Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Xiang Chen,Hongyan Liu,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu

DOI: https://doi.org/10.1109/tnet.2023.3281449

2024-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating distributed denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernelbased tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools incur unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for evaluating DDoS defense solutions. The key idea is to leverage the emerging programmable switch to empower testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur offers intent-based primitives to enable academic researchers to customize testing tasks on demand. Moreover, in view of switch resource limitations, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. We have implemented Excalibur on a 64 x 100 Gbps Tofino switch. Our experiments on a 64 x 100 Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Bo Xu,Yaxuan Qi,Fei He,Zongwei Zhou,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/ICDCS.2008.33

2008-01-01

Abstract:The security gateways today are required not only to block unauthorized accesses by authenticating packet headers, but also by inspecting connection states to defend against malicious intrusions. Hence session creation rate plays a key role in determining the overall performance of stateful intrusion prevention systems. In this paper, we propose a high-speed session creation scheme optimized for network processors. Main contribution includes: a) A high-performance flow classification algorithm on network processors; b) An efficient TCP three-way handshake scheme designed for fast-path processing using a two-stage intelligent hashing. Experimental results show that: a) The presented parallel optimized flow classification algorithm, Parallel Search Cross-Producting, outperforms the original Cross-Producting and Binary Search Cross-Producting algorithms with 300% and 60% increase of classification speed; b) The proposed fast path three-way handshake scheme, IntelliHash, achieves a TCP connection creation rate over 2M connections per second.

zhen chen,chuang lin,jia ni,donghua ruan,bo zheng,yixin jiang,xuehai peng,yang wang,anan luo,bing zhu,yao yue,fengyuan ren

DOI: https://doi.org/10.1109/LCN.2005.31

2005-01-01

Abstract:TCP/IP protocol suite carries most application data in Internet. TCP flow retrieval has more security meanings than the IP packet payload. Hence, monitoring the TCP flow has more strength than only monitoring the IP packet payload in the AntiWorm system. The main idea of this paper is to use the flexibility and high performance of network processors to scan TCP flow for locating worm's binary codes, and cut off their propagation. A stateful TCP flow inspection engine is implemented based on IXP network processor, which can monitor about 512K flows. The performance issues about IXP network processors are evaluated and collected, and an analysis is made for further optimizing the system performance. The system is also demonstrated and proved by using the Internet traces and real assaults of Worms. Software Package TCPScanner 1.0 is also given as a software release of the research

Xiaofeng Lin,Yu Chen,Xiaodong Li,Junjie Mao,Jiaquan He,Wei Xu,Yuanchun Shi

DOI: https://doi.org/10.1145/2872362.2872391

2016-01-01

ACM SIGPLAN Notices

Abstract:With the rapid growth of network bandwidth, increases in CPU cores on a single machine, and application API models demanding more short-lived connections, a scalable TCP stack is performance-critical. Although many clean-state designs have been proposed, production environments still call for a bottom-up parallel TCP stack design that is backward-compatible with existing applications. We present Fastsocket, a BSD Socket-compatible and scalable kernel socket design, which achieves table-level connection partition in TCP stack and guarantees connection locality for both passive and active connections. Fastsocket architecture is a ground up partition design, from NIC interrupts all the way up to applications, which naturally eliminates various lock contentions in the entire stack. Moreover, Fastsocket maintains the full functionality of the kernel TCP stack and BSD-socket-compatible API, and thus applications need no modifications. Our evaluations show that Fastsocket achieves a speedup of 20.4x on a 24-core machine under a workload of short-lived connections, outperforming the state-of-the-art Linux kernel TCP implementations. When scaling up to 24 CPU cores, Fastsocket increases the throughput of Nginx and HAProxy by 267% and 621% respectively compared with the base Linux kernel. We also demonstrate that Fastsocket can achieve scalability and preserve BSD socket API at the same time. Fastsocket is already deployed in the production environment of Sina WeiBo, serving 50 million daily active users and billions of requests per day.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Ling Ruilin,Li Junfeng,Li Dan

