A novel workload scheduling framework for intrusion detection system in NFV scenario
Computers & Security (IF 5.6), Pub Date: 2021-04-16, DOI: 10.1016/j.cose.2021.102271
Chenxi Li, Jia Li, Jiahai Yang, Jinlei Lin

Compared with traditional Intrusion Detection System (IDS) solutions, deploying IDS in a Network Function Virtualization (NFV) environment can offer better scalability and flexibility. Existing research in this area does not take many IDS features into account when designing IDS-specific workload scheduling approaches. Thus, there is room to further improve the performance of IDS deployment in the NFV scenario. In this paper, we identify some critical IDS features by analyzing the packet processing procedures, software implementation, and rulesets of typical IDS. Combining these features with the flexibility of NFV, we propose a novel workload scheduling framework for IDS deployment in the NFV scenario. Our framework contains two parts: 1) a novel protocol & destination port based traffic migration strategy, which can improve detection performance and reduce memory usage compared with the traditional 5-tuple hash based strategy; 2) an auto-configuration algorithm to find a better-than-default configuration for each Virtual Network Function (VNF) instance. We evaluate our framework with real network traffic and benchmark traffic datasets for IDS. Experimental results show that our framework always achieves better detection performance and lower memory usage than the 5-tuple hash based migration strategy and the default configuration.




Updated: 2021-04-29