Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Tian Daxin,Xiang Yang

DOI: https://doi.org/10.1109/npc.2008.19

2008-01-01

Abstract:Integrated multi-core processors with on-chip application acceleration have established themselves as the most efficient method of powering next-generation networking platforms. New research has been conducted for addressing the issues of multi-core supported network and system security. This paper put forward an asymmetrical multiprocessing architecture multi-core supported anomaly intrusion detection system. The key idea is to use an independent core to run the intrusion detection system to monitor the host system. The detection method is based on the Hebb rule and uses libpcap to grab the network transmission packages. In the experiments, we use VMware which is configured to run the Ubuntu to simulate the IDS core. The results show that when the intrusion threshold is 0.3-0.5 the system performs best.

Ziqian Wan,Gang Liang,Tao Li

DOI: https://doi.org/10.4304/jnw.7.9.1327-1333

2012-01-01

Journal of Networks

Abstract:It is becoming increasingly hard to build an intrusion detection system (IDS), because of the higher traffic throughput and the rising sophistication of attacking. Scale will be an important issue to address in the intrusion detection area. For hardware, tomorrow’s performance gains will come from multi-core architectures in which a number of CPU executes concurrently. We take the advantage of multi-core processors’ full power for intrusion detection in this work. We present an intrusion detection system based on the Snort open-source IDS that exploits the computational power of MIPS multi-core architecture to offload the costly pattern matching operations from the CPU, and thus increase the system’s processing throughput. A preliminary experiment demonstrates the potential of this system. The experiment results indicate that this method can be used effectively to speed up intrusion detection systems.

YAO Jun-Xi,LIANG Gang,GONG Xun,HAN Zhong-Qiu

DOI: https://doi.org/10.3969/j.issn.0490-6756.2010.02.010

2010-01-01

Abstract:Requirements for a high-quality Intrusion Prevention System(IPS)are becoming more and more demanding with the wide use of high speed Ethernet and increasing complexity of network intrusion. By the analysis of the working principles in the traditional IPS,a improved IPS based on the multicore processor is designed and implemented.In this system,multicore processing units are divided into groups among which the data can be transmitted by building shared cache queues.In this way,IPS can work parallelized with a multicore processor.The results of our experiments demonstrate that the efficiency is greatly enhanced and that the packet loss ratio decreases.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

CHEN Hong-tao,CHEN De-ren,GU Xue-fei

2005-01-01

Abstract:Content filtering is an indispensable important part in the network security field.It analyses the information transported in application layer content protocol and controls the forwarding of the information based on the filtering rules.Network Processor is a new generation programmable processor of high speed for carrying out data processing and transmitting.With its obvious advantages in network data processing,the network processor becomes the essential component in high-speed network equipment which supports network functions,such as operation management、security and network monitoring,etc.Based on the advantage of network processor,this paper presented an implementation of an Intel IXP2400 network processor-based content filtering system.

Zhuojun Zhuang,Yuan Luo,Minglu Li,Chuliang Weng

DOI: https://doi.org/10.1109/chinagrid.2008.27

2008-01-01

Abstract:The processing speed of conventional network-based intrusion detection systems (NIDSs) is incompetent as to the rapid increase in network link speed. This problem imposes an emerging need for new detection technologies. In this paper, we introduce a multi-core technique which opens up another way for fast intrusion detection by proper workload partitioning and parallel detection on high-speed link. We present an abstract model of NIDS on multi-core platform and discuss the optimal solution when minimum memory occupation achieves. A preliminary example shows the model configuration and presents a first experimental evaluation.

Xu Kefu,Qi Deyu,Qian Zhengping,Zheng Weiping

DOI: https://doi.org/10.1109/icnsc.2008.4525325

2008-01-01

Abstract:High-speed packet content inspection and filtering devices rely on a fast multi-pattern matching algorithm which is used to detect predefined keywords or signatures in the packets. These signature sets are large (e.g., thousands) and complex. Multi-pattern matching is known to require intensive memory accesses and is often a performance bottleneck. Another problem is how to update the inconstant rule set from new attacks without halting the inspection. Hence, specialized fast dynamic pattern matching algorithms scalable for long rules are required for on-line speed deep packet inspection. We proposed a fast dynamic deep packet inspection algorithm using two pipelines which was flexible loosely coupled framework. In the fast pipeline, multiple parallel Counting Bloom filter engines which can perform fast dynamic query were adopted to achieve high throughput. Based on the principle of locality of programs, we set a threshold length for the scalability for long rules. In the relatively slow pipeline, we adopted dynamic pattern matching algorithm to distinguish the suspicious packet came from the fast pipeline. The analysis and the evaluation show that the high throughput of the algorithm can satisfy the wire speed dynamic inspection requirement when the low resource consumption further improves the scalability.