DOI: https://doi.org/10.7544/issn1000-1239.2017.20160823

2017-01-01

Journal of Computer Research and Development

Abstract:With the development of Internet application and the increase of network bandwidth,security issues become increasingly serious.In addition to the spread of the virus,spams and DDoS attacks,there have been lots of strongly hidden attack methods.Network probe tools which are deployed as a bypass device at the gateway of the intranet,can collect all the traffic of the current network and analyze them.The most important module of the network probe is packet capture.In Linux network protocol stack,there are many performance bottlenecks in the procedure of packets processing which cannot meet the demand of high speed network environment.In this paper,we introduce several new packet capture engines based on zero-copy and multi-core technology.Further,we design and implement a scalable high performance packet capture framework based on Intel DPDK,which uses RSS (receiver-side scaling) to make packet capture parallelization and customize the packet processing.Additionally,this paper also discusses more effective and fair Hash function by which data packet can be deliveried to different receiving queues.In evaluation,we can see that the system can capture and process the packets in nearly line-speed and balance the load between CPU cores.

YU Rong,SUN Zhi,CHEN Jia,MEI Shunliang,DAI Yiqi

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.10.022

2005-01-01

Abstract:Intrusion detection technology is an indispensable way to protect the network security.This paper presents a high-speed intrusion detection system(IDS framework based on network processor and detection cluster.Two hardware algorithms were developed for the traffic distributor.One is the high-speed data-receiving program with the IXP1200 network processor,while the other is the load balance policy based on the destination media access control(MAC address.Tests show that the first algorithm achieves more than(1 Gb/s data-capturing ability,while the second algorithm is a satisfactery trade-off between protecting information integrity and reducing computational complexity.

P. Födisch,B. Lange,J. Sandmann,A. Büchner,W. Enghardt,P. Kaever

DOI: https://doi.org/10.1088/1748-0221/11/01/P01010

2015-11-24

Abstract:State of the art detector readout electronics require high-throughput data acquisition (DAQ) systems. In many applications, e. g. for medical imaging, the front-end electronics are set up as separate modules in a distributed DAQ. A standardized interface between the modules and a central data unit is essential. The requirements on such an interface are varied, but demand almost always a high throughput of data. Beyond this challenge, a Gigabit Ethernet interface is predestined for the broad requirements of Systems-on-a-Chip (SoC) up to large-scale DAQ systems. We have implemented an embedded protocol stack for a Field Programmable Gate Array (FPGA) capable of high-throughput data transmission and clock synchronization. A versatile stack architecture for the User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) over Internet Protocol (IP) such as Address Resolution Protocol (ARP) as well as Precision Time Protocol (PTP) is presented. With a point-to-point connection to a host in a MicroTCA system we achieved the theoretical maximum data throughput limited by UDP both for 1000BASE-T and 1000BASE-KX links. Furthermore, we show that the random jitter of a synchronous clock over a 1000BASE-T link for a PTP application is below 60 ps.

Instrumentation and Detectors

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

David X. Wei,Cheng Jin,Steven H. Low,Sanjay Hegde

DOI: https://doi.org/10.1109/TNET.2006.886335

2006-12-01

IEEE/ACM Transactions on Networking

Abstract:We describe FAST TCP, a new TCP congestion control algorithm for high-speed long-latency networks, from design to implementation.We highlight the approach taken by FAST TCP to address the four difficulties which the current TCP implementation has at large windows. We describe the architecture and summarize some of the algorithms implemented in our prototype. We characterize its equilibrium and stability properties. We evaluate it experimentally in terms of throughput, fairness, stability, and responsiveness.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Bing Xiong,Kun Yang,Jinyuan Zhao,Keqin Li

DOI: https://doi.org/10.1016/j.jnca.2016.04.013

2017-01-01

Abstract:The continual growth of network traffic rates leads to heavy packet processing overheads, and a typical solution is to partition traffic into multiple network processors for parallel processing especially in emerging software-defined networks. This paper is thus motivated to propose a robust dynamic network traffic partitioning scheme to defend against malicious attacks. After introducing the conceptual framework of dynamic network traffic partitioning based on flow tables, we strengthen its TCP connection management by building a half-open connection separation mechanism to isolate false connections in the initial connection table (ICT). Then, the lookup performance of the ICT table is reinforced by applying counting bloom filters to cope with malicious behaviors such as SYN flooding attacks. Finally, we evaluate the performance of our proposed traffic partitioning scheme with real network traffic traces and simulated malicious traffic by experiments. Experimental results indicate that our proposed scheme outperforms the conventional ones in terms of packet distribution performance especially robustness against malicious attacks.

