Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gnort: High Performance Intrusion Detection Using Graphics Processors Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos Markatos,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Gnort: High Performance Intrusion Detection Using Graphics Processors Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos Markatos,"— Presentation transcript:

1 Gnort: High Performance Intrusion Detection Using Graphics Processors Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos Markatos, Sotiris Ioannidis Institute of Computer Science Foundation for Research and Technology Hellas

2 General Idea How to speed up the processing throughput of intrusion detection systems by offloading the pattern matching operations to the GPU. 2Giorgos Vasiliadis ICS-FORTH

3 Introduction The problem – Network Intrusion Detection Systems (NIDS) are based on String Matching for detecting and preventing from well-known attacks – String Matching process accounts up to 75% of the total CPU processing String Matching Algorithms –Aho-Corasick Specialized hardware devices (NP, FPGAs, ASICs) –Complex to modify and program –Poor flexibility Graphics Cards –Easy to program –Powerful and ubiquitous –Researches have begun exploring ways to tap their power for non-graphics applications 3Giorgos Vasiliadis ICS-FORTH

4 Why use the GPU ? The GPU is specialized for compute-intensive, highly parallel computation 4Giorgos Vasiliadis ICS-FORTH

5 NVIDIA GeForce SIMD Architecture Many Multiprocessors Each multiprocessor contains many Stream Processors Memory model – Shared On-Chip Memory 1 cycle – Constant Memory 400-600 cycles; 1 cycle if cached – Texture Memory 400-600 cycles; 1 cycle if cached – Global Device Memory 400-600 cycles Size Giorgos Vasiliadis ICS-FORTH GPU can be used as a general purpose processor, capable of executing many threads in parallel

6 The Aho-Corasick Algorithm Used in most modern NIDSes  Scans for multiple patterns simultaneously Preprocess all patterns to build a state machine The state machine is used to scan for multiple patterns simultaneously at linear time  Complexity is independent of the number of patterns Example: P={he, she, his, hers} 6Giorgos Vasiliadis ICS-FORTH

7 Mapping Aho-Corasick on GPU How to represent the State Machine ? Snort represent each state as an array of pointers – It is difficult to map them on the GPU memory  Transform to a 2D array – Can easily bind to Texture Memory Texture fetches are cached Aho-Corasick exhibits strong locality of references Random access memory read  The usage of Texture Memory boosts GPU execution time about 19 % 7Giorgos Vasiliadis ICS-FORTH

8 Parallelizing Packet Searching (1/2) Assigning a Single Packet to each Multiprocessor  Each packet is copied to the shared memory of the Multiprocessor  Stream Processors search different parts of the packet concurrently  Overlapping computation Matching patterns may span consecutive chunks of the packet  Same amount of work per Stream Processor Stream Processors will be synchronized 8Giorgos Vasiliadis ICS-FORTH

9 Parallelizing Packet Searching (2/2) Assigning a Single Packet to each Stream Processor  Each packet is processed by a different Stream Processor  No overlapping computation  Different amount of work per Stream Processor Stream processors of the same Multiprocessor will have to wait until all have finished 9Giorgos Vasiliadis ICS-FORTH

10 Software Mapping Packets are transferred to the GPU in batches – Performs much better than making each transfer separately  Packets are stored to a buffer that is copied to the GPU when gets full Use page-locked memory to store the packets – Higher transfer throughput from host to device – Copies are performed using DMA, without occupying the CPU CPU and GPU execution can overlap 10Giorgos Vasiliadis ICS-FORTH

11 Evaluation (1/2) Scalability as a function of the number of patterns 11Giorgos Vasiliadis ICS-FORTH We ran Snort using random generated patterns All patterns are matched against every packet Payload trace contained UDP 800-bytes packets of random payload  Throughput remains constant when #patterns increases  2.4x faster than the CPU

12 Evaluation (2/2) Throughput as a function of the packets size 12Giorgos Vasiliadis ICS-FORTH Ran Snort using 1000 random patterns All patterns are matched against every packet  2.3 Gbit/s for full packets  3.2x faster compared to the CPU  Both GPU implementations do not present significant differences in performance