Wang Xiang,Qi Yaxuan,Wang Kai,Xue Yibo,Li Jun

DOI: https://doi.org/10.1109/cc.2015.7224697

2015-01-01

China Communications

Abstract:Modern network security devices employ packet classification and pattern matching algorithms to inspect packets. Due to the complexity and heterogeneity of different search data structures, it is difficult for existing algorithms to leverage modern hardware platforms to achieve high performance. This paper presents a Structural Compression (SC) method that optimizes the data structures of both algorithms. It reviews both algorithms under the model of search space decomposition, and homogenizes their search data structures. This approach not only guarantees deterministic lookup speed but also optimizes the data structure for efficient implementation on many-core platforms. The performance evaluation reveals that the homogeneous data structure achieves 10Gbps line-rate 64byte packet classification throughput and multi-Gbps deep inspection speed.

Chuan Xu -,Weiren Shi -,Qingyu Xiong -

DOI: https://doi.org/10.4156/jcit.vol6.issue4.27

2011-01-01

Journal of Convergence Information Technology

Abstract:Recently, it is becoming increasingly difficult to implement effective systems for real-time network monitoring for large variety of applications including accounting, traffic identification and abnormal detection. The current solutions have to resort to custom capturing hardware that usually comes with high cost, and software-based capturing solutions, such as libpcap, cannot cope with 10Gbps link rates. In this article, we propose an architecture customized for parallel execution of packet analysis using commodity multi-core processor which now broadly implemented in personal computer. On our approach, the packets are dispatched with similar properties to same core and partitioned into several parts, which allows threads maintained in each core for concurrent execution. Numerical results based on real Campus network traffic data are presented to demonstrate the good performance and effectiveness of our system.

Jia Ni,Chuang Lin,Zhen Chen,Peter Ungsunan

DOI: https://doi.org/10.1109/ICPP.2007.7

2007-01-01

Abstract:Deep Packet Inspection (DPI) is a critical function in network security applications such as Firewalls and Intrusion Detection Systems (IDS). Signature based scanners used in DPI apply multi-pattern matching algorithms to check whether the packet payload or flow content contains a specified signature in a signature set. Existing multi-pattern matching algorithms sacrifice memory space to achieve better performance. In this paper a novel fast multi-pattern matching algorithm, the Hash Boyer-Moore (HBM) Algorithm, is presented, which reduces the memory footprint of the heuristic table using a hash function and adds another heuristic table to reduce the false-positive ratio. Analyses and simulations show HBM offers higher speed and lower memory cost than some existing algorithms. The HBM algorithm was implemented on the Intel IXP 2400 Network Processor (NP) platform and experiments show suitable performance results in a Gigabit Ethernet LAN environment.

Meiting Xue,Kainuo Ni,Yan Zeng,Yuyu Yin,Baokang Zhao

DOI: https://doi.org/10.1109/ngdn61651.2024.10744179

2024-01-01

Abstract:Deep Packet Inspection (DPI) serves as a critical tool for application-layer traffic detection and control, utilized extensively for the identification and prevention of cyberattacks, the interception of malware, and the monitoring of network traffic. With the rapid development of towards the integration of various network technologies through programmable technologies, the exploration of polymorphic network architectures has intensified and has been an important research directions. Nevertheless, existing DPI approaches are faced with significant challenges in dealing with the complexities of heterogenous networks and achieving timely detection in intricate environments. This paper introduces an innovative, efficient DPI methodology tailored for polymorphic networks. It incorporates a multi-set search algorithm, which hybridizes hash tables and cuckoo filters, enhancing search efficiency. Furthermore, an attack detection mechanism is developed, grounded in the concept of overload attacks, to accurately identify and respond to such threats. A mitigation strategy is proposed, leveraging the power of DPI, to effectively counteract the adverse effects of flow table overload attacks. Empirical evaluations confirm the proposed detection method suitability for networks, demonstrating a 2x-3x improvement in performance compared to conventional algorithms, along with a superior false positive rate. The attack detection and mitigation approach presented herein successfully withstands the onslaught of flow table overload attacks, reinforcing the resilience of polymorphic network environments.

