1 / 24

MIDeA :A Multi-Parallel Instrusion Detection Architecture

MIDeA :A Multi-Parallel Instrusion Detection Architecture. Author : Giorgos Vasiliadis , Michalis Polychronakis ,Sotiris Ioannidis Publisher: CCS’11, October 17–21, 2011, Chicago, Illinois, USA. Presenter: Ye- Zhi Chen Date: 2012/05/09. Introduction.

india
Download Presentation

MIDeA :A Multi-Parallel Instrusion Detection Architecture

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MIDeA :A Multi-Parallel Instrusion Detection Architecture Author: GiorgosVasiliadis , MichalisPolychronakis ,Sotiris Ioannidis Publisher: • CCS’11, October 17–21, 2011, Chicago, Illinois, USA. Presenter: Ye-Zhi Chen Date: 2012/05/09

  2. Introduction • MIDeA, a new model for network intrusion detection systems, which combines commodity, general purpose hardware components in a single-node design, tailored for high-performance network traffic analysis.

  3. Design Principle • traffic has to be separated at the network flow level using existing, commodity solutions, without incurring any serialization on the processing path • per-flow traffic processing should be parallelized beyond simple per-flow load balancing across different CPU cores • a pipelining scheme that allows CPU and GPU execution to overlap, and consequently hides the added latencies

  4. Architecture

  5. Architecture • This design has a number of benefits: • it does not require any synchronization or lock mechanisms since different cores process different data in isolation. • having several smaller data structures (such as the TCP reassembly tables) instead of sharing a few large ones, not only reduces the number of table look-ups required to find a matching element, but also reduces the size of the working set in each cache, increasing overall cache efficiency.

  6. Architecture • Packet Capturing :Multiqueue NICs • Receive-Side Scaling (RSS) : a Microsoft Scalable Networking initiative technology that enables receive processing to be balanced across multiple processors in the system while maintaining in-order delivery of the data • The Rx-queues are not shared between the CPU cores, eliminating the need of synchronization • To avoid costly packet copies and context switches between user and kernel space, we use the PF_RING network socket . The most efficient way to integrate a PF_RING socket with a multiqueue NIC is to dedicate a separate ring buffer for each available Rx-queue. Network packets of each Rx-queue are stored into a separate ring buffer and are pulled by the user-level process

  7. Architecture • Load Balancing :Hash-based • The hash function, computed on the typical 5-tuple <ip_src, ip_dst, • port_src, port_dst, protocol> achieves good distribution among the different queues.

  8. Processing Engine • Preprocessing: • Flow reassembly :TCP packets are reassembled into TCP streams to build the entire application dialog before they are forwarded to the pattern matching engine.

  9. Processing Engine • Parallel Multi-Pattern Engine: • Unfortunately, in the CUDA runtime system , on which MIDeA is based, each CPU thread is executed in its own CUDA context. In other words, a different memory space has to be allocated in the GPU for each process, since they cannot share memory on the GPU device

  10. Processing Engine

  11. OPTIMIZATION • GPU Memory Access : • Batch • Page-locked memory • Int4 • Texture memory

  12. OPTIMIZATION • Pipelined Execution :

  13. EXPERIMENTAL EVALUATION • Hardware : • Our base system has two processor sockets, each with one Intel Xeon E5520 Quad-core CPU at 2.27GHz and 8192KB of L3-cache. Each socket has an integrated memory controller, connected to memory via a memory bus • two PCIe 2.0 ×16 slots, which we populated withtwoGeForce GTX480 graphics cards, and one PCIe 2.0 ×8 slot holding one Intel 82599EB 10GbE NIC • Each NVIDIA GeForceGTX 480 is equipped with 480 cores, organized in 15 multiprocessors, and 1.5GB of GDDR5 memory.

  14. EXPERIMENTAL EVALUATION

  15. EXPERIMENTAL EVALUATION • Software : • OS : Linux 2.6.32 with the ioatdma and dca modules loaded • The ioatdma driver is required for supporting QuickPathInterconnect architecture of recent Intel processors. DCA (Direct Cache Access) is a NIC technology that directly places incoming packets into the cache of the CPU core for immediate access by the application. • default rule set of Snort 2.8.6, which consists of 8,192 rules, comprising about 193,000 substrings for string searching

  16. EXPERIMENTAL EVALUATION

  17. EXPERIMENTAL EVALUATION

  18. EXPERIMENTAL EVALUATION

  19. EXPERIMENTAL EVALUATION

  20. EXPERIMENTAL EVALUATION

  21. EXPERIMENTAL EVALUATION

  22. EXPERIMENTAL EVALUATION

More Related