• No results found

MIDeA: A Multi-Parallel Intrusion Detection Architecture

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "MIDeA: A Multi-Parallel Intrusion Detection Architecture"

Copied!
34
0
0

Loading.... (view fulltext now)

Download now ( 34 Page )

Full text

(1)

MIDeA: A Multi-Parallel Intrusion

Detection Architecture

Giorgos Vasiliadis, FORTH-ICS, Greece

Michalis Polychronakis, Columbia U., USA Sotiris Ioannidis, FORTH-ICS, Greece

(2)

Network Intrusion Detection Systems

• Typically deployed at ingress/egress points

– Inspect all network traffic – Look for suspicious activities – Alert on malicious actions

10 GbE

[email protected] 2

Internet Internal

Network

(3)

• Traffic rates are increasing

– 10 Gbit/s Ethernet speeds are common in metro/enterprise networks

– Up to 40 Gbit/s at the core

• Keep needing to perform more complex analysis at higher speeds

– Deep packet inspection – Stateful analysis

– 1000s of attack signatures

Challenges

(4)

Designing NIDS

• Fast

– Need to handle many Gbit/s – Scalable

• Moore’s law does not hold anymore

• Commodity hardware

– Cheap

– Easily programmable

(5)

Today: fast or commodity

• Fast “hardware” NIDS

– FPGA/TCAM/ASIC based – Throughput: High

• Commodity “software” NIDS

– Processing by general-purpose processors – Throughput: Low

(6)

MIDeA

• A NIDS out of commodity components

– Single-box implementation – Easy programmability

– Low price

Can we build a 10 Gbit/s NIDS with commodity hardware?

(7)

Outline

• Architecture • Implementation • Performance Evaluation • Conclusions [email protected] 7

(8)

Single-threaded performance

• Vanilla Snort: 0.2 Gbit/s

NIC Preprocess Pattern

matching Output

(9)

Problem #1: Scalability

• Single-threaded NIDS have limited performance

– Do not scale with the number of CPU cores

(10)

Multi-threaded performance

• Vanilla Snort: 0.2 Gbit/s

• With multiple CPU-cores: 0.9 Gbit/s

NIC Preprocess Pattern matching Output Preprocess Pattern matching Output Preprocess Pattern matching Output [email protected] 10

(11)

Problem #2: How to split traffic

 Synchronization overheads  Cache misses Receive-Side Scaling (RSS) NIC cores 11

(12)

Multi-queue performance

• Vanilla Snort: 0.2 Gbit/s

• With multiple CPU-cores: 0.9 Gbit/s • With multiple Rx-queues: 1.1 Gbit/s

RSS NIC Pattern matching Output Preprocess Pattern matching Output Pattern matching Output Preprocess Preprocess 12

(13)

Problem #3: Pattern matching is the

bottleneck

Offload pattern matching on the GPU

NIC Pattern

matching Output

NIC Preprocess Pattern

matching Output

Preprocess

> 75%

(14)

Why GPU?

• General-purpose computing

– Flexible and programmable

• Powerful and ubiquitous

– Constant innovation

• Data-parallel model

– More transistors for data processing rather than data caching and flow control

(15)

Offloading pattern matching to the GPU

• Vanilla Snort: 0.2 Gbit/s

• With multiple CPU-cores: 0.9 Gbit/s • With multiple Rx-queues: 1.1 Gbit/s • With GPU: 5.2 Gbit/s

RSS NIC Pattern matching Output Preprocess Pattern matching Output Pattern matching Output Preprocess Preprocess 15

(16)

Outline

• Architecture • Implementation • Performance Evaluation • Conclusions [email protected] 16

(17)

Multiple data transfers

• Several data transfers between different devices Are the data transfers worth the computational

gains offered? NIC CPU GPU [email protected] 17 PCIe PCIe

(18)

Capturing packets from NIC

• Packets are hashed in the NIC and distributed to different Rx-queues

• Memory-mapped ring buffers for each Rx-queue

Rx Rx Queue Assigned Rx Rx Rx Network Interface Ring buffers Kernel space User space [email protected] 18

(19)

CPU Processing

• Packet capturing is performed by different CPU-cores in parallel – Process affinity

• Each core normalizes and reassembles captured packets to streams – Remove ambiguities

– Detect attacks that span multiple packets

• Packets of the same connection always end up to the same core – No synchronization

– Cache locality

• Reassembled packet streams are then transferred to the GPU for pattern matching

– How to access the GPU?

