Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.


Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue and Jun Li

2 Outline
- Introduction of NIDS* on IA*
- Architecture of Para-Snort
- Performance Evaluation
- Optimize Load Balancing
- Conclusions
*NIDS: Network Intrusion Detection System
*IA: Intel Architecture (also known as x86, or x64 for IA-64)

3 NIDS on IA platform
- A NIDS looks into both the header and the payload of packets to identify intrusions.
- IA is not as fast as ASICs or FPGAs, but it is cheap, easy to develop for, and flexible in structure and ruleset.
- Many NIDS on IA are not designed for multi-core processors.

4 Our purpose
- To design a NIDS that can utilize multi-core IA platforms, with a modular design, and that should not introduce new bottlenecks.
- Our work is based on Snort, by Sourcefire Inc.: the most popular open source NIDS on the IA platform. It identifies intrusions by matching incoming packets against signatures (the ruleset). It is single-threaded.

5 Outline Introduction of NIDS* on IA* Architecture of Para-Snort Performance Evaluation Optimize Load Balancing Conclusions

6 [Figures: The architecture of Snort; The architecture of Para-Snort]

7 The architecture of Para-Snort
Based on SnortSP 3.0, as a new and different branch. Features:
- Modular design
- Multifunction processing modules
- Memory sharing
- Optimization on core algorithms

8 Detailed module design
- Processing Module: each one is a single thread, running the preprocessors and the detection engine. It is easy to develop functions other than intrusion detection, such as antivirus or URL filtering; we designed a ClamAV processing module to do antivirus.
- Data Source Module: data acquisition and decoder.
- Load Balance Module: dispatches traffic and makes multi-staged processing possible.
- Output Module: generates alerts.

9 Outline Introduction of NIDS* on IA* Architecture of Para-Snort Performance Evaluation Optimize Load Balancing Conclusions

10 Performance Evaluation
[Figures: For tcpdump traces; For real traffic]
Test platform: two quad-core Xeon E5335 at 2.00GHz, 4 GB DRAM, Ubuntu 8.04, Linux kernel version

11 Performance Scaling with increase in Threads

12 Speedup of 2~7 threads

13 Outline Introduction of NIDS* on IA* Architecture of Para-Snort Performance Evaluation Optimize Load Balancing Conclusions

14 Optimize Load Balancing
- SnortSP 3.0 provides an IP hash algorithm, which is not balanced when there are few flows.
- Three improved methods: 5-tuple hash; Join the Shortest Queue (JSQ); Modified-JSQ, which reassigns a flow when it has been silent for a long time.

15 Modified-JSQ
Reassign a flow when it has been silent for a long time. We use the number of packets instead of time to decide whether a flow has been silent for a long time.
[Figure: Flow A; Other flows; Threshold = n packets]
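The four dispatch policies compared on slides 14 and 15, as an added simulation that is not code from Para-Snort or SnortSP: each policy assigns 5-tuple packets to worker threads; JSQ pins a flow to the thread that was shortest when its first packet arrived, and Modified-JSQ re-runs that choice once the flow has been silent for more than a threshold number of packets. The constructed trace, the use of cumulative packet counts as the load measure, and the crc32 hash are assumptions of this example.

```python
import zlib

def _hash(key):
    # crc32 of the repr keeps bucket choice stable across runs (unlike str hash())
    return zlib.crc32(repr(key).encode())

class Balancer:
    """Dispatch 5-tuple packets to n threads under 'iphash', '5tuple', 'jsq' or 'mjsq'.
    Load is the cumulative packet count per thread (an assumption of this example,
    standing in for the live queue length a real JSQ dispatcher would read)."""
    def __init__(self, n_threads, policy, threshold=100):
        self.n, self.policy, self.threshold = n_threads, policy, threshold
        self.load = [0] * n_threads  # packets dispatched to each thread so far
        self.assigned = {}           # flow -> pinned thread (JSQ policies only)
        self.last_seen = {}          # flow -> packet counter at its last packet
        self.clock = 0               # global packet counter: silence is counted in packets

    def dispatch(self, pkt):
        """pkt = (src_ip, dst_ip, src_port, dst_port, proto); returns the chosen thread."""
        self.clock += 1
        if self.policy == "iphash":
            t = _hash((pkt[0], pkt[1])) % self.n  # address pair only: few flows, few buckets
        elif self.policy == "5tuple":
            t = _hash(pkt) % self.n
        else:
            t = self.assigned.get(pkt)
            stale = (t is not None and self.policy == "mjsq"
                     and self.clock - self.last_seen[pkt] > self.threshold)
            if t is None or stale:
                # Join the Shortest Queue, then pin the flow so it is never split across threads
                t = min(range(self.n), key=lambda i: self.load[i])
                self.assigned[pkt] = t
            self.last_seen[pkt] = self.clock
        self.load[t] += 1
        return t

def run(policy, trace, n_threads=2, threshold=10):
    # Replay a trace under one policy and return the per-thread packet counts
    b = Balancer(n_threads, policy, threshold)
    for pkt in trace:
        b.dispatch(pkt)
    return b.load

# Constructed trace: A and B start, C then hammers thread 0, and A resumes after
# being silent for more than `threshold` packets. Plain JSQ keeps A pinned to the
# busy thread 0; Modified-JSQ moves it to thread 1, which is now the shorter queue.
FLOW_A = ("10.0.0.1", "10.0.0.2", 1111, 80, "tcp")
FLOW_B = ("10.0.0.3", "10.0.0.4", 2222, 80, "tcp")
FLOW_C = ("10.0.0.5", "10.0.0.6", 3333, 80, "tcp")
TRACE = [FLOW_A, FLOW_B, FLOW_C] + [FLOW_C] * 20 + [FLOW_A] * 10
```

With two threads, `run("jsq", TRACE)` ends at [32, 1] while `run("mjsq", TRACE)` ends at [22, 11], which is the imbalance the threshold-based reassignment on slide 15 is meant to remove.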

16 Performance of different load balancers

17 Outline Introduction of NIDS* on IA* Architecture of Para-Snort Performance Evaluation Optimize Load Balancing Conclusions

18 Conclusions
- The multi-thread design fully utilizes multi-core CPUs.
- Modular design with multifunction processing modules makes it easy to add modules.
- Solved the issues in load balancing and other algorithms.
- Good speedup, up to 7. Performance up to 800Mbps.

19 Questions Thank You