram

sequenceDiagram
    participant Dell as Dell Servers
    participant XML as XML Transformer
    participant Pulsar as Apache Pulsar Cluster
    participant JSUDF as JavaScript UDFs for Detection
    participant LowCode as Low Code Platform
    participant Vue as Vue Frontend
    Dell->>XML: Send raw logs
    XML->>Pulsar: Produce XML messages
    Pulsar->>JSUDF: Consume and process XML
    LowCode->>JSUDF: Deploy detection rules
    JSUDF->>Pulsar: Produce alerts
    Pulsar->>Vue: Publish alerts
    Vue->>LowCode: User modifies rules
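As an added example (not code from the post or from ShitOps), here is the body of a detection function of the kind Step 2 describes: it parses one XML log record under an assumed flat schema and raises an alert when a single source accumulates five failed logins inside a minute. The record schema, the field names, the thresholds and the sample records are all assumptions; the Pulsar wrapper around the function is left out, and the extractor deliberately handles only flat elements and returns null for anything else rather than pulling in a full XML parser.

```javascript
// Added example, not the post's own code: the body of a detection UDF of the
// kind Step 2 describes. Assumed flat record schema (not from the post):
// <log><ts>ISO-8601</ts><host>..</host><src>IP</src><event>..</event></log>
const WINDOW_MS = 60 * 1000;   // sliding window for the burst rule
const THRESHOLD = 5;           // failed logins per source that raise an alert

// Narrow field extractor for single-level elements, not a general XML parser:
// nested markup or a missing element yields null instead of a wrong value.
function field(xml, name) {
  const m = new RegExp(`<${name}>([^<]*)</${name}>`).exec(xml);
  if (!m) return null;
  return m[1].replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

function parseLog(xml) {
  const ts = Date.parse(field(xml, 'ts') || '');
  const host = field(xml, 'host'), src = field(xml, 'src'), event = field(xml, 'event');
  if (Number.isNaN(ts) || !host || !src || !event) return null;
  return { ts, host, src, event };
}

// Per-source state lives in process memory here; a deployed function would
// keep it in Pulsar function state or an external store (assumption).
function makeDetector() {
  const failures = new Map();   // src -> timestamps of recent failed logins
  return function detect(xml) {
    const rec = parseLog(xml);
    if (!rec) return { type: 'malformed_record', raw: xml.slice(0, 80) };
    if (rec.event !== 'login_failed') return null;
    const recent = (failures.get(rec.src) || []).filter(t => rec.ts - t < WINDOW_MS);
    recent.push(rec.ts);
    if (recent.length < THRESHOLD) { failures.set(rec.src, recent); return null; }
    failures.set(rec.src, []);   // one alert per burst, then start counting again
    return { type: 'login_burst', src: rec.src, host: rec.host, count: recent.length, ts: rec.ts };
  };
}
// Constructed sample records (not real logs): five failures from 10.0.0.7
// inside a minute, one success, one malformed record.
const SAMPLE = [
  '<log><ts>2024-01-01T10:00:00Z</ts><host>web01</host><src>10.0.0.7</src><event>login_failed</event></log>',
  '<log><ts>2024-01-01T10:00:05Z</ts><host>web01</host><src>10.0.0.7</src><event>login_failed</event></log>',
  '<log><ts>2024-01-01T10:00:10Z</ts><host>web01</host><src>10.0.0.9</src><event>login_ok</event></log>',
  '<log><ts>2024-01-01T10:00:12Z</ts><host>web02</host><src>10.0.0.7</src><event>login_failed</event></log>',
  '<log><ts>2024-01-01T10:00:20Z</ts><host>web01</host><src>10.0.0.7</src><event>login_failed</event></log>',
  '<log><ts>2024-01-01T10:00:30Z</ts><host>web01</host><src>10.0.0.7</src><event>login_failed</event></log>',
  '<log><ts>garbage</ts><host>web01</host></log>',
];
function runSample() { const detect = makeDetector(); return SAMPLE.map(detect).filter(Boolean); }
console.log(runSample());
```

Running the sample yields two alerts: one login_burst for 10.0.0.7 with a count of five, and one malformed_record for the unparseable record.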

Implementation Details

Advantages of Our Approach

Lessons Learned

While the implementation required significant upfront resources and architectural complexity, the resulting system provides a robust, extensible IDS platform. Future efforts will include incorporating AI/ML components within Apache Pulsar streams and further enhancing the low code environment.

Conclusion

By integrating Vue, XML, Dell hardware, Apache Pulsar, JavaScript UDFs, and low code methodologies, ShitOps has built a next-generation intrusion detection system that is resilient, flexible, and responsive to the evolving threat landscape. This architectural paradigm showcases how leveraging a broad technology stack can solve intricate engineering challenges efficiently.

I invite the engineering community to explore and iterate upon these concepts to advance the frontier of security monitoring systems.


Author: Dr. Max Overkill
Senior Solution Architect at ShitOps