(20)

Accessing the GPU

• Solution #1: Master/Slave model

• Execution flow example

[email protected] 20 GPU Thread 2 P1 P1 Transfer to GPU: GPU execution:

Transfer from GPU: P1

P1 P1 P1 14.6 Gbit/s Thread 3 Thread 4 Thread 1 PCIe 64 Gbit/s

(21)

Accessing the GPU

• Solution #2: Shared execution by multiple threads

• Execution flow example

[email protected] 21

P1 P2 P3

P1 P2 P3

Transfer to GPU: GPU execution:

Transfer from GPU: P1 P2 P3

P1 P1 P1 GPU 48.1 Gbit/s Thread 1 Thread 2 Thread 3 Thread 4 PCIe 64 Gbit/s

(22)

Transferring to GPU

• Small transfer results to PCIe throughput degradation

Each core batches many reassembled packets into a single buffer [email protected] CPU-core Scan Push Push Push GPU

(23)

Pattern Matching on GPU

• Uniformly, one GPU core for each reassembled packet stream GPU core Matches GPU core GPU core GPU core Packet Buffer GPU core GPU core [email protected] 23

(24)

Pipelining CPU and GPU

• Double-buffering

– Each CPU core collects new reassembled packets, while the GPUs process the previous batch

– Effectively hides GPU communication costs

CPU

Packet buffers

(25)

Recap

1-10Gbps Demux Per-flow protocol analysis Data-parallel content matching NIC: CPUs: GPUs: Packet streams Reassembled packet streams Packets [email protected] 25

(26)

Outline

• Architecture • Implementation • Performance Evaluation • Conclusions [email protected] 26

(27)

Setup: Hardware

• NUMA architecture, QuickPath Interconnect

Memor

y

IOH IOH

GPU GPU NIC

Memor

y

CPU-0 CPU-1

[email protected] 27

Model Specs

2 x CPU Intel E5520 2.27 GHz x 4 cores 2 x GPU NVIDIA GTX480 1.4 GHz x 480 cores 1 x NIC 82599EB 10 GbE

(28)

Pattern Matching Performance

• The performance of a single GPU increases, as the number of CPU-cores increases

Bounded by PCIe capacity GPU Thr oug hput 1 14.6 26.7 42.5 48.1 2 4 8 #CPU-cores [email protected] 28

(29)

Pattern Matching Performance

• The performance of a single GPU increases, as the number of CPU-cores increases

70.7 Adding a second GPU [email protected] 29 GPU Thr oug hput 1 14.6 26.7 42.5 48.1 2 4 8 #CPU-cores

(30)

Setup: Network

[email protected] 30

Traffic

Generator/Replayer MIDeA

(31)

Synthetic traffic

• Randomly generated traffic

Gbi t/s 1.5 4.8 7.2 Snort (8x cores) MIDeA 200b 800b 1500b Packet size [email protected] 31 2.1 1.1 2.4

(32)

Real traffic

Gbi

t/s

5.2

• 5.2 Gbit/s with zero packet-loss

– Replayed trace captured at the gateway of a university campus

[email protected] 32

1.1

Snort (8x cores) MIDeA

(33)

Summary

• MIDeA: A multi-parallel network intrusion detection architecture

– Single-box implementation

– Based on commodity hardware – Less than $1500

• Operate on 5.2 Gbit/s with zero packet loss

– 70 Gbit/s pattern matching throughput

(34)

Thank you!

[email protected]

References

Download now ( PDF - 34 Page - 1.23 MB )

Related documents

Career-Focused Course Sequencing and Retention to Graduation in a Tennessee Community College

Similar to learning support reading and writing requirement completion, the analysis suggested that there is no significant difference between first-time full-time freshman

Debt-Deflation versus the Liquidity Trap : the Dilemma of Nonconventional Monetary Policy

This paper examines quantity-targeting monetary policy in a two-period economy with fiat money, endogenously incomplete markets of financial secu- rities, durable goods and

Project Planning and Control: Does National Culture Influence Project Success?

The analysis of Table 8, which presents the results of One-Way ANOVA test, show that there are no statistically significant differences of the mean of the factor Importance given

Gamification as a motivational tool for software systems, as illustrated in a second-language learning environment

Glossary – customised for the nature of this thesis “the feeling of volition that can accompany any act” Ryan & Deci, 2000a The mastery of “optimal challenges that are

Analyzing the Quality Assurance of Trainees Competency Assessment and Accreditation of Cyber Forensic Education/Training Programs

Ten training/education providers in USA [34, 35]: Central Michigan University [25], California State University [26], California State Polytechnic University [26], Poly Pomona

Biomass fuel use and indoor air pollution in homes in Malawi

different between the rural (wood burning) and urban (charcoal) homes in our study, there was a trend to higher levels in the rural environment and data from Mozambique suggest

Differentiated Curriculum: The Perspectives of the Special Educationist

To differentiate process, Tomlinson and Allan (2000), have suggested the use tiered activities through which all learners work on building the same important understandings and