Supachai Thongprasit,Vasaka Visoottiviseth,Ryousei Takano

DOI: https://doi.org/10.1145/2837030.2837036

2015-11-18

Abstract:Key-Value Stores (KVS) are wildly prevalent in Web systems and services, and it is well-known that KVS systems exchange huge amount of small messages. Such workload unveils a new performance issue for TCP/IP processing. User-space networking such as Intel DPDK is a promising technology that addresses this issue by leveraging multi-core architecture and application specific processing without the intervention of the kernel. This paper shows the effects of user-space TCP/IP stack that works on top of Intel DPDK for high performance KVS systems. We have compared the performance of short message processing on an HTTP server and two KVS servers, Redis and memcached, between the Linux kernel TCP/IP stack and a user-space TCP stack over 10 Gigabit Ethernet link. We have used mTCP with Intel DPDK as a user-space TCP/IP stack. Our experimental results show that an mTCP-based KVS server with a single thread improves the performance by up to 35 %; the performance of an mTCP-based server increases as the number of threads increases and an mTCP server finally outperforms up to 5.5 times faster than a standard TCP server. Our observation leads to optimistic conclusions on the feasibility of a fast and scalable KVS server utilizing a user-space TCP/IP stack.

Xiaohui Luo,Dong Liu,Xing Wu,Xunli Fan,Fengyuan Ren

DOI: https://doi.org/10.1109/bdcloud.2018.00100

2018-01-01

Abstract:Previous studies have shown that userspace TCP stacks have higher performance than the kernel version. One conventional wisdom is that using native APIs instead of system calls can reduce the context switching overheads. However, due to the non-compatible APIs, countless existing BSD-based applications have not benefited from the userspace TCP stacks yet. There is a gap between existing BSD-based applications and the userspace TCP stack. We propose a transparent socket layer (TSL) that allows applications transparently using the userspace TCP stacks. TSL consists of three components: (i) The transplant layer redirects original system calls into TSL's customized versions. (ii) The function call entry table holds the immediate state of function calls. (iii) The backend interacts with the table and executes the rest of TCP processing. In our evaluation, TSL has 2.3X~2.8X request rate compared with the kernel. We also show that TSL can benefit real applications, such as Netperf and Nginx.

Xiao-ning KANG,Dong-xing JIANG,Cheng ZHANG,Qi-xin LIU,Lin ZHOU,Hai-yan WU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.11.014

2005-01-01

Abstract:Network security is getting more important as the Internet evolves.Attacks like DoS,DDoS have become major attack methods on gigabit networks,not to mention the worms have used up network bandwidth.Traditional IDSes could not handle massive network data efficiently or block detected attacks in time.Focusing on those problems,this paper designed a distributed intrusion detection and blocking system which can run on high-speed networks efficiently,which is also known as IPS(Intrusion Prevention System).

LI Kai,XUE Yi-bo,WANG Chun-lu,WANG Dong-sheng

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.09.018

2006-01-01

Abstract:The Gigabit Network IPS(Intrusion Prevention System)is strongly required with the popularization of Gigabit Ethernet and the complication of network intrusion behavior.The key technologies of Gigabit Network IPS are introduced in this paper,and a new total solution of Gigabit Network IPS is addressed,then the detailed design and implementation of a hardware platform for high-speed packet processing is presented,and its work flow is analyzed,finally,the test performance of the system and its performance evaluation is also provided.

Dong Liu,Xiaohui Luo,Fengyuan Ren

DOI: https://doi.org/10.1109/iscc.2018.8538626

2018-01-01

Abstract:Network applications are widely distributed nowadays, most of which have steep demand on response time. Deploying multi-threaded design on multicore systems is beneficial of scaling applications' performance, but also requires an efficient TCP stack to support. mTCP is a highly scalable userlevel TCP stack fruitful in promoting scalability and improving performance, therefore adopted by more and more applications. However, the original mTCP APIs are not compatible with the in-kernel function calls in form, thus impeding the transparent employment as well as the convenient transplant of mTCP stack for users. To overcome the deficiency, we propose a transparent socket layer for mTCP (mTSL), which overrides the native mTCP APIs and redirects original system calls to our customized versions. Finally, mTSL not only achieves mTCP stack's thorough transparency to applications, but maintains the high performance of mTCP and outperforms Linux kernel stack by 8.9× with respect to throughput on a message benchmark as well as 1.44×~6.49× in terms of transaction rate for a real application.