detection architecture
play

Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis - PowerPoint PPT Presentation

Mar 28, 2023 •204 likes •548 views

MIDeA: A Multi-Parallel Intrusion Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U., USA Sotiris Ioannidis, FORTH-ICS, Greece CCS 2011, 19 October 2011 Network Intrusion Detection Systems

  1. MIDeA: A Multi-Parallel Intrusion Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U., USA Sotiris Ioannidis, FORTH-ICS, Greece CCS 2011, 19 October 2011

  2. Network Intrusion Detection Systems • Typically deployed at ingress/egress points – Inspect all network traffic – Look for suspicious activities – Alert on malicious actions 10 GbE Internal Internet Network NIDS gvasil@ics.forth.gr 2

  3. Challenges • Traffic rates are increasing – 10 Gbit/s Ethernet speeds are common in metro/enterprise networks – Up to 40 Gbit/s at the core • Keep needing to perform more complex analysis at higher speeds – Deep packet inspection – Stateful analysis – 1000s of attack signatures gvasil@ics.forth.gr 3

  4. Designing NIDS • Fast – Need to handle many Gbit/s – Scalable • Moore’s law does not hold anymore • Commodity hardware – Cheap – Easily programmable gvasil@ics.forth.gr 4

  5. Today: fast or commodity • Fast “hardware” NIDS – FPGA/TCAM/ASIC based – Throughput: High • Commodity “software” NIDS – Processing by general-purpose processors – Throughput: Low gvasil@ics.forth.gr 5

  6. MIDeA • A NIDS out of commodity components – Single-box implementation – Easy programmability – Low price Can we build a 10 Gbit/s NIDS with commodity hardware? gvasil@ics.forth.gr 6

  7. Outline • Architecture • Implementation • Performance Evaluation • Conclusions gvasil@ics.forth.gr 7

  8. Single-threaded performance Pattern NIC Preprocess Output matching • Vanilla Snort: 0.2 Gbit/s gvasil@ics.forth.gr 8

  9. Problem #1: Scalability • Single-threaded NIDS have limited performance – Do not scale with the number of CPU cores gvasil@ics.forth.gr 9

  10. Multi-threaded performance Pattern Preprocess Output matching Pattern NIC Preprocess Output matching Pattern Preprocess Output matching • Vanilla Snort: 0.2 Gbit/s • With multiple CPU-cores: 0.9 Gbit/s gvasil@ics.forth.gr 10

  11. Problem #2: How to split traffic cores  Synchronization overheads NIC  Cache misses  Receive-Side Scaling (RSS) 11

  12. Multi-queue performance Pattern Preprocess Output matching RSS Pattern Preprocess Output NIC matching Pattern Preprocess Output matching • Vanilla Snort: 0.2 Gbit/s • With multiple CPU-cores: 0.9 Gbit/s • With multiple Rx-queues: 1.1 Gbit/s 12

  13. Problem #3: Pattern matching is the bottleneck > 75% Pattern NIC Preprocess Output matching  Offload pattern matching on the GPU Pattern NIC Preprocess Output matching gvasil@ics.forth.gr 13

  14. Why GPU? • General-purpose computing – Flexible and programmable • Powerful and ubiquitous – Constant innovation • Data-parallel model – More transistors for data processing rather than data caching and flow control gvasil@ics.forth.gr 14

  15. Offloading pattern matching to the GPU Pattern Preprocess Output matching RSS Pattern Preprocess Output NIC matching Pattern Preprocess Output matching • Vanilla Snort: 0.2 Gbit/s • With multiple CPU-cores: 0.9 Gbit/s • With multiple Rx-queues: 1.1 Gbit/s • With GPU: 5.2 Gbit/s 15

  16. Outline • Architecture • Implementation • Performance Evaluation • Conclusions gvasil@ics.forth.gr 16

  17. Multiple data transfers PCIe PCIe GPU CPU NIC • Several data transfers between different devices Are the data transfers worth the computational gains offered? gvasil@ics.forth.gr 17

  18. Capturing packets from NIC Ring buffers User space Kernel space Rx Rx Rx Rx Network Interface Rx Queue Assigned • Packets are hashed in the NIC and distributed to different Rx-queues • Memory-mapped ring buffers for each Rx-queue gvasil@ics.forth.gr 18

  19. CPU Processing • Packet capturing is performed by different CPU-cores in parallel – Process affinity • Each core normalizes and reassembles captured packets to streams – Remove ambiguities – Detect attacks that span multiple packets • Packets of the same connection always end up to the same core – No synchronization – Cache locality • Reassembled packet streams are then transferred to the GPU for pattern matching – How to access the GPU? gvasil@ics.forth.gr 19

  20. Accessing the GPU • Solution #1: Master/Slave model Thread 2 Thread 1 PCIe Thread 3 GPU 64 Gbit/s Thread 4 • Execution flow example 14.6 Gbit/s P1 P1 Transfer to GPU: GPU execution: P1 P1 Transfer from GPU: P1 P1 gvasil@ics.forth.gr 20

  21. Accessing the GPU • Solution #2: Shared execution by multiple threads Thread 1 Thread 2 PCIe GPU 64 Gbit/s Thread 3 Thread 4 • Execution flow example 48.1 Gbit/s Transfer to GPU: P1 P2 P3 P1 GPU execution: P1 P2 P3 P1 Transfer from GPU: P1 P2 P3 P1 gvasil@ics.forth.gr 21

  22. Transferring to GPU Push CPU-core Push Scan Push GPU • Small transfer results to PCIe throughput degradation  Each core batches many reassembled packets into a single buffer gvasil@ics.forth.gr

  23. Pattern Matching on GPU Packet Buffer GPU GPU GPU core core core GPU GPU GPU core core core Matches • Uniformly, one GPU core for each reassembled packet stream gvasil@ics.forth.gr 23

  24. Pipelining CPU and GPU CPU Packet buffers • Double-buffering – Each CPU core collects new reassembled packets, while the GPUs process the previous batch – Effectively hides GPU communication costs gvasil@ics.forth.gr 24

  25. Recap Data-parallel GPUs: content matching Reassembled packet streams Per-flow CPUs: protocol analysis Packet streams NIC: Demux 1-10Gbps Packets gvasil@ics.forth.gr 25

  26. Outline • Architecture • Implementation • Performance Evaluation • Conclusions gvasil@ics.forth.gr 26

  27. Setup: Hardware CPU-0 CPU-1 Memory Memory IOH IOH GPU GPU NIC • NUMA architecture, QuickPath Interconnect Model Specs 2 x CPU Intel E5520 2.27 GHz x 4 cores 2 x GPU NVIDIA GTX480 1.4 GHz x 480 cores 1 x NIC 82599EB 10 GbE gvasil@ics.forth.gr 27

  28. Pattern Matching Performance Bounded by PCIe capacity GPU Throughput 48.1 42.5 26.7 14.6 1 2 4 8 #CPU-cores • The performance of a single GPU increases, as the number of CPU-cores increases gvasil@ics.forth.gr 28

  29. Pattern Matching Performance 70.7 GPU Throughput 48.1 42.5 Adding a second GPU 26.7 14.6 1 2 4 8 #CPU-cores • The performance of a single GPU increases, as the number of CPU-cores increases gvasil@ics.forth.gr 29

  30. Setup: Network 10 GbE Traffic MIDeA Generator/Replayer gvasil@ics.forth.gr 30

  31. Synthetic traffic 7.2 MIDeA Gbit/s Snort (8x cores) 4.8 2.4 2.1 1.5 1.1 200b 800b 1500b Packet size • Randomly generated traffic gvasil@ics.forth.gr 31

  32. Real traffic MIDeA 5.2 Gbit/s Snort (8x cores) 1.1 • 5.2 Gbit/s with zero packet-loss – Replayed trace captured at the gateway of a university campus gvasil@ics.forth.gr 32

  33. Summary • MIDeA: A multi-parallel network intrusion detection architecture – Single-box implementation – Based on commodity hardware – Less than $1500 • Operate on 5.2 Gbit/s with zero packet loss – 70 Gbit/s pattern matching throughput gvasil@ics.forth.gr 33

  34. Thank you! gvasil@ics.forth.gr gvasil@ics.forth.gr 34

Recommend

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Event-driven Architecture for Health Event Detection from Multiple Sources Dr. Kerstin Denecke

Event-driven Architecture for Health Event Detection from Multiple Sources Dr. Kerstin Denecke

Event-driven Architecture for Health Event Detection from Multiple Sources Dr. Kerstin Denecke Oslo, 31.08.2011 1 Agenda Motivation Event-driven Architectures Architecture for Health Event Detection Conclusions and Future Work

366 views • 11 slides
A scalable quantum architecture for dark matter detection Daniel Carney JQI/QuICS, University of

A scalable quantum architecture for dark matter detection Daniel Carney JQI/QuICS, University of

A scalable quantum architecture for dark matter detection Daniel Carney JQI/QuICS, University of Maryland/NIST Theory Division, Fermilab Based on Gravitational direct detection of dark matter DC , S. Ghosh, G. Krnjaic, J. M. Taylor,

387 views • 36 slides
Scalable Architecture for Anomaly Detection and Visualization in Power Generating Assets

Scalable Architecture for Anomaly Detection and Visualization in Power Generating Assets

Scalable Architecture for Anomaly Detection and Visualization in Power Generating Assets Paras Jain, Chirag Tailor , Sam Ford, Liexiao (Richard) Ding, Michael Phillips, Fang (Cherry) Liu, Nagi Gabraeel, Polo Chau 1/13 Background

325 views • 13 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
CNN-LSTM Architecture for Detection of Intracranial Hemorrhage on CT scans Nhan T. Nguyen, Dat Q.

CNN-LSTM Architecture for Detection of Intracranial Hemorrhage on CT scans Nhan T. Nguyen, Dat Q.

CNN-LSTM Architecture for Detection of Intracranial Hemorrhage on CT scans Nhan T. Nguyen, Dat Q. Tran , Nghia T. Nguyen, Ha Q. Nguyen Medical Imaging Team, Vingroup Big Data Institute, Hanoi, Vietnam MIDL2020 1 Motivation Classifying

418 views • 5 slides
Bubble Razor An Architecture-Independent Approach to Timing-Error Detection and Correction

Bubble Razor An Architecture-Independent Approach to Timing-Error Detection and Correction

1 Bubble Razor An Architecture-Independent Approach to Timing-Error Detection and Correction Matthew Fojtik, David Fick, Yejoong Kim, Nathaniel Pinckney, David Harris, David Blaauw, Dennis Sylvester mfojtik@umich.edu Electrical Engineering

886 views • 34 slides
Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low energy photons (detection of high energy photons calorimeters) Peter Krizan, Neutron and neutrino detection Detection of neutral particles

1.21k views • 67 slides
A Big Data Architecture for the Detection of Anomalies within Database Connection Logs Swapneel

A Big Data Architecture for the Detection of Anomalies within Database Connection Logs Swapneel

A Big Data Architecture for the Detection of Anomalies within Database Connection Logs Swapneel Mehta, Prasanth Kothuri, Daniel Lanza Garcia European Organisation for Nuclear Research Meyrin, Geneva {swapneel.sundeep.mehta, prasanth.kothuri,

253 views • 6 slides
Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What this talk is about? Automotive intrusion detection Automotive cyber-security architecture From the highest viewpoint J 3 Outline Quick

926 views • 63 slides
Peer-to-peer Architecture for Collaborative Intrusion and Malware Detection on a Large Scale

Peer-to-peer Architecture for Collaborative Intrusion and Malware Detection on a Large Scale

UNIVERSITY OF MODENA AND REGGIO EMILIA Peer-to-peer Architecture for Collaborative Intrusion and Malware Detection on a Large Scale Mirco Marchetti, Michele Messori and Michele Colajanni WebLab, University of Modena and Reggio Emilia, Italy

297 views • 19 slides
Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of Ammonia Ammonia A A i i Ne w Me thod Validate d F ollowing E PA Guidanc e AT AT P Case #: N08 0004 P Case #: N08-0004 E dwa rd F Aske w

