Multi-Core Packet Scattering to Disentangle Performance Bottlenecks Yehuda Afek Tel-Aviv University.

Joint work with Anat Bremler-Barr, David Hay, Yotam Harchol and Yaron Koral. This work was supported by European Research Council (ERC) Starting Grant no

Deep Packet Inspection (IPS/IDS/FW). The heaviest processing part is the search for malicious patterns in the payload. How should it use multiple cores?
1. Pipeline multi-core: not efficient, because of the imbalance between the pipeline stations (DPI is much heavier than the other stages).
2. Parallel multi-core?

Multi-Core Deep Packet Inspection (DPI). Option 1: each core handles a subset of the patterns (Core 1: Pattern Set 1, Core 2: Pattern Set 2, Core 3: Pattern Set 3, Core 4: Pattern Set 4). Option 2: all cores are the same and each runs the full DPI; the packets are load-balanced between the cores.

Complexity DoS attack over a NIDS: packets that are easy to craft but very hard to process. A two-step attack from the Internet:
1. Kill the IPS/FW.
2. Steal CC.

Attack on security elements. Combined attack: a DDoS on the security element exposed the network, leading to the theft of customers' information.

Attack on Snort, the most widely deployed IDS/IPS worldwide. (Figure, x-axis: heavy packets rate.)

Our goal: a multi-core system architecture that is robust against complexity DDoS attacks.

Airline desk example: a check-in queue where each customer holds a flight ticket. Some customers take far longer than others: "An aisle seat near the window!!", "Three carry-on handbags!!!", "Doesn't like the food!!!", "Can't find passport!!", "Overweight!!!"

Domain properties of the airline desk:
1. Heavy and light customers.
2. Easy detection of heavy customers.
3. Moving customers between queues is cheap.
4. Heavy customers have a special, more efficient processing method (special training).
The same properties apply to packets.

Property 1 in the Snort attack: some packets are much "heavier" than others. The Snort-attack experiment.

The DPI mechanism is a main bottleneck in Snort. Snort uses an Aho-Corasick DFA: it holds a transition for each alphabet symbol, so it takes a single step for each input symbol. Fast and huge: best for normal traffic, but exposed to a cache-miss attack by heavy packets.

Crafting heavy packets: the Snort patterns database is fed to a malicious-packet factory that chops the last 2 bytes off each pattern.

Snort-attack experiment. (Figure: cache vs. main memory, normal traffic vs. attack scenario.) The attack does not require many packets!!!

The general case: complexity attacks, packets that are trivial to craft but hard to process. Domain properties:
1. Heavy and light packets.
2. Easy detection of heavy packets.
3. Moving packets between queues is cheap.
4. Heavy packets have a special, more efficient processing method.

Property 2 in the Snort attack: detecting heavy packets is feasible.

How do we detect? The DFA states may be quickly classified into common and non-common states, and a packet is judged by the percentage of non-common states it visits against a threshold. Claim: this is the general case in complexity attacks!!! (Figure: threshold on the percent of non-common states.)

How do we detect? The states are split into common states and non-common states. Heavy packet: (# not common states) / (# common states) ≤ α, evaluated after at least 20 bytes.
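An added example of the heavy-packet detector described above (not code from the talk or from Snort), in Python: it builds a compressed Aho-Corasick automaton (goto transitions plus failure links rather than a full transition matrix) from a constructed pattern set, assumes that the common states are the root and the depth-1 states, and flags a packet as heavy once, after at least 20 bytes, the share of non-common states it visited exceeds a threshold α (my reading of the slide's ratio rule). The pattern set, the two payloads and all names are constructed here.

```python
from collections import deque

# Constructed pattern set standing in for the Snort pattern database (assumption).
PATTERNS = ["attackpattern", "malware_beacon", "shellcode"]

def build_ac(patterns):
    """Aho-Corasick automaton as a trie (goto), failure links and state depth."""
    goto, depth = [{}], [0]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({})
                depth.append(depth[s] + 1)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
    fail = [0] * len(goto)
    q = deque(goto[0].values())            # depth-1 states fail to the root
    while q:
        r = q.popleft()
        for ch, s in goto[r].items():
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            q.append(s)
    return goto, fail, depth

def step(goto, fail, s, ch):
    """One automaton step: follow failure links until a goto transition exists."""
    while s and ch not in goto[s]:
        s = fail[s]
    return goto[s].get(ch, 0)

def classify(ac, payload, alpha=0.5, min_bytes=20, common_depth=1):
    """Common states = root and depth-1 states (assumed hot in cache).
    Returns ("heavy", byte_index) as soon as the non-common share exceeds
    alpha after min_bytes bytes, else ("light", len(payload))."""
    goto, fail, depth = ac
    s, common, noncommon = 0, 0, 0
    for i, ch in enumerate(payload, start=1):
        s = step(goto, fail, s, ch)
        if depth[s] <= common_depth:
            common += 1
        else:
            noncommon += 1
        if i >= min_bytes and noncommon / (common + noncommon) > alpha:
            return "heavy", i              # hand off to a dedicated core here
    return "light", len(payload)

NORMAL = "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"  # constructed
NEAR_MISSES = "attackpatte" + "malware_beac" + "shellco"                # constructed
```

On the near-miss payload the automaton leaves the top of the trie after the first byte of each chopped pattern, so the detector fires at the 20-byte checkpoint; the HTTP request never goes deeper than depth 1.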

Domain properties (recap):
1. Heavy and light packets.
2. Easy detection of heavy packets.
3. Moving packets between queues is cheap.
4. Heavy packets have a special, more efficient processing method.

System architecture, routine mode: the NIC load-balances packets between the cores of the processor chip (Core #1 to Core #10, each with its own queue Q), and every core detects heavy packets.

System architecture, alert mode: dedicated cores (Core #9 and Core #10, each with a queue B) process the heavy packets; the other cores detect heavy packets and move them to the dedicated cores.

Inter-thread communication. The heavy-packet queues are non-blocking: no locking mechanisms are used. Writers write to the queue in cycles (the cycle ID is incremented every full round), and the cycle ID is stored before and after the passed message. Readers read in the opposite direction:
- if the left ID != the right ID, the writer is now writing: wait and retry;
- if the left ID > the expected ID: overflow.
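The cycle-ID queue protocol above as an added, single-threaded Python model (not the talk's implementation): the slot layout and method names are assumptions, and unlike the real multi-core code it has no memory barriers between the three stores, so it shows the ID-check logic rather than the concurrency guarantees.

```python
class CycleRing:
    """Single-writer ring buffer modelled on the talk's heavy-packet queues
    (constructed example). Each slot is [left_id, message, right_id]; the
    writer stores its cycle ID on both sides of the message and the reader
    reads the IDs in the opposite order, so a mismatch reveals a write in
    progress. A real implementation needs memory barriers between the stores."""

    def __init__(self, size):
        self.size = size
        self.slots = [[0, None, 0] for _ in range(size)]
        self.wpos, self.wcycle = 0, 1   # writer: next slot, current cycle ID
        self.rpos, self.rcycle = 0, 1   # reader: next slot, expected cycle ID

    def write_begin(self, msg):
        """First half of a write: left ID, then the message."""
        slot = self.slots[self.wpos]
        slot[0] = self.wcycle
        slot[1] = msg

    def write_end(self):
        """Second half: the right ID publishes the slot; wrap and bump the cycle."""
        self.slots[self.wpos][2] = self.wcycle
        self.wpos += 1
        if self.wpos == self.size:
            self.wpos, self.wcycle = 0, self.wcycle + 1

    def write(self, msg):
        self.write_begin(msg)
        self.write_end()

    def read(self):
        """Read in the opposite direction: right ID, message, left ID.
        Returns (status, msg) with status ok / busy / empty / overflow."""
        slot = self.slots[self.rpos]
        right = slot[2]
        msg = slot[1]
        left = slot[0]
        if left != right:
            return "busy", None          # writer is mid-write: wait and retry
        if left < self.rcycle:
            return "empty", None         # slot still holds the previous round
        if left > self.rcycle:
            return "overflow", None      # writer lapped the reader
        self.rpos += 1
        if self.rpos == self.size:
            self.rpos, self.rcycle = 0, self.rcycle + 1
        return "ok", msg
```

Splitting the write into write_begin and write_end lets the model show the torn-read case the reader must retry on; the overflow case appears when the writer completes a full extra round before the reader catches up.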

Inter-thread communication. The IN-queues are non-blocking, since only one thread accesses each of them. The dedicated queues are blocking (using test&set locks); non-dedicated threads "steal" packets from the head of line (HoL) when sending a heavy packet. (Figure: the processor chip with Core #1 to Core #10 and their queues Q, the NIC, and the dedicated cores #9 and #10 with their queues B.)

Snort uses Aho-Corasick DFA

Full matrix vs. compressed. (Figure, x-axis: heavy packets rate.)

Experimental Results

System throughput over time. (Figure.) The reaction time can be smaller.

Different algorithms. (Figure, y-axis: goodput.)

Additional application for MCA 2: the Hybrid-FA-attack experiment.

Hybrid-FA: a space-efficient data structure for regular expression matching, faster than an NFA. Structure: a head DFA, border states, and tail DFAs. More than one state can be active at the same time! (Figure: an example Hybrid-FA with states s0 to s14 and tails for A.* and [^\n]*.)

Hybrid-FA attack. (Figure: normal traffic vs. attack scenario on the same example Hybrid-FA; the input CDBBCAB leaves states s0, s7, s8, s9, s10, s11, s12, s2, s5 and s13 active at once.) Again: does not require many packets!!!

Heavy packet detection. (Figure, with the detection threshold.)

MCA 2 With Hybrid-FA

Concluding remarks:
- A multi-core system architecture with robustness against complexity DDoS attacks.
- In this talk we focused on a specific NIDS and complexity attack; MCA 2 can handle more NIDS complexity attacks, like the Bro Lazy-FA.
- We believe this approach can be generalized (outside the scope of NIDS).

Thank you!!