DOI: 10.1145/2046707.2046741
Research article

MIDeA: a multi-parallel intrusion detection architecture

Published: 17 October 2011

Abstract

Network intrusion detection systems face the challenge of identifying diverse attacks in extremely high-speed networks. For this reason, they must operate at multi-Gigabit speeds while performing highly complex per-packet and per-flow data processing. In this paper, we present a multi-parallel intrusion detection architecture tailored for high-speed networks. To cope with the increased processing throughput requirements, our system parallelizes network traffic processing and analysis at three levels, using multi-queue NICs, multiple CPUs, and multiple GPUs. The proposed design avoids locking, optimizes data transfers between the different processing units, and speeds up data processing by mapping each operation to the processing unit where it is best suited. Our experimental evaluation shows that our prototype implementation, built from commodity off-the-shelf equipment, reaches processing speeds of up to 5.2 Gbit/s with zero packet loss when analyzing traffic in a real network, whereas the pattern matching engine alone reaches speeds of up to 70 Gbit/s, almost a four-fold improvement over prior solutions that use specialized hardware.
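The first of the three parallelization levels above, multi-queue NICs, depends on the NIC hashing each packet's address and port fields to pick a receive queue (Receive Side Scaling). The C program below is an added example, not code from the paper: it reimplements the Toeplitz hash that RSS specifies and shows why the hash key matters for per-flow analysis, since with the common Microsoft key the two directions of one connection can be steered to different queues (and cores), while a symmetric key keeps them on the same core, which is the precondition for lock-free per-flow state. The paper's own key choice is not stated on this page, and the flow endpoints and queue count are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Microsoft's 40-byte RSS verification key; the default on many NIC drivers. */
static const uint8_t rss_key_ms[40] = {
    0x6d,0x5a,0x56,0xda,0x25,0x5b,0x0e,0xc2,0x41,0x67,0x25,0x3d,0x43,0xa3,0x8f,0xb0,
    0xd0,0xca,0x2b,0xcb,0xae,0x7b,0x30,0xb4,0x77,0xcb,0x2d,0xa3,0x80,0x30,0xf2,0x0c,
    0x6a,0x42,0xb7,0x3b,0xbe,0xac,0x01,0xfa };
/* Symmetric key: 0x6d5a repeated. Key windows 16 or 32 bits apart are identical, so
   swapping the source and destination fields of the input leaves the hash unchanged. */
static const uint8_t rss_key_sym[40] = {
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a };

/* 32-bit window of the key starting at bit offset bitpos (bits numbered MSB first). */
static uint32_t key_window(const uint8_t *key, size_t bitpos) {
    uint32_t w = 0;
    for (size_t p = bitpos; p < bitpos + 32; p++)
        w = (w << 1) | ((key[p / 8] >> (7 - p % 8)) & 1u);
    return w;
}
/* Toeplitz hash as specified for RSS: XOR in the key window aligned with every set
   input bit. The input is the packet header fields in network byte order. */
static uint32_t toeplitz(const uint8_t *key, const uint8_t *in, size_t len) {
    uint32_t h = 0;
    for (size_t p = 0; p < len * 8; p++)
        if ((in[p / 8] >> (7 - p % 8)) & 1u) h ^= key_window(key, p);
    return h;
}
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* RSS input for IPv4 + TCP/UDP: source address, destination address, source port, destination port. */
static uint32_t rss_hash_v4(const uint8_t *key, uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp) {
    uint8_t in[12];
    for (int i = 0; i < 4; i++) { in[i] = sip >> (24 - 8 * i); in[4 + i] = dip >> (24 - 8 * i); }
    in[8] = sp >> 8; in[9] = sp; in[10] = dp >> 8; in[11] = dp;
    return toeplitz(key, in, sizeof in);
}
/* Receive queue (and so the CPU core) a packet is steered to, modelling an nq-entry indirection table. */
static unsigned rss_queue(const uint8_t *key, uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp, unsigned nq) {
    return rss_hash_v4(key, sip, dip, sp, dp) % nq;
}

int main(void) {  /* constructed flow 66.9.149.187:2794 <-> 161.142.100.80:1766 over 8 queues */
    uint32_t c = IP4(66, 9, 149, 187), s = IP4(161, 142, 100, 80);
    printf("MS key : c->s queue %u, s->c queue %u\n",
           rss_queue(rss_key_ms, c, s, 2794, 1766, 8), rss_queue(rss_key_ms, s, c, 1766, 2794, 8));
    printf("sym key: c->s queue %u, s->c queue %u\n",
           rss_queue(rss_key_sym, c, s, 2794, 1766, 8), rss_queue(rss_key_sym, s, c, 1766, 2794, 8));
    return 0;
}
```

The hash values for the Microsoft key match Microsoft's published RSS verification vectors, so the routine can be used to predict which core a given flow will land on for a NIC configured with a known key.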



Published In

CCS '11: Proceedings of the 18th ACM Conference on Computer and Communications Security
October 2011, 742 pages
ISBN: 9781450309486
DOI: 10.1145/2046707

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

GPU, NIDS, acceleration, intrusion detection, pattern matching

Acceptance Rates

CCS '11 paper acceptance rate: 60 of 429 submissions (14%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)

Cited By

• AdaptChain: Adaptive Data Sharing and Synchronization for NFV Systems on Heterogeneous Architectures. IEEE Transactions on Parallel and Distributed Systems, 35(7):1281-1292, July 2024. DOI: 10.1109/TPDS.2024.3400594
• Exploiting Structure in Regular Expression Queries. Proceedings of the ACM on Management of Data, 1(2):1-28, 20 June 2023. DOI: 10.1145/3589297
• Bolt: Scalable and Cost-Efficient Multistring Pattern Matching With Programmable Switches. IEEE/ACM Transactions on Networking, 31(2):846-861, April 2023. DOI: 10.1109/TNET.2022.3202523
• Paradise: Real-Time, Generalized, and Distributed Provenance-Based Intrusion Detection. IEEE Transactions on Dependable and Secure Computing, 20(2):1624-1640, 1 March 2023. DOI: 10.1109/TDSC.2022.3160879
• A Reconfigurable IDS Framework for Encrypted and Non-Encrypted Network Data in Supply Chains. 2023 International Conference on Engineering and Emerging Technologies (ICEET), pp. 1-6, 27 October 2023. DOI: 10.1109/ICEET60227.2023.10525930
• A Malicious Network Traffic Detection Model Based on Bidirectional Temporal Convolutional Network with Multi-Head Self-Attention Mechanism. Computers & Security, 103580, November 2023. DOI: 10.1016/j.cose.2023.103580
• Lightweight real-time WiFi-based intrusion detection system using LightGBM. Wireless Networks, 30(2):749-761, 5 October 2023. DOI: 10.1007/s11276-023-03516-0
• Challenges and Opportunities for Network Intrusion Detection in a Big Data Environment. Digital Transformation, Cyber Security and Resilience, pp. 93-106, 1 November 2023. DOI: 10.1007/978-3-031-44440-1_16
• The Diversification and Enhancement of an IDS Scheme for the Cybersecurity Needs of Modern Supply Chains. Electronics, 11(13):1944, 22 June 2022. DOI: 10.3390/electronics11131944
• Gaviss: Boosting the Performance of GPU-Accelerated NFV Systems via Data Sharing. IEEE Transactions on Parallel and Distributed Systems, 33(12):4472-4483, 1 December 2022. DOI: 10.1109/TPDS.2022.3193368