551 views • 32 slides
Frankie Pike Advisor: Franz Kurfess The Goal EEG Headset Control Autonomous Mode Architecture

Frankie Pike Advisor: Franz Kurfess The Goal EEG Headset Control Autonomous Mode Architecture

Frankie Pike Advisor: Franz Kurfess The Goal EEG Headset Control Autonomous Mode Architecture and Complications User Commands Obstacle GPS Path Detection Plotting Consensus The Plan User Commands Obstacle GPS Path Detection

48 views • 4 slides
1 Where does architecture come from? What order? Use an architecture youve seen before

1 Where does architecture come from? What order? Use an architecture youve seen before

Architecture 2 1 Announcements What is Architecture? Final project hand-in and documentation Big picture Structure or structures that support the system Early design decisions Architecture is the design decisions you

275 views • 5 slides
Domestic Nuclear Detection Office (DNDO) Detecting Nuclear Threats 18 November 2008 Thomas

Domestic Nuclear Detection Office (DNDO) Detecting Nuclear Threats 18 November 2008 Thomas

Domestic Nuclear Detection Office (DNDO) Detecting Nuclear Threats 18 November 2008 Thomas McIlvain Architecture Directorate Domestic Nuclear Detection Office Mission and Objectives DNDO was founded on April 15, 2005 with the signing of NSPD

345 views • 20 slides
Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

07 Tutorial: Broadphase Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known weaknesses Fixed-timestep weakness All-pairs weakness Pair-processing weakness Two-phase collision detection

833 views • 20 slides
GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors

GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors

GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors perspectives in France Giovanni Calderini (LPNHE Paris) Journes Prospectives IN2P3/IRFU Giens 2012 1 Huge subject in terms of detection principles /

319 views • 30 slides
Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 |

Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 |

Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 | info@detection-technologies.com | www.detection-technologies.com Mikro Tek Key Advantages One analyzer - up to 300m detection range! A single Mikro Tek

874 views • 6 slides
Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Srinidhi Varadarajan 02/14/2000 Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes (e.g. CRC, Send a duplicate copy of the Parity, Checksums) message Error Correction Codes (e.g. Problems

269 views • 5 slides
Listening to Infrastructure Early detection of seepage-induced internal erosion using acoustic

Listening to Infrastructure Early detection of seepage-induced internal erosion using acoustic

School of Architecture, Building and Civil Engineering Listening to Infrastructure Early detection of seepage-induced internal erosion using acoustic emission monitoring Supervisors : PhD candidate Dr Alister Smith Tiago Biller Prof Neil

399 views • 14 slides
Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

472 views • 20 slides
A Novel Parallel Deadlock Detection Algorithm and Architecture 2 , 2 , Pun H. Shiu 2 , Yudong

A Novel Parallel Deadlock Detection Algorithm and Architecture 2 , 2 , Pun H. Shiu 2 , Yudong

A Novel Parallel Deadlock Detection Algorithm and Architecture 2 , 2 , Pun H. Shiu 2 , Yudong Yudong Tan Tan 2 , Pun H. Shiu 1 Vincent J. Mooney III 1 Vincent J. Mooney III {ship, ydtan {ship, ydtan, , mooney mooney}@ece.gatech.ed

505 views • 34 slides
Overview of Sofware Architecture Sofware Architecture VO (706.706) Roman Kern 2020-10-04

Overview of Sofware Architecture Sofware Architecture VO (706.706) Roman Kern 2020-10-04

# These slides should give an overview of the sofware architecture, and what its role is. # Why and when is sofware architecture important. # In other words: sofware architecture in a nutshell ! Overview of Sofware Architecture Sofware

207 views • 7 slides
SE2: Introduction to Software Architecture Mei Nagappan What is Architecture? Encyclopedia

SE2: Introduction to Software Architecture Mei Nagappan What is Architecture? Encyclopedia

Material and some slide content from: - Emerson Murphy-Hill - Reid Holmes - Mehdi Mirakhorli - Software Architecture: Foundations, Theory, and Practice - Essential Software Architecture SE2: Introduction to Software Architecture Mei Nagappan

341 views • 31 slides

More recommend