- Volume 5 Issue 3
Deep Packet Inspection Time-Aware Load Balancer on Many-Core Processors for Fast Intrusion Detection
- Choi, Yoon-Ho
- Park, Woojin
- Choi, Seok-Hwan
- Seo, Seung-Woo
- Received : 2016.04.21
- Accepted : 2016.06.13
- Published : 2016.06.30
To realize high-speed intrusion detection while accommodating many regular expression (regex)-based signatures and growing network link capacities, we propose the Service TimE-Aware Load-balancing (STEAL) algorithm. This work is motivated by the observation that the utilization of a many-core network intrusion detection system (NIDS) is influenced by unfair computational distribution among many-core NIDS nodes. To avoid such unfair computational distribution, STEAL is designed to dynamically distribute a large volume of traffic among many-core NIDS nodes based on packet service time, which is represented by the deep packet inspection time in many-core NIDS nodes. Through experiments, we show that, compared to the commonly used load-balancing algorithm based on arrival rate, STEAL increases the number of received packets (i.e., decreases the number of dropped packets) in many-core NIDS. Specifically, by integrating an open source NIDS (i.e., Bro) with STEAL, we show that even under attack-dominant traffic and with many signatures, STEAL can rapidly improve the performance of many-core NIDS to realize high-speed intrusion detection.
Service-time aware;Intrusion detection;Dynamic load balancing;Many-core processors
Supported by : National Research Foundation (NRF)