13 Evaluation with real input and rules Experimental setup – Two PCs connected via a 1 Gbit/s Ethernet switch To directly compare with prior work [Jacob et al], we re-implemented the Knuth-Morris-Pratt (KMP) and Boyer-Moore (BM) algorithms on the GPU. Giorgos Vasiliadis ICS-FORTH13

14 Evaluation with real input and rules 14Giorgos Vasiliadis ICS-FORTH Snort loaded about 8000 patterns. Preprocessors and PCRE were disabled  Original Snort (AC) cannot process all packets in rates higher than 300 Mbit/s  GPU-assisted Snort (AC1, AC2) begins to loose packets at 600 Mbit/s  200% improvement  KMP and BM algorithms used from [Jacob et al] perform worse in all cases

15 Conclusion Graphics cards can be used effectively to speed up Network Intrusion Detection Systems. – Low-cost – Easy programming Future work includes – Transfer the packets directly from the NIC to the GPU – Utilize multiple GPUs on multi-slot motherboards 15Giorgos Vasiliadis ICS-FORTH

16 Thank you Any questions? gvasil@ics.forth.gr Giorgos Vasiliadis ICS-FORTH16

Download ppt "Gnort: High Performance Intrusion Detection Using Graphics Processors Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos Markatos,"

Similar presentations

Multiprocessors— Large vs. Small Scale Multiprocessors— Large vs. Small Scale.

Multiprocessors— Large vs. Small Scale Multiprocessors— Large vs. Small Scale.
Lecture 38: Chapter 7: Multiprocessors Today’s topic –Vector processors –GPUs –An example 1.

Lecture 38: Chapter 7: Multiprocessors Today’s topic –Vector processors –GPUs –An example 1.
Scalable Multi-Cache Simulation Using GPUs Michael Moeng Sangyeun Cho Rami Melhem University of Pittsburgh.

Scalable Multi-Cache Simulation Using GPUs Michael Moeng Sangyeun Cho Rami Melhem University of Pittsburgh.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
Efficient Packet Pattern Matching for Gigabit Network Intrusion Detection using GPUs Date:102/1/9 Publisher:IEEE HPCC 2012 Author:Che-Lun Hung, Hsiao-hsi.

Efficient Packet Pattern Matching for Gigabit Network Intrusion Detection using GPUs Date:102/1/9 Publisher:IEEE HPCC 2012 Author:Che-Lun Hung, Hsiao-hsi.
CSC457 Seminar YongKang Zhu December 6 th, 2001 About Network Processor.

CSC457 Seminar YongKang Zhu December 6 th, 2001 About Network Processor.
CS 345 Computer System Overview

CS 345 Computer System Overview
Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.

Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.
Acceleration of the Smith– Waterman algorithm using single and multiple graphics processors Author : Ali Khajeh-Saeed, Stephen Poole, J. Blair Perot. Publisher:

Acceleration of the Smith– Waterman algorithm using single and multiple graphics processors Author : Ali Khajeh-Saeed, Stephen Poole, J. Blair Perot. Publisher:
1 Threading Hardware in G80. 2 Sources Slides by ECE 498 AL : Programming Massively Parallel Processors : Wen-Mei Hwu John Nickolls, NVIDIA.

1 Threading Hardware in G80. 2 Sources Slides by ECE 498 AL : Programming Massively Parallel Processors : Wen-Mei Hwu John Nickolls, NVIDIA.
1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.

1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Multiprocessors ELEC 6200: Computer Architecture and Design Instructor : Agrawal Name: Nam.

Multiprocessors ELEC 6200: Computer Architecture and Design Instructor : Agrawal Name: Nam.
Improving the Performance of Network Intrusion Detection Using Graphics Processors Giorgos Vasiliadis Master Thesis Presentation Computer Science Department.

Improving the Performance of Network Intrusion Detection Using Graphics Processors Giorgos Vasiliadis Master Thesis Presentation Computer Science Department.
Chapter 1 and 2 Computer System and Operating System Overview

Chapter 1 and 2 Computer System and Operating System Overview
A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.

A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

Similar presentations

Ads by Google