Junchang Wang,Haipeng Cheng,Bei Hua,Xinan Tang

DOI: https://doi.org/10.1145/1542275.1542307

2009-01-01

Abstract:The industry wide shift to multi-core architectures arouses great interests in parallelizing sequential applications. However, it I S very difficult to parallelize fine-grained applications for multicore architectures due to insufficient hardware support of fast communication and synchronization. Fortunately, network applications can be decomposed into pipelined structures that are amenable to streaming based parallel processing. To realize the potential of pipelining on multi-core architectures, it requires reevaluating the basic tradeoffs in parallel processing, including the ones between load balance and data locality and between general lock mechanisms and special lock-free data structures. This paper presents the practice of building a high-performance multi-core based network processing platform in which connection-affinity and lock-free design principles are applied effectively for better data locality and faster core-to-core synchronization and communication.We parallelize a complete Layer 2 to Layer 7 (L2-L7) network processing system on an Intel Core 2 Quad processor, including a TCP/IP stack based on Libnids (L2-L4) and a port-independent protocol identification engine by deep packet inspection (L7+). Furthermore, we develop a compiling method to transform sequential network applications to parallel ones to enable those applications to run on multi-core architectures. Our experience suggests that (1) fine-grained pipelining can be a good software solution for parallelizing network applications on multi-core architectures if connection-affinity and lock-free are used as the first design principles; (2) a delicate partitioning scheme is required to map pipelined structures onto specific multi-core architecture; (3) an automatic parallelization approach can work if domain knowledge is considered in the parallelizing process. Our multi-core based network processing platform can deliver not only 6Gbps processing speed for large packet sizes but also more challenging 2Gbps speed for smaller packets.

Hai-guang LAI,Hao HUANG,Jun-yuan XIE

2005-01-01

Journal of Computer Applications

Abstract:Network-based intrusion detection system (NIDS) detects attacks by capturing and analyzing network packets. As network band increases, NIDS can hardly keep up with the speed of networks. A method of improving NIDS' process ability using symmetric multi-processor (SMP) was proposed in the paper. Several CPUs of the system were used to process network packets in parallel to improve the performance. After analyzing NIDS' process procedure, an effective parallel processing structure was devised, which guaranteed threads on different CPUs running in parallel. Moreover, the synchronization method of threads proposed avoided the mutually exclusive access to the shared resource, which further increased the parallelity of threads, and guaranteed the correctness of the functionality of the program. Experiments show that the NIDS implemented on a SMP system with dual CPUs is almost 80% faster than the one based on a system with unique CPU.

Xie Da-bin,Liang Gang

DOI: https://doi.org/10.3969/j.issn.1671-0428.2013.03.003

2013-01-01

Abstract:With the popularization of high-speed network,the traditional intrusion prevention system in high speed packet capture and real-time processing,has already can't meet the requirements of the performance.The paper proposed a kind of high performance intrusion prevention system,PF_RING DNA Intrusion Prevention System: PDIPS.PDIPS run on general multi-core platform,it used the PF_RING DNA technology to realize the packet capture in wire speed,at the same time,multithreading and CPU binding technology is used for parallel packets processing,to improve the overall performance.The test results show that under the same test environ-ment,PDIPS compared to traditional intrusion prevention scheme in performance has preferably improved,can adapt to the needs of the gigabit environment.

Liang CHEN,Jian WANG,Yong ZHAO

DOI: https://doi.org/10.3778/j.issn.1002-8331.1606-0006

2017-01-01

Abstract:In order to meet the security requirements of modern high bandwidth Internet application environment, an IPSec VPN architecture based on Tilera GX36 multi-core network processor is proposed, and program function modules of control plane and data plane are designed according to SDN architecture to achieve flexible security control on network traffic. To meet the security strategy retrieval performance requirement, a three-level security policy flow-table structure based on Hash algorithm is put forward, and a security policy search method is designed using security association flow-table cached on tile CPUs as fast retrieval data source. The test results show that the system can achieve the processing performance in 40 Gb/s Internet applications under the typical short, medium and long package-length circumstance.

