
Haetae: Scaling the Performance of Network Intrusion Detection with Many-Core Processors

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9404)

Abstract

In this paper, we present the design and implementation of Haetae, a high-performance Suricata-based NIDS on many-core processors (MCPs). Haetae achieves high performance through three design choices. First, Haetae exploits the high parallelism of the MCP by launching as many independent NIDS engines as possible, each analyzing its own share of the incoming flows at high speed. Second, Haetae leverages the programmable network interface card to offload common packet processing tasks from the regular cores, and it minimizes redundant memory accesses by keeping the packet metadata structure as small as possible. Third, Haetae dynamically offloads flows to the host-side CPU when the system experiences a high load, so that all processing power on a given system is utilized regardless of processor type. Our evaluation shows that Haetae achieves up to 79.3 Gbps on synthetic traffic and 48.5 Gbps on real packet traces. It outperforms the best-known GPU-based NIDS by 2.4 times and the best-performing MCP-based system by 1.7 times, and it is 5.8 times more power efficient than the state-of-the-art GPU-based NIDS.
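The two mechanisms the abstract names, per-flow dispatch to independent NIDS engines and dynamic offloading of flows to the host CPU under load, both hinge on one property: every packet of a flow, in both directions, must reach the same analysis engine for its whole lifetime, otherwise stream reassembly and signature matching see only half a conversation. The following C program is an added illustration of that contract and is not Haetae's or Suricata's code; the engine count, high-water threshold, flow-table layout, hash constants and sample addresses are all assumptions chosen for the example. It canonicalizes the 5-tuple so both directions hash alike, assigns new flows to a home engine, spills a new flow to the host CPU when its home engine's backlog is over the threshold, and keeps that assignment sticky even after the engine drains.

```c
/* Added example (not Haetae's code): flow-consistent dispatch of packets
 * across many-core NIDS engines, with new flows offloaded to the host CPU
 * when their home engine's backlog is high. Names, thresholds and the
 * probing flow table are assumptions made for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define NUM_ENGINES 8        /* assumed number of on-chip NIDS engines */
#define HIGH_WATER  4        /* assumed per-engine backlog that triggers offload of new flows */
#define FLOW_TABLE  1024     /* assumed flow table size, must be a power of two */
#define HOST_CPU    (-1)     /* sentinel engine id: flow is analyzed on the host CPU */

struct flow_key { uint32_t ip_a, ip_b; uint16_t port_a, port_b; uint8_t proto; };

/* Canonical form: endpoints ordered so that both directions of a conversation
 * produce the same key. Without this, the two halves of a TCP stream could
 * land on different engines and defeat stream reassembly. */
static struct flow_key canonical(uint32_t sip, uint16_t sport,
                                 uint32_t dip, uint16_t dport, uint8_t proto)
{
    struct flow_key k;
    bool swap = (sip > dip) || (sip == dip && sport > dport);
    k.ip_a   = swap ? dip   : sip;   k.ip_b   = swap ? sip   : dip;
    k.port_a = swap ? dport : sport; k.port_b = swap ? sport : dport;
    k.proto  = proto;
    return k;
}

/* Seeded multiplicative mix of the canonical key. A production dispatcher
 * should use a keyed hash (e.g. SipHash) so an attacker cannot craft flows
 * that all collide onto one engine. */
static uint32_t flow_hash(const struct flow_key *k)
{
    uint32_t h = 0x9e3779b9u;                       /* assumed fixed seed */
    h = (h ^ k->ip_a) * 0x85ebca6bu;  h ^= h >> 13;
    h = (h ^ k->ip_b) * 0xc2b2ae35u;  h ^= h >> 16;
    h = (h ^ (((uint32_t)k->port_a << 16) | k->port_b)) * 0x27d4eb2fu;
    h ^= h >> 15;
    h ^= k->proto;
    return h;
}

struct flow_entry { struct flow_key key; bool used; int engine; };

struct dispatcher {
    struct flow_entry table[FLOW_TABLE];
    int backlog[NUM_ENGINES + 1];   /* index NUM_ENGINES counts packets queued to the host */
    unsigned offloaded_flows;
};

/* Field-by-field compare: memcmp would also compare struct padding. */
static bool key_eq(const struct flow_key *a, const struct flow_key *b)
{
    return a->ip_a == b->ip_a && a->ip_b == b->ip_b && a->port_a == b->port_a &&
           a->port_b == b->port_b && a->proto == b->proto;
}

static int *backlog_slot(struct dispatcher *d, int engine)
{ return &d->backlog[engine == HOST_CPU ? NUM_ENGINES : engine]; }

void dispatcher_init(struct dispatcher *d) { memset(d, 0, sizeof *d); }

/* Engine a brand-new flow would be hashed to, ignoring load. */
int home_engine(const struct flow_key *k) { return (int)(flow_hash(k) % NUM_ENGINES); }

/* Assigns the packet's flow to an engine and queues it there. Known flows stay
 * with their engine (or the host) for their whole lifetime; a new flow is
 * offloaded to the host if its home engine is over the high-water mark. */
int dispatch_packet(struct dispatcher *d, const struct flow_key *k)
{
    uint32_t h = flow_hash(k);
    for (uint32_t i = 0; i < FLOW_TABLE; i++) {           /* linear probing */
        struct flow_entry *e = &d->table[(h + i) & (FLOW_TABLE - 1)];
        if (e->used && key_eq(&e->key, k)) {               /* known flow: sticky */
            (*backlog_slot(d, e->engine))++;
            return e->engine;
        }
        if (!e->used) {                                    /* first packet of a new flow */
            int eng = (int)(h % NUM_ENGINES);
            if (d->backlog[eng] >= HIGH_WATER) { eng = HOST_CPU; d->offloaded_flows++; }
            e->used = true; e->key = *k; e->engine = eng;
            (*backlog_slot(d, eng))++;
            return eng;
        }
    }
    return HOST_CPU;  /* table full: assumed policy is to spill to the host */
}

/* Called when an engine (or the host) finishes analyzing one packet. */
void packet_done(struct dispatcher *d, int engine)
{
    int *b = backlog_slot(d, engine);
    if (*b > 0) (*b)--;
}

int main(void)
{
    static struct dispatcher d; dispatcher_init(&d);
    /* constructed sample: 10.0.0.1:40000 -> 10.0.0.2:80/tcp and its reverse */
    struct flow_key fwd = canonical(0x0a000001, 40000, 0x0a000002, 80, 6);
    struct flow_key rev = canonical(0x0a000002, 80, 0x0a000001, 40000, 6);
    printf("forward -> engine %d, reverse -> engine %d\n",
           dispatch_packet(&d, &fwd), dispatch_packet(&d, &rev));
    return 0;
}
```

The load check is applied only at a flow's first packet; moving an established flow between an engine and the host would require migrating its reassembly state, which is why the assignment is recorded in the flow table and never revisited here. The hash is deliberately direction-independent but not keyed; on a real sensor an unkeyed hash lets an attacker steer many flows onto one engine and force the offload path.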



Acknowledgments

We thank anonymous reviewers of RAID 2015 for their insightful comments on our paper. This research was supported in part by SK Telecom [G01130271, Research on IDS/IPS with many core NICs], and by the ICT R&D programs of MSIP/IITP, Republic of Korea [14-911-05-001, Development of an NFV-inspired networked switch and an operating system for multi-middlebox services], [R0190-15-2012, High Performance Big Data Analytics Platform Performance Acceleration Technologies Development].

Author information

Corresponding author: Jaehyun Nam


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Nam, J., Jamshed, M., Choi, B., Han, D., Park, K. (2015). Haetae: Scaling the Performance of Network Intrusion Detection with Many-Core Processors. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_5

  • DOI: https://doi.org/10.1007/978-3-319-26362-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5
