9, SEPTEMBER 2012
1327
I. INTRODUCTION
Network intrusion detection system requirements have
been growing steadily over the past few years.
Organizations need security systems that are flexible and
adaptable in order to counter an increasing range of
threats: virus attacks, software vulnerabilities and other
malicious code, in addition to internal attacks [13].
Most network security architectures, such as firewalls and
intrusion detection systems, detect attacks on a system by
monitoring both incoming and outgoing network packets
[21]. Many intrusion detection systems compare network
packets against a rule set. Rules usually carry a filter
specification based on the header fields of a network
packet. If a packet matches one or more rules in the rule
set, the system sends an alert message and logs the event
to its log files.
About 75 percent of the total CPU processing time in a
modern NIDS is spent on signature matching [2], because
every byte of each packet has to be compared by the
string matching algorithms against a large set of strings
drawn from all rules in the rule set. Take the open-source
IDS Snort [18] for example: it has more than 10000
strings that need to be matched against each packet, and
memory is also needed to store the rules. Signature
matching slows down the processing rate and reduces the
throughput of the IDS.

Corresponding author: Gang Liang, lianggang@cs.scu.edu.cn.
Manuscript received September 23, 2011.
Much research has been done to improve packet-processing
throughput [4, 7, 8, 11, 17, 25, 23]. Special hardware
devices such as ASICs, network processors and GPUs have
been used to process many packets concurrently. They are
very efficient and perform well, but they are complex to
modify and program. Moreover, some of them are usually
tied to one specific implementation.
Multi-core processing is widely used in modern network
applications. MIPS multi-core processors are among the
most scalable, highest-performance and lowest-power
solutions for intelligent networking applications, covering
rates from 100 Mbps to 10 Gbps full duplex. In this paper
we explore how a MIPS multi-core processor can be used
to speed up the processing throughput of an intrusion
detection system. We have implemented a prototype
intrusion detection system that effectively utilizes the
multiple cores for pattern matching operations in real
time.
The paper is organized as follows. In the remainder of
the Introduction we give an overview of the MIPS
multi-core architecture used in this research. Section 2
briefly surveys related work. Sections 3 and 4 present our
prototype architecture and the implementation details,
respectively. In Section 5 we evaluate and analyse our
implementation. Finally, Section 6 presents our
conclusions.
A. Overview of the MIPS multi-core Architecture
In this section we briefly describe the architecture of the
Cavium Networks OCTEON MIPS multi-core processor.
Up to 16 MIPS cores are integrated onto each OCTEON
processor, and each core supports a superset of the
industry-standard MIPS64 and MIPS32 ISAs. The cache
hierarchy and memory subsystem are optimized for
multi-core programming, providing efficient data sharing
and minimal access latencies.
the output reports from the output buffer, which has been
allocated in the shared memory, and sends them to the
system's display.
The Snort rules are stored in flash memory before the
system starts. The state change graphs used for each rule
group are created in the initialization phase and then
stored in the system's shared memory. The system does
not support dynamic modification of the state graphs: to
change the rules, the rule file in flash memory must be
modified first, and the state change graphs are then
rebuilt by restarting the system.
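The Introduction attributes most of a NIDS's CPU time to matching every packet byte against the strings of the whole rule set, and the paragraph above describes the state change graphs that are built once per rule group at initialization and then only read. The following Python block, added here as an illustration and not taken from the paper's OCTEON implementation, builds such a graph as an Aho-Corasick automaton with a dense byte-indexed transition table and then scans a payload in a single pass, reporting every content string that occurs. The pattern group and the payloads are constructed examples, not real Snort rule content.

```python
"""Aho-Corasick 'state change graph' for one group of content strings.

Added illustration, not the paper's OCTEON code.  PATTERNS and the
payloads used with it are constructed examples, not real Snort content.
"""
from collections import deque

ALPHABET = 256        # one transition per byte value: a dense DFA row


class StateGraph:
    """Built once at initialization and only read afterwards, so it can be
    placed in shared memory and used by every core without locking."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [[-1] * ALPHABET]   # goto[state][byte] -> next state
        self.out = [[]]                 # out[state] -> indexes of patterns ending here
        for idx, pat in enumerate(self.patterns):
            self._insert(idx, pat)
        self._complete()

    def _insert(self, idx, pat):
        """Trie insertion: one path from the root per pattern."""
        s = 0
        for b in pat:
            if self.goto[s][b] == -1:
                self.goto.append([-1] * ALPHABET)
                self.out.append([])
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append(idx)

    def _complete(self):
        """Failure links computed breadth-first and folded into the table,
        so that scanning needs exactly one table lookup per payload byte."""
        fail = [0] * len(self.goto)
        queue = deque()
        for b in range(ALPHABET):
            nxt = self.goto[0][b]
            if nxt == -1:
                self.goto[0][b] = 0     # root loops on bytes that start nothing
            else:
                queue.append(nxt)
        while queue:
            s = queue.popleft()
            for b in range(ALPHABET):
                nxt = self.goto[s][b]
                if nxt == -1:
                    # no trie edge: borrow the transition of the failure state
                    self.goto[s][b] = self.goto[fail[s]][b]
                    continue
                fail[nxt] = self.goto[fail[s]][b]
                # a pattern that ends at the failure state also ends here
                self.out[nxt] = self.out[nxt] + self.out[fail[nxt]]
                queue.append(nxt)

    def scan(self, payload):
        """One pass over the payload; returns (offset, pattern) for every hit."""
        hits, s = [], 0
        for i, b in enumerate(payload):
            s = self.goto[s][b]
            for idx in self.out[s]:
                pat = self.patterns[idx]
                hits.append((i + 1 - len(pat), pat))
        return hits


# Constructed pattern group: "exe" is a suffix of "cmd.exe" and ".exe?"
# overlaps both, which is what exercises the failure links.
PATTERNS = [b"cmd.exe", b"/etc/passwd", b"exe", b".exe?"]
GRAPH = StateGraph(PATTERNS)   # the graph a rule change forces a restart to rebuild


def match_payload(payload):
    return GRAPH.scan(payload)


if __name__ == "__main__":
    for hit in match_payload(b"GET /x/cmd.exe?/c+dir"):
        print(hit)
```

Each state costs 256 table entries here, which is the memory-for-speed trade the text alludes to when it notes that memory is needed to store the rules; production engines compress the rows or use a sparse representation for large rule groups. Because the table is filled once and only read during scanning, it can sit in shared memory and be used by every core concurrently, at the cost of a restart whenever the rules change.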
A Snort detection system has four parts: the packet
decoder, the preprocessors, the detection engine and the
event output modules.
The packet decoder takes packets from different types of
network interfaces and prepares them to be preprocessed
or sent to the detection engine. The interfaces may be
Ethernet or SLIP. Our system receives network packets
from an Ethernet interface.
Preprocessors are components or plug-ins that can be used
with Snort to arrange or change data packets before the
detection engine operates on them to find out whether an
intruder is using the packet. Some preprocessors also
perform detection themselves, by finding anomalies in
packet headers and generating alerts. Preprocessors are
very important for any IDS, as they prepare data packets
to be analysed against the rules in the detection engine.
Preprocessors are also used for packet defragmentation:
when a large chunk of data is transferred to a host, it is
usually fragmented into several packets. Preprocessors in
Snort can defragment packets, reassemble TCP streams
and so on. Without this reassembly, a signature that is
split across a fragment or segment boundary never appears
whole in any single packet and escapes the detection
engine.
The detection engine is the most important part of an
intrusion detection system. Its responsibility is to detect
whether any intrusion activity is present in a packet. The
detection engine uses the Snort rules for this purpose. The
rules are read into internal data structures, or chains,
against which every packet is matched. If a packet matches
a rule, the appropriate action is triggered; otherwise the
packet is passed. Appropriate actions may be logging the
packet or generating an alert. The detection engine stops
further processing of a packet as soon as a rule matches.
This means that if a packet meets the criteria of several
rules, only the first matching rule is applied and no other
matches are looked for, so the order of the rules in the
rule set determines which action a packet receives.
The event output modules perform different operations
depending on how the output generated by Snort's logging
and alerting system is to be saved. They can log the
activity or generate an alert; logs are stored in simple
text files, tcpdump-style files or some other format.
Essentially, these modules control the type of output
generated by the logging and alerting system.
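The four stages just described, as an added Python illustration that is neither the paper's code nor Snort's: a decoder that pulls the header fields and payload out of a raw Ethernet/IPv4/TCP frame, a rule parser for the header part plus the msg and content options, a detection engine with the first-match semantics described above, and an output module that writes one text line per event. There is no preprocessor stage, and content is located with a plain substring search rather than a state graph, to keep the focus on the pipeline. The rules, addresses and frames are constructed for the example.

```python
"""Minimal Snort-style pipeline: decoder -> detection engine -> output.

Added illustration, not code from the paper or from Snort.  Rules, hosts
and frames are constructed; there is no preprocessor stage.
"""
import re
import socket
import struct

RULE_RE = re.compile(
    r'(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<opts>.*)\)')
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


def parse_rule(text):
    """Header fields plus the msg/content options this engine understands."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    opts = dict(OPT_RE.findall(rule.pop("opts")))
    rule["msg"] = opts.get("msg", "")
    rule["content"] = opts.get("content", "").encode()  # b"" = header-only rule
    return rule


def _pkt(proto, src, sport, dst, dport, payload):
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}


def decode(frame):
    """Packet decoder: Ethernet II -> IPv4 -> TCP/UDP fields plus payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                  # not IPv4: nothing to match
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 6:                                   # TCP: data offset in header
        sport, dport = struct.unpack("!HH", l4[:4])
        return _pkt("tcp", src, sport, dst, dport, l4[(l4[12] >> 4) * 4:])
    if proto == 17:                                  # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return _pkt("udp", src, sport, dst, dport, l4[8:])
    return _pkt("ip", src, None, dst, None, l4)


def _field_ok(want, have):
    return want == "any" or (have is not None and want == str(have))


def header_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and _field_ok(rule["src"], pkt["src"]) and _field_ok(rule["sport"], pkt["sport"])
            and _field_ok(rule["dst"], pkt["dst"]) and _field_ok(rule["dport"], pkt["dport"]))


def detect(rules, pkt):
    """Detection engine with the first-match semantics described in the text."""
    for rule in rules:
        if header_matches(rule, pkt) and rule["content"] in pkt["payload"]:
            return rule                              # stop at the first hit
    return None


def output_module(rule, pkt):
    """Event output: one plain-text log line per event."""
    return "[%s] %s %s:%s -> %s:%s" % (rule["action"], rule["msg"], pkt["src"],
                                       pkt["sport"], pkt["dst"], pkt["dport"])


def run(rule_text, frames):
    rules = [parse_rule(line) for line in rule_text.strip().splitlines()]
    events = []
    for frame in frames:
        pkt = decode(frame)
        rule = detect(rules, pkt) if pkt else None
        if rule and rule["action"] != "pass":
            events.append(output_module(rule, pkt))
    return events


def build_tcp_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip + tcp


# Constructed rule set: the pass rule must come first, because the engine
# stops at the first match and would otherwise alert on the exempt host.
RULES = """
pass tcp 10.0.0.9 any -> any 80 (msg:"scanner host exempt";)
alert tcp any any -> any 80 (msg:"cmd.exe in HTTP request"; content:"cmd.exe";)
alert tcp any any -> any 80 (msg:"/etc/passwd in HTTP request"; content:"/etc/passwd";)
"""
SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.7", 40000, "10.0.0.5", 80, b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.0\r\n"),
    build_tcp_frame("10.0.0.9", 40001, "10.0.0.5", 80, b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.0\r\n"),
    build_tcp_frame("10.0.0.7", 40002, "10.0.0.5", 22, b"SSH-2.0-cmd.exe\r\n"),
    build_tcp_frame("10.0.0.8", 40003, "10.0.0.5", 80, b"GET /cmd.exe?/etc/passwd HTTP/1.0\r\n"),
]


def demo():
    return run(RULES, SAMPLE_FRAMES)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The fourth frame carries both content strings, yet only the cmd.exe rule fires, and the second frame from the exempt host produces nothing because the pass rule is reached first: both are direct consequences of the first-match behaviour.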
We assume the workloads of the four parts are T1, T2, T3
and T4. Let the processing rate of a MIPS core be V and
the processing rate of the DFA engine be Vdfa. If we use
MIPS cores instead of the DFA engines to do the pattern
matching, the processing time T for a group of work units
is defined as:
Figure 4: Measured processing performance for different
packet sizes
VI. SUMMARY
We have introduced an intrusion detection system that
utilizes a MIPS multi-core structure to offload
pattern-matching computation, and have implemented it on
the OCTEON MIPS multi-core platform. The system
achieved a maximum throughput of 8 Gbit/s with small
64-byte packets, and its throughput exceeds 10 Gbit/s
when the packet size is larger than 128 bytes.
VII. ACKNOWLEDGMENTS