Xu Bo,He Fei,Xue Yibo,Li Jun

DOI: https://doi.org/10.1016/s1007-0214(09)70003-3

2009-01-01

Abstract:Today's firewalls and security gateways are required to not only block unauthorized accesses by authenticating packet headers, but also inspect flow payloads against malicious intrusions. Deep inspection emerges as a seamless integration of packet classification for access control and pattern matching for intrusion prevention. The two function blocks are linked together via well-designed session lookup schemes. This paper presents an architecture-aware session lookup scheme for deep inspection on network processors (NPs). Test results show that the proposed session data structure and integration approach can achieve the OC-48 line rate (2.5 Gbps) with inline stateful content inspection on the Intel IXP2850 NP. This work provides an insight into application design and implementation on NPs and principles for performance tuning of NP-based programming such as data allocation, task partitioning, latency hiding, and thread synchronization.

Haipeng Cheng,Zheng Chen,Bei Hua,Xinan Tang

DOI: https://doi.org/10.1145/1345206.1345214

2008-01-01

Abstract:Packet classification is an enabling technology to support advanced Internet services. It is still a challenge for a software solution to achieve 10Gbps (line-rate) classification speed. This paper presents a classification algorithm that can be efficiently implemented on a multi-core architecture with or without cache. The algorithm embraces the holistic notion of exploiting application characteristics, considering the capabilities of the CPU and the memory hierarchy, and performing appropriate data partitioning. The classification algorithm adopts two stages: searching on a reduction tree and searching on a list of ranges. This decision is made based on a classification heuristic: the size of the range list is limited after the first stage search. Optimizations are then designed to speed up the two-stage execution. To exploit the speed gap (1) between the CPU and external memory; (2) between internal memory (cache) and external memory, an interpreter is used to trade the CPU idle cycles with demanding memory access requirements. By applying the CISC style of instruction encoding to compress the range expressions, it not only significantly reduces the total memory requirement but also makes effective use of the internal memory (cache) bandwidth. We show that compressing data structures is an effective optimization across the multi-core architectures.We implement this algorithm on both Intel IXP2800 network processor and Core 2 Duo X86 architecture, and experiment with the classification benchmark, ClassBench. By incorporating architecture-awareness in algorithm design and taking into account the memory hierarchy, data partitioning, and latency hiding in algorithm implementation, the resulting algorithm shows a good scalability on Intel IXP2800. By effectively using the cache system, the algorithm also runs faster than the previous fastest RFC on the Core 2 Duo architecture.

Ling Ruilin,Li Junfeng,Li Dan

DOI: https://doi.org/10.7544/issn1000-1239.2017.20160823

2017-01-01

Journal of Computer Research and Development

Abstract:With the development of Internet application and the increase of network bandwidth,security issues become increasingly serious.In addition to the spread of the virus,spams and DDoS attacks,there have been lots of strongly hidden attack methods.Network probe tools which are deployed as a bypass device at the gateway of the intranet,can collect all the traffic of the current network and analyze them.The most important module of the network probe is packet capture.In Linux network protocol stack,there are many performance bottlenecks in the procedure of packets processing which cannot meet the demand of high speed network environment.In this paper,we introduce several new packet capture engines based on zero-copy and multi-core technology.Further,we design and implement a scalable high performance packet capture framework based on Intel DPDK,which uses RSS (receiver-side scaling) to make packet capture parallelization and customize the packet processing.Additionally,this paper also discusses more effective and fair Hash function by which data packet can be deliveried to different receiving queues.In evaluation,we can see that the system can capture and process the packets in nearly line-speed and balance the load between CPU cores.

Likun Liu,Jiantao Shi,Hongli Zhang,Xiangzhan Yu

DOI: https://doi.org/10.1109/bdcloud.2018.00113

2018-01-01

Abstract:Deep Packet Inspection (DPI) is the core of security devices, such as NIDS, NIPS, which is also an important target of the adversary. The vulnerability of DPI engine is that it relies heavily on pattern matching algorithms, which consume a lot of system resources. In order to make denial of service of DPI, the adversary leverages string repetitions to perform algorithmic complexity attacks. In this paper, we propose an attack identification method for automata and design three defensive strategies. Our attack identification method adopts a two-step threshold detection method, while defensive mechanisms include dropping, transferring and rescheduling the traffic. And the rescheduling traffic based on multi-core platform is a parallelization problem. To solve this problem, this paper proposes a traffic exchange strategy between threads, so that the attack traffic is allocated to dedicated threads. We demonstrate the effectiveness of our method by checking the packet loss rate of NIC and monitoring the utilization of CPU and memory. Upon different attack intensity, our experiments show a throughput boost of up to 11%-60% by comparing with the original system, and 4%-14% with the Level-1 threshold detection. In addition, the false negative rate under the diversified attack scenarios is lower than the original system and Level-1 threshold detection.