FERMILAB-SLIDES-18-122-CD
GoldenEye: stream-based network packet inspection using GPUs
Qian Gong, Wenji Wu, Phil DeMar
The 43rd IEEE Conference on Local Computer Networks, October 4, 2018
This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.
Outline
• Motivation of GPU-based traffic analysis
• Framework of GPU-based traffic analysis
• Performance evaluation
• Conclusion & future work
Fermilab, 4/18/2019, GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018
Network Traffic Analysis
• Network traffic analysis tools provide indispensable information for
 o Operation & management
 o Performance troubleshooting
 o Network security
 o Statistical purposes
[Figure: border router connecting the Internet to the internal network; a port-mirrored optical traffic tap feeds the traffic analysis system]
• Basic functions:
 o Profile traffic activities
 o Scan traffic content for suspicious pattern signatures
Task Overview
Stateful packet processing
• Track and maintain the states of network functions:
 o TCP connections
 o Sub-string matches in intrusion detection systems
Timely response
• Fast and reliable network data processing at link speed
Protect traffic integrity
• Packets shouldn't be lost in the processing cycle
Challenges in data and state management
Data Management Challenges and Solutions
Challenges:
• High-speed networks
 o 10/25/40GE-connected servers and 100GE backbone technologies are commonplace
 o Millions of packets generated & transmitted per second
• Complex packet analysis algorithms
 o Algorithms are increasingly complex as security threats become more sophisticated
 o Need a flexible and programmable computing platform
Data Management Solutions
Solutions:
• Heterogeneous data management
• GPU-centric computing
 o GPU is specialized for data-parallel, large-throughput computations
 o Thousands of cores for massive parallelism
 o Tolerance of memory latency
[Table: platform feature comparison (compute power, memory bandwidth, ease of programmability, data-parallel execution model); the GPU column has all features checked, other platforms are marked unsupported or "varies"]
Packet Processing on Heterogeneous Architectures
Data processing flow:
• CPU receives packets from the NIC, parses headers and batches them in an input buffer.
• When a specified batch size or a preset time limit is reached, the input buffer is transferred to the GPU memory via PCIe.
• A set of GPU kernels are then launched to perform tasks such as IP address matching, cryptographic operations, and deep packet inspection.
• The results are transferred back to the CPU memory to guide further actions.
[Figure: NIC → CPU memory (packets staged back-to-back) → PCIe bus → GPU memory]
… Packet batching can be a feasible way to improve GPU utilization, but it increases difficulties in stateful packet processing …
State Management Challenges
Challenge 1: flow management & stream reassembly
• Stateful network functions must both track the states of network connections and scan network packets at a per-flow level.
• Flow state management and stream reassembly require state synchronization when dealing with packets from the same connection.
• Limited data parallelism when fewer simultaneous TCP connections are present.
The conventional hash-based approach requires atomic locks for packets from the same TCP connection, and is prone to ambiguity caused by hash-key collisions.
[Figure: hash table of flow records keyed by connection, with pre-received packets queued per flow]
State Management Challenges
Challenge 2: Inter-batch state connection
• Stateful packet inspection must detect signatures that straddle packet boundaries.
• GPU's batch-processing mechanism requires maintaining connection states and tracking potential sub-matches across input batches.
[Figure: batch 1 holds packets 1.1 1.3 1.4 2.1 2.2 3.1 3.2 (sequence gap at 1.2, intra-batch stream reassembly); batch 2 holds 1.2 1.5 1.6 1.7 1.8 (out-of-order packet 1.2 arrives in the subsequent batch); a "malicious" pattern straddles the two batches and requires cross-batch pattern matching]
Stateful packet inspection must detect and memorize the sub-matches across input batches.
State Management Solutions
• Parallel flow management and stream processing via GPU sort and prefix-scan
 o Sort and prefix-scan are extremely fast on GPU (over ten billion elements/sec).
[Figure: GPU packet analysis modules: TCP data streams → per-flow payload reassembly → flow state tracking; both built on GPU primitive libraries]
• Inter-batch network function state connection
 o Developed a buffer-free, cross-packet/batch pattern matching algorithm.
 o Combine the state and context information with packets in subsequent batches. Allow on-line packets to come through, but retain and update the state information.
[Figure: states carried from the (k-1)th batch processing into the kth batch processing]
GoldenEye Network Traffic Analysis Framework
GoldenEye Modules
• Packet capture & pre-processing
• BPF filter
• Stream processor
• Traffic statistic summary
• Deep packet inspection
• State buffer
[Figure: Network Traffic Source → GPU Domain (BPF Filter → Packet Capture Engine → Stream Processor → State Storage → DPI Engine (string/regex match)) → External Applications (Traffic Statistic Monitoring, Traffic Analysis / IPS/IDS, Traffic Engineering)]
Packet Capture and Processing on Multicore Systems
Logics:
• Multithreading packet capturing and pre-processing
• Queue packets for batch processing
• Dual-buffer for concurrent data transfer and GPU computing
[Figure: network traffic is steered into receive queues RQ 1..RQ n of a multi-queue NIC; cores 1..n of the multi-core host each run a packet capture engine and pre-processing; packet batches are staged at the host in alternating buffers A and B; core n+1 drives GPU processing and delivers analysis results to external applications]
GPU-centric Stream Processor
Tasks:
• Monitor the states of TCP connections.
• Reassemble TCP packets into bi-directional byte-streams.
Implementations:
• Stream reassembly: sort packets into streams by their TCP 4-tuples and sequences.
• Flow state tracking: compare the stream states against existing connections.
• Stream normalization: rescan flow-reassembled packets and remove retransmissions.
[Figure: packets in a batch (one marked as a retransmission) → stream reassembly → stream normalization → flow-reassembled packets; flow state records are updated in the hash table of flow records]
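The three stream-processor steps above, written out as an added example in plain Python (this is not GoldenEye code; the real system runs the sort as a GPU primitive and the per-flow pass as data-parallel kernels). The packet layout, the `FlowRecord` fields and the sample packets are constructed for illustration. One sort by (4-tuple, sequence) groups each flow's packets contiguously and in order; the flow table supplies the "next expected byte" cursor; normalization then drops bytes the cursor has already passed, so a full retransmission and a partial overlap both contribute nothing twice. A packet that sits beyond a sequence gap is returned as deferred, which is the situation in the "out-of-order packet arrives in a subsequent batch" figure.

```python
"""Constructed example: batch-oriented TCP stream reassembly and normalization."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes

    def key(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class FlowRecord:
    next_seq: int           # reassembly cursor: next byte not yet delivered
    packets: int = 0
    dropped_bytes: int = 0  # bytes discarded as retransmitted / overlapping


def reassemble_batch(
    batch: List[Packet], flows: Dict[FlowKey, FlowRecord]
) -> Tuple[Dict[FlowKey, bytes], List[Packet]]:
    """Return (new in-order payload per flow, packets deferred past a gap).

    `flows` is the persistent flow table and is updated in place.
    """
    # Step 1: stream reassembly -- sorting by (4-tuple, seq) puts every flow's
    # packets next to each other and in sequence order.
    ordered = sorted(batch, key=lambda p: (p.key(), p.seq))
    streams: Dict[FlowKey, bytes] = {}
    deferred: List[Packet] = []
    for pkt in ordered:
        k = pkt.key()
        # Step 2: flow state tracking -- an unseen 4-tuple opens a record whose
        # cursor starts at this packet's sequence number.
        rec = flows.get(k)
        if rec is None:
            rec = flows[k] = FlowRecord(next_seq=pkt.seq)
        rec.packets += 1
        end = pkt.seq + len(pkt.payload)
        # Step 3: stream normalization -- trim what the cursor already covers.
        if end <= rec.next_seq:
            rec.dropped_bytes += len(pkt.payload)   # full retransmission
            continue
        if pkt.seq > rec.next_seq:
            deferred.append(pkt)                    # sequence gap: hold for later
            continue
        skip = rec.next_seq - pkt.seq               # partial overlap with delivered data
        rec.dropped_bytes += skip
        streams[k] = streams.get(k, b"") + pkt.payload[skip:]
        rec.next_seq = end
    return streams, deferred
```

Because every packet in a flow shares one cursor, two packets of the same connection are never processed concurrently by different workers, which is the synchronization problem the sort-based grouping avoids without per-flow locks.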
Traffic Statistical Analysis
Main strategy:
• Similar to the TCP flow management function, GoldenEye's statistical aggregation module is built with a set of primitive GPU sort and prefix-scan operations.
Example use cases:
• Host traffic monitoring

Src IP      Src Port  Dest IP    Dest Port  Proto  Pkt Sent  Byte Sent
131.2.3.0   80        10.1.2.4   998        TCP    32        16484
10.1.2.4    998       131.2.3.0  80         TCP    121       179841

• Heavy-hitter detection
• DoS detection
• Capacity planning
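How aggregation falls out of sort and prefix-scan alone, as an added example rather than GoldenEye's implementation: the records, the 5-tuple key layout and the byte counts below are constructed. On the GPU each step is one bulk primitive; here the same data-parallel formulation is written with Python's `sorted` and `itertools.accumulate`. Sorting makes each flow a contiguous segment, a compare-with-neighbour marks segment heads, and an exclusive prefix scan turns per-record byte counts into per-flow totals by subtracting the scan value at a segment's head from the value one past its tail. Scanning a vector of ones the same way yields the packet counts, which is what populates a table like the one above.

```python
"""Constructed example: per-flow statistics via sort + prefix-scan (no per-flow loop)."""
from itertools import accumulate
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int, str]  # (src ip, src port, dst ip, dst port, proto)
Record = Tuple[str, int, str, int, str, int]  # flow key fields + payload bytes

# Constructed packet records for the demonstration.
RECORDS: List[Record] = [
    ("10.1.2.4", 998, "131.2.3.0", 80, "TCP", 1500),
    ("131.2.3.0", 80, "10.1.2.4", 998, "TCP", 52),
    ("10.1.2.4", 998, "131.2.3.0", 80, "TCP", 1500),
    ("10.9.9.9", 53, "10.1.2.4", 5353, "UDP", 120),
    ("10.1.2.4", 998, "131.2.3.0", 80, "TCP", 700),
]


def flow_statistics(records: List[Record]) -> Dict[FlowKey, Tuple[int, int]]:
    """Return {flow key: (packets, bytes)} using only sort and scan steps."""
    n = len(records)
    # Step 1: sort -- order records by flow key so each flow is one contiguous
    # segment (a radix sort on the packed key, on the GPU).
    order = sorted(range(n), key=lambda i: records[i][:5])
    keys = [records[i][:5] for i in order]
    nbytes = [records[i][5] for i in order]
    # Step 2: segment heads -- position i starts a new flow when its key differs
    # from the key just before it.
    heads = [i for i in range(n) if i == 0 or keys[i] != keys[i - 1]]
    bounds = heads + [n]                     # heads plus one-past-the-end
    # Step 3: exclusive prefix scans over byte counts and over a ones vector.
    byte_scan = [0] + list(accumulate(nbytes))
    pkt_scan = [0] + list(accumulate([1] * n))
    # Step 4: segmented reduction -- total for a segment [h, t) is scan[t] - scan[h].
    return {
        keys[h]: (pkt_scan[t] - pkt_scan[h], byte_scan[t] - byte_scan[h])
        for h, t in zip(bounds[:-1], bounds[1:])
    }


def heavy_hitters(stats: Dict[FlowKey, Tuple[int, int]], byte_threshold: int) -> List[FlowKey]:
    """Flows whose byte total meets the threshold, heaviest first (heavy-hitter use case)."""
    return sorted(
        (k for k, (_, b) in stats.items() if b >= byte_threshold),
        key=lambda k: -stats[k][1],
    )
```

The same four steps serve DoS detection and capacity planning by changing the key (destination only, or source prefix) and the scanned quantity; no per-flow hash table or lock is involved, which is why the module can reuse the flow-management primitives.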
Stream-based Deep Packet Inspection
Tasks:
• Intra-batch pattern matching:
 o Perform pattern matching over stream-reassembled packets in the same batch.
• Inter-batch pattern matching:
 o Detect and reconstruct signature patterns that straddle batch boundaries.
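The buffer-free inter-batch matching idea from the state management slides and the DPI tasks above, shown as an added example that is not GoldenEye's algorithm: a multi-pattern Aho-Corasick automaton whose only per-flow state carried between batches is the automaton node reached at the end of the previous batch. The signature list, flow identifiers and payload fragments are constructed. No payload tail is re-buffered; when the next batch's bytes for that flow arrive, scanning resumes from the saved node, so a signature split as "mali" | "cious" across two batches is still reported at the position of its last byte.

```python
"""Constructed example: cross-batch signature matching with retained automaton state."""
from collections import deque
from typing import Dict, List, Tuple


class AhoCorasick:
    """Standard Aho-Corasick automaton over bytes."""

    def __init__(self, patterns: List[bytes]):
        self.goto: List[Dict[int, int]] = [{}]   # node -> {byte: next node}
        self.fail: List[int] = [0]               # node -> failure link
        self.out: List[List[bytes]] = [[]]       # node -> patterns ending here
        for pat in patterns:
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto[node][b] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                node = self.goto[node][b]
            self.out[node].append(pat)
        # Breadth-first pass builds failure links and merges suffix outputs.
        queue = deque(self.goto[0].values())
        while queue:
            u = queue.popleft()
            for b, v in self.goto[u].items():
                f = self.fail[u]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[v] = self.goto[f].get(b, 0)
                self.out[v] = self.out[v] + self.out[self.fail[v]]
                queue.append(v)

    def step(self, state: int, b: int) -> int:
        """Consume one byte from `state`, following failure links as needed."""
        while state and b not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(b, 0)


Batch = List[Tuple[str, bytes]]  # (flow id, stream-normalized payload)


def scan_batch(ac: AhoCorasick, batch: Batch, flow_state: Dict[str, int]) -> List[Tuple[str, bytes, int]]:
    """Scan one batch of per-flow payloads.

    `flow_state` maps flow id -> automaton node and is the only thing kept
    between batches. Returns (flow, pattern, offset of the pattern's last byte
    within this batch's payload) for every match, including ones whose first
    bytes were consumed in an earlier batch.
    """
    hits: List[Tuple[str, bytes, int]] = []
    for flow, payload in batch:
        state = flow_state.get(flow, 0)     # resume where the previous batch stopped
        for i, b in enumerate(payload):
            state = ac.step(state, b)
            for pat in ac.out[state]:
                hits.append((flow, pat, i))
        flow_state[flow] = state            # retain the node, not the bytes
    return hits
```

Because the retained state is a single integer per flow, the memory cost of cross-batch tracking does not grow with payload size or with the length of the longest signature, which is the property the "buffer-free" design relies on.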