Presentation is loading. Please wait.

Presentation is loading. Please wait.

Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.

Published byBerniece Clark Modified over 9 years ago

Similar presentations

Presentation on theme: "Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue."— Presentation transcript:

1 Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue and Jun Li

2 2 Outline Introduction of NIDS on IA Some previous work Structure of our system, what’s different? Detailed module design Breaking the bottlenecks Para-Snort Performance Conclusions

3 3 NIDS on IA platform NIDS(Network Intrusion Detection System) looks into both header and payload of packets to identify intrusion Why on IA platform?  low price  easily to develop  flexibility on structure and ruleset But not so fast as ASICs or FPGA!

4 4 The structure of NIDS Snort by Sourcefire Inc. The most popular open source NIDS on IA platform Preprocess and Detect cost most computation power

5 5 Way to speed up? Multicore IA platform Leads the trends of higher processor computation power Need parallel structure of the software Rarely leveraged in existing NIDS Two previous work: Supra-linear and MultiSnort

6 6 Supra-linear Packet Processing Intel Co. in 2006 One data acquisition component Duplicated other components No memory sharing

7 7 MultiSnort Derek L. Schuff, Purdue University. With memory sharing Not a clean-cut modular structure

8 8 Our design – ParaSnort Based on SnortSP 3.0, a new different branch  Modular design  Multifunction processing modules  Memory sharing  Optimization on core algorithms  Sufficient speedup

9 9 Detailed module design Data Source  data acquisition and decoder Load Balance  dispatches traffic and makes multi-staged processing Processing Module  each is a single thread  preprocessors and detection engine  easy to develop functions other than intrusion detection, such as antivirus or URL filtering Output module  Generate alert

10 10 Optimize Load Balancing SnortSP 3.0 provides IP hash algorithm Not so balance when there are few flows Three improve methods: 5-tuple hash Join the Shortest Queue Modified-JSQ Reassign a flow when it has silenced for a long time

11 11 Optimize Multi-pattern Matching SnortSP 3.0 provides AC algorithm AC works fast, and when there are few matches, the cache locality is high. But when there are many matches in the traffic, the cache locality turns bad. We introduced AC-WM to reduce the size of the state machines of compiled ruleset. While costs much less memory, AC-WM is a bit slower than AC for ordinary traffics, so users can decide which to use according to their network environment.

12 12 Para-Snort Performance

13 13 The Setup For tcpdump tracesFor real traffic two quad-core Xeon E5335 at 2.00GHz 4 GB DRAM Ubuntu 8.04 Linux kernel version 2.6.27

14 14

15 15 Performance of 400~800Mbps

16 16 Speedup of 4~7, almost linear for LL

17 17 Performance of different load balancers

18 18 Performance of Different Pattern Matching

19 19 Performance Summary Good speedup, up to 7. Performance up to 800Mbps M-JSQ is fastest AC-WM costs less memory, but slower

20 20 Conclusions Multi-thread design fully utilizes multi-core CPU Modular design, multifunction process modules, easy to add modules. Solve the issues in load balancing and multi-pattern matching Can be NIPS if inline data source module added.

21 21 Questions Thank You

Download ppt "Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue."

Similar presentations

International Symposium on Low Power Electronics and Design Qing Xie, Mohammad Javad Dousti, and Massoud Pedram University of Southern California ISLPED.

International Symposium on Low Power Electronics and Design Qing Xie, Mohammad Javad Dousti, and Massoud Pedram University of Southern California ISLPED.
Scalable Multi-Cache Simulation Using GPUs Michael Moeng Sangyeun Cho Rami Melhem University of Pittsburgh.

Scalable Multi-Cache Simulation Using GPUs Michael Moeng Sangyeun Cho Rami Melhem University of Pittsburgh.
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.
MULTICORE PROCESSOR TECHNOLOGY.  Introduction  history  Why multi-core ?  What do you mean by multicore?  Multi core architecture  Comparison of.

MULTICORE PROCESSOR TECHNOLOGY.  Introduction  history  Why multi-core ?  What do you mean by multicore?  Multi core architecture  Comparison of.
Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.

Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.
From Imagery to Map: Digital Photogrammetric Technologies 13 th International Scientific and Technical Conference From Imagery to Map: Digital Photogrammetric.

From Imagery to Map: Digital Photogrammetric Technologies 13 th International Scientific and Technical Conference From Imagery to Map: Digital Photogrammetric.
Spring 2008 Network On Chip Platform Instructor: Yaniv Ben-Itzhak Students: Ofir Shimon Guy Assedou.

Spring 2008 Network On Chip Platform Instructor: Yaniv Ben-Itzhak Students: Ofir Shimon Guy Assedou.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Topics in Advanced Network Security 1 Stateful Intrusion Detection for High Speed Networks Christopher Kruegel Fredrick Valeur Giovanni Vigna Richard Kemmerer.

Topics in Advanced Network Security 1 Stateful Intrusion Detection for High Speed Networks Christopher Kruegel Fredrick Valeur Giovanni Vigna Richard Kemmerer.
Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.
1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman

1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman
CS 732: Advance Machine Learning Usman Roshan Department of Computer Science NJIT.

CS 732: Advance Machine Learning Usman Roshan Department of Computer Science NJIT.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Gnort: High Performance Intrusion Detection Using Graphics Processors Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos Markatos,

Gnort: High Performance Intrusion Detection Using Graphics Processors Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos Markatos,
INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM
1b.1 Types of Parallel Computers Two principal approaches: Shared memory multiprocessor Distributed memory multicomputer ITCS 4/5145 Parallel Programming,

1b.1 Types of Parallel Computers Two principal approaches: Shared memory multiprocessor Distributed memory multicomputer ITCS 4/5145 Parallel Programming,
HPCC Mid-Morning Break Dirk Colbry, Ph.D. Research Specialist Institute for Cyber Enabled Discovery Introduction to the new GPU (GFX) cluster.

HPCC Mid-Morning Break Dirk Colbry, Ph.D. Research Specialist Institute for Cyber Enabled Discovery Introduction to the new GPU (GFX) cluster.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
Sven Ubik, Petr Žejdl CESNET TNC2008, Brugges, 19 May 2008 Passive monitoring of 10 Gb/s lines with PC hardware.

Sven Ubik, Petr Žejdl CESNET TNC2008, Brugges, 19 May 2008 Passive monitoring of 10 Gb/s lines with PC hardware.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.

Similar presentations

Ads by Google