Network Intrusion Detection Systems (NIDSes) face significant challenges arising from the relentless growth of network link speeds and the increasing complexity of threats. Both hardware-accelerated and parallel software-based NIDS solutions, built on commodity multi-core and GPU processors, have been proposed to overcome these challenges. This work explores the new parallelism opportunities afforded by many-core processors for high-performance, scalable and inexpensive NIDS. We exploit the large computational power of many-core processors by adopting a hybrid parallel architecture that combines data and pipeline parallelism. We also design a hybrid load-balancing scheme that uses both ruleset and flow-space partitioning. Furthermore, the proposed design leverages particular features of the processor to break the bottlenecks. We have integrated the open-source NIDS Suricata into the proposed design and evaluated its performance with synthetic traffic. The prototype exhibits almost linear speedup and can handle up to 7.2 Gbps of traffic with 100-byte packets.
Disciplines :
Computer science
Author, co-author :
Jiang, Haiyang; Chinese Academy of Sciences - CAS > Institute of Computing Technology - ICT
Xie, Gaogang; Chinese Academy of Sciences - CAS > Institute of Computing Technology - ICT
Salamatian, Kavé; Université de Savoie
Mathy, Laurent; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Systèmes informatiques répartis et sécurité
Language :
English
Title :
Scalable High-Performance Parallel Design for Network Intrusion Detection Systems on Many-Core Processors
Publication date :
2013
Event name :
ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS)