Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.


1 Para-Snort: A Multi-thread Snort on Multi-Core IA Platform
Tsinghua University
PDCS 2009, November 3, 2009
Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue and Jun Li

2 Outline
- Introduction of NIDS* on IA*
- Architecture of Para-Snort
- Performance Evaluation
- Optimize Load Balancing
- Conclusions
*NIDS: Network Intrusion Detection System
*IA: Intel Architecture (also known as x86, or x64 for IA-64)

3 NIDS on IA platform
- A NIDS looks into both the header and the payload of packets to identify intrusions.
- IA is not as fast as ASICs or FPGAs, but it is:
  - cheap
  - easy to develop with
  - flexible in structure and ruleset
- Many NIDSs on IA are not designed for multi-core processors.
*NIDS: Network Intrusion Detection System
*IA: Intel Architecture (also known as x86, or x64 for IA-64)

4 Our purpose
- To design a NIDS that can utilize multi-core IA platforms.
  - With a modular design
  - It shouldn't introduce new bottlenecks
- Our work is based on Snort.
  - By Sourcefire Inc.
  - The most popular open source NIDS on the IA platform.
  - It identifies intrusions by matching incoming packets against the signatures (ruleset).
  - Single-threaded

5 Outline
- Introduction of NIDS* on IA*
- Architecture of Para-Snort
- Performance Evaluation
- Optimize Load Balancing
- Conclusions

6 [Figures: The architecture of Snort; The architecture of Para-Snort]

7 The architecture of Para-Snort
- Based on SnortSP 3.0, a new and different branch
- Features:
  - Modular design
  - Multifunction processing modules
  - Memory sharing
  - Optimization of core algorithms

8 Detailed module design
- Processing Module
  - Each one is a single thread
  - Contains the preprocessors and the detection engine
  - Makes it easy to develop functions other than intrusion detection, such as antivirus or URL filtering
  - We designed a ClamAV processing module to do antivirus
- Data Source Module
  - Data acquisition and decoder
- Load Balance Module
  - Dispatches traffic and enables multi-staged processing
- Output Module
  - Generates alerts

9 Outline
- Introduction of NIDS* on IA*
- Architecture of Para-Snort
- Performance Evaluation
- Optimize Load Balancing
- Conclusions

10 Performance Evaluation
[Figures: For tcpdump traces; For real traffic]
- Two quad-core Xeon E5335 at 2.00GHz
- 4 GB DRAM
- Ubuntu 8.04
- Linux kernel version 2.6.27

11 Performance Scaling with increase in Threads

12 Speedup of 2~7 threads

13 Outline
- Introduction of NIDS* on IA*
- Architecture of Para-Snort
- Performance Evaluation
- Optimize Load Balancing
- Conclusions

14 Optimize Load Balancing
- SnortSP 3.0 provides an IP hash algorithm
  - Not balanced when there are few flows
- Three improved methods:
  - 5-tuple hash
  - Join the Shortest Queue (JSQ)
  - Modified-JSQ: reassign a flow when it has been silent for a long time

15 Modified-JSQ
- Reassign a flow when it has been silent for a long time.
- We use the number of packets instead of time to identify whether a flow has been silent for a long time.
[Figure: Flow A among other flows; Threshold = n packets]
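
The Modified-JSQ rule from slides 14 and 15, as an added sketch that is not taken from the slides or from Para-Snort's source: a flow keeps its processing thread (so per-flow state stays in one place) and moves to the shortest queue only when it is new or has been silent for more than n packets. All names, the threshold value, the hash and the direct-mapped flow table are assumptions, and the code assumes a single dispatcher thread.

```c
#include <stdint.h>
#include <string.h>

#define N_THREADS 4
#define TABLE_SIZE 1024      /* assumed flow-table size (power of two) */
#define SILENCE_THRESHOLD 8  /* the slide's "n packets"; value assumed */

struct five_tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct flow_entry { uint32_t key; int thread; uint64_t last_seen; int used; };

static struct flow_entry flows[TABLE_SIZE];
static int queue_len[N_THREADS];   /* packets waiting per processing thread */
static uint64_t pkt_counter;       /* packets dispatched so far, all flows */

void lb_reset(void) {
    memset(flows, 0, sizeof flows);
    memset(queue_len, 0, sizeof queue_len);
    pkt_counter = 0;
}

/* 5-tuple hash: XOR-fold the fields, then a multiplicative mix (assumed). */
static uint32_t flow_hash(const struct five_tuple *t) {
    uint32_t x = t->src ^ t->dst ^ (((uint32_t)t->sport << 16) | t->dport) ^ t->proto;
    return x * 2654435761u;
}

static int shortest_queue(void) {
    int best = 0;
    for (int i = 1; i < N_THREADS; i++)
        if (queue_len[i] < queue_len[best]) best = i;
    return best;
}

/* Choose the processing thread for one packet and enqueue it there. */
int lb_dispatch(const struct five_tuple *t) {
    uint32_t h = flow_hash(t);
    struct flow_entry *e = &flows[h & (TABLE_SIZE - 1)];
    pkt_counter++;
    int is_new = !e->used || e->key != h;   /* a slot collision evicts the old flow */
    /* Silence is measured in packets of all flows seen since this flow's last one. */
    int silent = !is_new && pkt_counter - e->last_seen > SILENCE_THRESHOLD;
    if (is_new || silent) {                 /* only now may the flow change thread */
        e->thread = shortest_queue();
        e->key = h; e->used = 1;
    }
    e->last_seen = pkt_counter;
    queue_len[e->thread]++;
    return e->thread;
}

void lb_packet_done(int thread) { if (queue_len[thread] > 0) queue_len[thread]--; }
```

With real worker threads calling `lb_packet_done`, the queue counters would need atomic updates.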

16 Performance of different load balancers

17 Outline
- Introduction of NIDS* on IA*
- Architecture of Para-Snort
- Performance Evaluation
- Optimize Load Balancing
- Conclusions

18 Conclusions
- The multi-thread design fully utilizes multi-core CPUs.
- Modular design and multifunction processing modules; easy to add modules.
- Solves the issues in load balancing and other algorithms.
- Good speedup, up to 7.
- Performance up to 800Mbps.

19 Questions
Thank You

