Deep Packet Inspection Time-Aware Load Balancer on Many-Core Processors for Fast Intrusion Detection

  • Choi, Yoon-Ho
  • Park, Woojin
  • Choi, Seok-Hwan
  • Seo, Seung-Woo
  • Received: 2016.04.21
  • Accepted: 2016.06.13
  • Published: 2016.06.30


To realize high-speed intrusion detection while accommodating many regular expression (regex)-based signatures and growing network link capacities, we propose the Service TimE-Aware Load-balancing (STEAL) algorithm. This work is motivated by the observation that the utilization of a many-core network intrusion detection system (NIDS) is influenced by unfair computational distribution among many-core NIDS nodes. To avoid such unfair computational distribution, STEAL is designed to dynamically distribute a large volume of traffic among many-core NIDS nodes based on packet service time, which is represented by the deep packet inspection time in many-core NIDS nodes. Through experiments, we show that, compared to the commonly used load-balancing algorithm based on arrival rate, STEAL increases the number of received packets (i.e., decreases the number of dropped packets) in a many-core NIDS. Specifically, by integrating an open source NIDS (i.e., Bro) with STEAL, we show that even under attack-dominant traffic and with many signatures, STEAL can rapidly improve the performance of a many-core NIDS to realize high-speed intrusion detection.
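The comparison in the abstract can be reproduced in a simplified queueing model. This is an added example, not the authors' STEAL implementation, whose details this page does not give. The two-node setup, the per-node capture queue of two packets, per-packet dispatch without flow affinity, the constructed trace and all function names are assumptions made for illustration.

```python
from collections import deque

def simulate(trace, n_nodes, queue_cap, pick_node):
    """Replay (arrival_time, dpi_time) packets; return (received, dropped)."""
    queues = [deque() for _ in range(n_nodes)]   # finish times of queued packets
    received = dropped = 0
    for seq, (t, dpi_time) in enumerate(trace):
        for q in queues:                         # retire packets already inspected
            while q and q[0] <= t:
                q.popleft()
        # Outstanding inspection time per node at this arrival.
        backlog = [q[-1] - t if q else 0 for q in queues]
        node = pick_node(seq, backlog, queues, queue_cap)
        if node is None or len(queues[node]) >= queue_cap:
            dropped += 1                         # capture queue full: packet is lost
            continue
        queues[node].append(t + backlog[node] + dpi_time)
        received += 1
    return received, dropped

def by_arrival_rate(seq, backlog, queues, cap):
    """Equalize packets per node (round robin), ignoring inspection cost."""
    return seq % len(queues)

def by_service_time(seq, backlog, queues, cap):
    """Send the packet to the node with the least outstanding inspection time."""
    free = [i for i, q in enumerate(queues) if len(q) < cap]
    return min(free, key=lambda i: backlog[i]) if free else None

def constructed_trace(n_packets=24):
    """Constructed input: one packet every 2 ticks; every other packet hits
    expensive regex signatures (6 ticks of inspection instead of 1)."""
    return [(2 * i, 6 if i % 2 == 0 else 1) for i in range(n_packets)]

if __name__ == "__main__":
    trace = constructed_trace()
    for name, policy in (("arrival-rate", by_arrival_rate),
                         ("service-time", by_service_time)):
        received, dropped = simulate(trace, 2, 2, policy)
        print(f"{name:13s} received={received} dropped={dropped}")
```

The offered load is the same in both runs and is below the combined capacity of the two nodes. The arrival-rate policy still drops packets because every expensive packet lands on the same node, and the packets it drops are the expensive ones.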


Service-time aware; Intrusion detection; Dynamic load balancing; Many-core processors




Supported by: National Research Foundation (NRF)