Kargus: A Highly-scalable software-based network intrusion detection
awoo100 Anthony Wood

Contents
- Background – What is Network Intrusion Detection
- Motivation
- Related work – hardware-based systems
- Limitations of hardware-based systems
- Related work – software-based systems
- Contribution
- Kargus – Methodology
- Kargus – Architecture
- Results
- Critical and Appreciative Analysis

Background – What is Network Intrusion Detection?
- Intrusion detection is the process of identifying and responding to malicious activities targeted at computing and network resources
- The goal of intrusion detection is to identify potential network intrusions and report them
- A typical workflow for NID is outlined below:

What is Kargus?
- Software-based Network Intrusion Detection system
- Based on signature matching (i.e. misuse detection)
- Uses batch processing and data parallelism

Motivation
- High-bandwidth networks are becoming more commonplace, with many large enterprise and campus networks adopting 10 Gbps+ connections
- This presents a number of challenges for intrusion detection:
  - It is required to monitor at line rate, identifying potential intrusion attempts by executing pattern matching against a large database of attack patterns
  - Reassembling segmented packets, flow-level payload reconstruction and handling a large number of concurrent flows also need to be implemented efficiently
  - It needs to protect against network attacks (e.g. DoS) on itself

Related work – hardware based
- A common approach is to meet these challenges with dedicated network processors:
  - [1] Cavium is an off-the-shelf product which uses between 4 and 16 specialist cores and other hardware, including a Hyper Access Memory Controller and I/O Bus
  - [2] McAfee Network Security Platform uses purpose-built hardware
  - Others use special pattern-matching memory
  - And regular expression matching on FPGAs

Limitations of hardware-based systems
- Maintenance and upgrades on such hardware can be expensive
- Decreased operational flexibility, as low-level code is required to configure the hardware to integrate with other systems
- The movement of organisations towards cloud infrastructure means that they no longer want or need to support hardware

Related work – software-based: Snort [3]
- A libpcap-based packet sniffer and logger that can be used as a cross-platform lightweight network intrusion detection system
- [4] High performance, but started to experience packet loss at 1.0 Gbps. However, this did not impact the ability of the system to detect network intrusions
Snort is one of the best-performing open source NIDS solutions available; however, it is unable to cope with the line rates available in modern networks

Contributions
- The authors present a highly-scalable software-based intrusion detection system architecture
- An IDS architecture that fully utilises modern hardware innovations, including:
  1. Multiple CPU cores
  2. Non-uniform memory access (NUMA) architecture
  3. Multi-queue 10 Gbps network interface cards (NICs)
  4. Heterogeneous processors like graphics processing units (GPUs)
- Two techniques used to get optimum performance are:
  1. Batch processing
  2. Parallel execution with an intelligent load balancing algorithm

Kargus – Architecture: An Overview

Kargus – Architecture: Employing the GPU for Pattern Matching
- One thread is started and affinitised to each CPU core. This reduces the overhead of thread switching
- Threads are divided into IDS engine threads and GPU dispatcher threads
- IDS engine threads read incoming traffic from the Network Interface Controller queues and are responsible for the entire IDS task for that piece of traffic
- IDS engine threads:
  1. Pre-process the network traffic data
  2. Perform multi-string matching to determine whether it is likely that a packet is an attack
  3. If necessary, perform rule option evaluation
- If the CPU of the thread is overloaded, it hands off the pattern matching workload to the GPU dispatcher thread

Kargus – Methodology: Packet Acquisition and Pre-processing
- To reduce allocation and deallocation overheads, Kargus batch-processes multiple packets at a time, allocating large buffers for packet payloads and metadata using the PacketShader I/O Engine (PSIO)
- The large buffers are recycled for subsequent packet reads
- Each RX queue is affinitised to a CPU core, removing thread-switching overheads
- Receive-side scaling (RSS) distributes incoming packets by hashing the 5-tuple (source IP, source port, destination IP, destination port, protocol). This allows traffic that is part of the same flow to be enqueued to the same NIC RX queue, in order
- Processing of each flow of packets can occur completely in parallel; therefore RSS reduces the impact of locking and thread safety on performance

Kargus – Methodology: Preparation for Matching
- IP packet fragments are reassembled and the checksum of the TCP packet is verified
- Manages the flow content for each TCP connection
- Identifies the application protocol that each packet belongs to
- Extracts the pattern rules to match against the packet payload

Kargus – Methodology: Attack Signature Matching
- Precondition: each packet payload has been reassembled and normalised
- The packet payload is forwarded to the attack signature detection engine
- The detection engine uses a two-phase approach to attack-signature matching
- Step 1: Multi-string pattern matching
  - Matches a set of simple strings (e.g. Snort's rules are organised into port groups based on the source and destination port numbers of the packet)
  - The port group is used to reduce the pattern-matching space: only attack signatures in the relevant port group are matched against the packet content
  - Pattern matching is implemented using Aho-Corasick, which has the same average-case and worst-case efficiency
- Step 2: Rule option evaluation
  - If packets are caught in the string matching phase, they are evaluated further against the full attack signature
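The two-phase matching described above, as an added example that is not from the Kargus paper or its code: one Aho-Corasick automaton per port group performs the phase-1 multi-string pass over every byte of the payload, and only packets that hit a content string are checked against the full rule option (here a regex). The rules and payloads are constructed for illustration and are not Snort's.

```python
import re
from collections import deque

class AhoCorasick:
    """Multi-string matcher: one pass over the payload whatever the pattern count (average case == worst case)."""
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [set()]   # state 0 is the root
        for pid, pat in enumerate(patterns):                    # build the trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(pid)
        q = deque(self.goto[0].values())                        # depth-1 states fail back to the root
        while q:                                                # BFS: set failure links, merge outputs
            r = q.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                q.append(s)
    def search(self, data):                                     # ids of every pattern found in data
        s, hits = 0, set()
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]
        return hits
RULES = [  # constructed sample rules, not Snort's: (dst port, phase-1 content string, phase-2 option regex)
    (80, b"../",     rb"(\.\./){3,}"),        # deep directory traversal in an HTTP request
    (80, b"<script", rb"<script[^>]*>"),      # script tag injected into a request
    (21, b"USER ",   rb"USER [^\r\n]{64,}"),  # overlong FTP username
]

def build_port_groups(rules):
    """One Aho-Corasick automaton per port: a packet is only scanned against its own port group."""
    groups = {}
    for port, content, option in rules:
        groups.setdefault(port, []).append((content, re.compile(option)))
    return {p: (AhoCorasick([c for c, _ in rs]), rs) for p, rs in groups.items()}

def detect(groups, dst_port, payload):   # phase 1: multi-string match; phase 2: option regex on hits only
    matcher, rules = groups.get(dst_port, (None, []))           # unknown port: no signatures to scan
    candidates = matcher.search(payload) if matcher else set()
    return sorted(rules[i][0] for i in candidates if rules[i][1].search(payload))
```

The second HTTP payload in the test below shows the point of phase 2: a single "../" trips the cheap content match but fails the full option, so it is not reported.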

Results
- Analysis of the packet capture methods shows that PSIO can handle much greater throughput (Gbps) whilst maintaining low CPU utilisation through batch processing

Results
- Processing speed for innocent traffic has almost doubled, whilst the speed-up for malicious traffic is significantly smaller. This is because Kargus' architecture is geared towards efficient processing of innocent traffic

Results
- Throughput and performance for Kargus are significantly greater across all packet sizes. For small packet sizes, the CPU-only version of Kargus is more effective
- For large packet sizes, the cost of initialisation and the overhead of maintaining the GPU thread does not maintain its usefulness

Conclusion
- A robust architecture that aims to optimise performance using a number of strategies at each stage of network intrusion detection
- Kargus appears to dramatically improve performance using batch processing for normal traffic. However, the speed-up for attack traffic is a lot less. This does not discount the validity of the solution, as it is reasonable to expect most network traffic to be normal
- GPU Kargus is more effective on larger packet sizes due to the overhead involved in allocating tasks to the GPU

Appreciative and Critical Analysis
Appreciative
- Seemingly robust architecture for systems with large CPU power
- Investigated the possibility of task parallelisation or pipelining, in addition to data parallelisation; however, pipelining gave suboptimal performance
Critical
- It would be interesting to compare performance with hardware-based systems on the same infrastructure
- Would like to see other performance measures such as detection accuracy and packet loss, as packet loss erodes system effectiveness
- Although most traffic is likely to be normal, the solution doesn't focus on reducing the complexity associated with malicious traffic. Heavily attacked networks using Kargus may experience less than ideal results as the CPU and GPU become overloaded
- May be susceptible to Denial-of-Service (DoS) attacks

References
[1] Intelligent Networks Powered by Cavium Octeon and Nitrox Processors: IDS/IPS Software Toolkit.
[2] McAfee Network Security Platform. com/us/products/network-security-platform.aspx.
[3] M. Roesch. Snort - Lightweight Intrusion Detection for Networks. In Proceedings of the USENIX Systems Administration Conference (LISA),
[4] A. Alhomoud, R. Munir, J. Pagna Disso, I. Awan, and A. Al-Dhelaan, "Performance evaluation study of intrusion detection systems," Procedia Computer Science, Vol. 5, pp , [Online]. Available: