goldeneye stream based network packet
play

GoldenEye: stream-based network packet inspection using GPUs Qian - PowerPoint PPT Presentation

Nov 24, 2022 •215 likes •473 views

FERMILAB-SLIDES-18-122-CD GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The 43nd IEEE Conference on Local Computer Networks October 4, 2018 This manuscript has been authored by Fermi Research

  1. FERMILAB-SLIDES-18-122-CD GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The 43nd IEEE Conference on Local Computer Networks October 4, 2018 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.

  2. Outline • Motivation of GPU-based traffic analysis • Framework of GPU-based traffic analysis • Performance evaluation • Conclusion & future work ----------------------------- CFermilab 2 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  3. ~ ~ ✓ · Network Traffic Analysis • Network traffic analysis tools provides indispensable information for o Operation & management o Performance troubleshooting o Network security o Statistical purpose Border / - ~ .._ - - ....._ . --..., Router - -- · - - ---,•,i-. - Internal et - 1.. ..... • - ·, _,, n tern 4 -- ~ ii-- ~ __ ; •• 'I) Network ..... ..... _ ___ -·, ._ ,_ .~ r : Porl-mkrored optical , traffic tap : ➔ 11n Analysis : Traffic L. ... System • Basic functions: o Profile traffic activities o Scan traffic content for suspicious patterns signatures CFermilab 3 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  4. Task Overview Stateful packet processing • Track and maintain the states of network functions: o TCP connections o Sub-string matches in intrusion detection systems Timely response • Fast and reliable network data processing at a link speed Protect traffic integrity • Packet shouldn’t be lost in processing cycle Challenges in data and state management ----------------------------- CFermilab 4 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  5. Data Management Challenges and Solutions Challenges: • High-speed networks Millions of packets } o 10/25/40GE-connected serves generated & o 100GE backbone technologies are commonplace transmitted per second • Complex packet analysis algorithms o Algorithms are increasingly complex as security threats become more sophisticated o Need a flexible and programmable computing platform ----------------------------- CFermilab 5 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  6. ✓ ✓ ✓ ✓ ✓ ✓ Data Management Solutions Solutions: • Heterogeneous data management • GPU-centric computing • GPU is specialized for data-parallel, large-throughput computations • Thousands of cores for massively parallelism • Tolerance of memory latency Features X High compute power Varies X High memory bandwidth Varies X Easy programmability X Data-parallel execution model ----------------------------- CFermilab 6 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  7. □ □ DI-­ Packet Processing on Heterogeneous Architectures Data processing flow: • CPU receives packets from NIC, parses headers and batches them in an input buffer. • When a specified batch size or a preset time limit is reached, the input buffer is transferred to the GPU memory via PCIe. • A set of GPU kernels are then launched to perform tasks such as IP address matching, cryptographic operations, and deep packet inspection. • The results are transferred back to the CPU memory to guide further actions. CPU memory GPU memory NIC PCIe bus Stage packets packets back-to-back I ------- … Packet batching can be a feasible way to improve GPU utilization, but it increases difficulties in stateful packet processing … -------------------- CFermilab 7 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  8. State Management Challenges Challenge 1: flow management & stream reassembly • Stateful network functions must both track the states of network connections and scan network packets at a per-flow level. • Flow state management and stream-reassembly require state synchronization when dealing with packets from the same connection. • Limited data parallelism when less simultaneous TCP connections are present. Conventional hash-based approach requires atomic locks with packets from the same TCP flow connection, and is prone to ambiguity caused by hash-key collision. : pre-received packets CFermilab 8 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  9. r : ~ : l □ J □D D State Management Challenges Challenge 2: Inter-batch state connection • Stateful packet inspection must detect signatures that straddle packet boundaries. • GPU’s batch -processing mechanism requires maintaining connection states and tracking potential sub-matches across input batches. sequence gap intra-batch stream reassembly Packet … 1.1 1.3 1.4 2.1 2.2 3.1 3.2 batch 1 Arriving time 7 I I . cross-batch pattern matching I 9 Packet D ODD II … malicious … 1.2 1.5 1.6 1.7 1.8 batch 2 patterns out-of-order packet arrives in subsequent batch Stateful packet inspection must detect and memorize the sub-matches across input batches. -------------------- CFermilab 9 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  10. ◊ State Management Solutions • Parallel flow management and stream processing via GPU sort and prefix-scan o Sort and prefix-scan are extremely fast on GPU (over ten billions of elements/sec). GPU packet analysis modules ,--------,1 ___ [.------ Per-flow state TCP data streams Flow state Payload GPU primitive .____________.I '-----I __ reassembly tracking libraries • Inter-batch network function state connection o Developed a buffer-free, cross-packet/batch pattern matching algorithm. o Combine the state and context information with packets in subsequent batches. Allow on-line packets to come through, States but retain and update the state information. k th batch k-1 th batch processing processing ------------------------ CFermilab 10 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  11. GoldenEye Network Traffic Analysis Framework GoldenEye Modules • • Packet capture & pre-processing Traffic statistic summary • • BPF filter Deep packet inspection • • Stream processor State buffer Traf fic Traf fic Statistic monitoring Analysis ~------------------------------7 I I IPS/IDS I I BPF Packet Capture Stream State Storage I I Network I I Filter Engine Processor I I : ~--------'' Traf fic I I DPI ~-------------------------------' Engineering (string/regex match) . . . '---------------- Network Traffic Source GPU Domain External Applications CFermilab 11 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  12. ~=~ ~□ I □ ~ □ DI □ Packet Capture and Processing on Multicore Systems Logics: • Multithreading packet capturing and pre-processing • Queue packets for batch processing • Dual-buffer for concurrent data transfer and GPU computing Multi-queue Multi-core GPU System NIC host system Packet batches at host RQ 1 core 1 packet capture pre- core n+1 … buffer B engine proc ~ I : ,..____, I ________ J________________ : Traffic Steering RQ 2 -=~~.___ ____ ____. _ __!Qj core 2 packet capture pre- … Network buffer A engine proc Traffic I … … I GPU H __ gggg1 RQ n core n Processing capture pre- … ,, engine proc Analysis results ,,., core n+1 External ..,_J 1- \ ,_/ I Applications ----------------------------- CFermilab 12 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  13. ◊ ◊ ◊ ◊ □ GPU-centric Stream Processor Tasks : • Monitor the states of TCP connections. • Reassemble TCP packets into bi-directional byte-streams. Implementations: • Stream reassembly: sort packets into streams by their TCP 4-tuples and sequences. • Flow state tracking: compare the stream states against existing connections. • Stream normalization: rescan flow-reassembled packets and remove retransmission. I 1 packet in : retransmission: a batch '----------------- I stream reassembly ITD [TI] I [IT] [TI] [IT]~ ·.. I [TI] ~ stream normalization flow reassembled I .. I [TI] ~ [IT] [TI] [IT]~ · OJ]! ....... ! L...a=J I I L...;...J packets update flow state records Hash Table of Flow records :=> C ----------------------------- CFermilab 13 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  14. Traffic Statistical Analysis Main strategy: • Similar to the TCP flow management function, GoldenEye’s statistical aggregation module is built with a set of primitive GPU sort and prefix-scan operations. Example use cases: • Host traffic monitoring Src IP Src Port Dest IP Dest Port Proto Pkt Sent Byte Sent 131.2.3.0 80 10.1.2.4 998 TCP 32 16484 10.1.2.4 998 131.2.3.0 80 TCP 121 179841 • Heavy-hitter Detection DoS detection Capacity Planning 14 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

  15. Stream-based Deep Packet Inspection Tasks: • Intra-batch pattern matching: o Perform pattern matching over stream-reassembled packets in the same batches. • Inter-batch pattern matching: o Detect and reconstruct signature patterns that straddle batch boundaries. ----------------------------- CFermilab 15 4/18/2019 GoldenEye: stream-based network packet inspection using GPUs, IEEE LCN 2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's

Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's

Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's network Interface card, which then filters packets based on the MAC address. A network packet has multiple concatenated components. 2 How Packets

625 views • 39 slides
General Packet Radio System (GPRS) Overview Overview Introduction Introduction General Packet

General Packet Radio System (GPRS) Overview Overview Introduction Introduction General Packet

General Packet Radio System (GPRS) Overview Overview Introduction Introduction General Packet Radio Service (GRPS) today Packet overlay network on top of the existing GSM (Digital) circuit switched voice-based network TCP/IP-based:

351 views • 14 slides
Class- -based Traffic Aggregation In Optical Packet based Traffic Aggregation In Optical Packet

Class- -based Traffic Aggregation In Optical Packet based Traffic Aggregation In Optical Packet

Class- -based Traffic Aggregation In Optical Packet based Traffic Aggregation In Optical Packet Class Switched WDM Networks Switched WDM Networks Reza Nejabati, Dimitra Simeonidou Photonic Network Research Center Department of Electronic

276 views • 14 slides
Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How to authenticate a data packet containing the electricity usage of a room at certain time? Data is signed, but how to verify the signature?

224 views • 19 slides
Typical Network Traffic Using Redundancy and Interleaving to Ameliorate the Majority is

Typical Network Traffic Using Redundancy and Interleaving to Ameliorate the Majority is

Typical Network Traffic Using Redundancy and Interleaving to Ameliorate the Majority is text-based Effects of Packet Loss in a Video File transfer, Email, Web Reliability is critical Stream Latency is not critical

423 views • 8 slides
Tiny%Packet%Programs% for%low4latency%network%control% Vimal %

Tiny%Packet%Programs% for%low4latency%network%control% Vimal %

Tiny%Packet%Programs% for%low4latency%network%control% Vimal % Mohammad%Alizadeh,%Yilong%Geng,%Changhoon%Kim,%David%Mazires% Timescales%of%Network%FuncFons% Network% Load%Balancing% Virtual%Network% CongesFon% Forwarding%% Provisioning%

567 views • 29 slides
Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed

Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed

Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed Network A Approaches for High Speed Network A h h f f Hi h S Hi h S d N t d N t k k Security Security Security Security APAN 32 nd Meeting

459 views • 21 slides
Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general):

Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general):

IN3210 Network Security Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general): Packet forwarding incl. routing Properties: Connection-less Adressing: source + destination IP address No

725 views • 47 slides
Modeling IEEE 802.15.4 based Wireless Sensor Network with Packet Retry Limits Prasan Kumar Sahoo

Modeling IEEE 802.15.4 based Wireless Sensor Network with Packet Retry Limits Prasan Kumar Sahoo

Modeling IEEE 802.15.4 based Wireless Sensor Network with Packet Retry Limits Prasan Kumar Sahoo Vanung University, Taiwan Jang-Ping Sheu National Tsing Hua University, Taiwan Outline Introduction Objectives System Model

834 views • 38 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs) packets being

485 views • 13 slides
Routing in packet-switching networks Circuit switching vs. Packet switching Most of WANs based on

Routing in packet-switching networks Circuit switching vs. Packet switching Most of WANs based on

Routing in packet-switching networks Circuit switching vs. Packet switching Most of WANs based on circuit or packet switching Circuit switching designed for voice Resources dedicated to a particular call Much of the time a data connection is

358 views • 14 slides
Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet capture and analysis October 2, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab

366 views • 17 slides
Packet Spraying in Geneve Overlay Network draft-xiang-nvo3-geneve-packet-spray-00 Haizhou Xiang ,

Packet Spraying in Geneve Overlay Network draft-xiang-nvo3-geneve-packet-spray-00 Haizhou Xiang ,

Packet Spraying in Geneve Overlay Network draft-xiang-nvo3-geneve-packet-spray-00 Haizhou Xiang , Huawei Yolanda Yu, Huawei Paul Congdon , Tallac Networks Jianglong Wang , China Telecom IETF 101, March 2018, London In In-netwo work rk

259 views • 10 slides
Packet Classification Omid Mashayekhi Vaibhav Chidrewar What is Packet Classification?

Packet Classification Omid Mashayekhi Vaibhav Chidrewar What is Packet Classification?

Packet Classification Omid Mashayekhi Vaibhav Chidrewar What is Packet Classification? Definition: The function of identifying and categorizing packets of data moving across the network Rule Source IP Dest IP Action R1 152.163.190.69/

574 views • 15 slides
1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

Network Layer Network Layer Chapter 4: Network Layer Mobile network Chapter goals: Global ISP understand principles behind network layer Network Layer services: Home network network layer service models Regional ISP forwarding

550 views • 3 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber Security Practice 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs)

593 views • 14 slides
t rt sr P

t rt sr P

r t rst Pr t r tr

653 views • 27 slides
Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate

Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate

Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate School {rbeverly,xie}@nps.edu February 8, 2012 CAIDA Workshop on Active Internet Measurements R. Beverly et al. (NPS) Opportunistic IPv6 Insight

568 views • 34 slides
S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada

S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada

S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada Gavrilovska Georgia Institute of Technology Network Function Virtualization (NFV) Virtualized Network Functions (VNFs) NAT IDS Web Caching VNF NF OS

542 views • 16 slides
Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by: Chris Crawford (DoD) - @zachtenenbaum and @srini are TAs What is Packet Analysis? - Packet Analysis is the capture and interpretation of the

814 views • 22 slides
Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

MIDeA: A Multi-Parallel Intrusion Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U., USA Sotiris Ioannidis, FORTH-ICS, Greece CCS 2011, 19 October 2011 Network Intrusion Detection Systems

548 views • 34 slides
Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California,

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California,

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California, Berkeley, CA Paul Thompson, CS Dept. Dartmouth College, Hanover, NH W2SP2007 Oakland, CA May 24, 2007 Outline 1.Motivation and Terminology

334 views • 30 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security & Privacy, May 2018 Malware and operating systems Malware and operating

690 views • 57 slides

More recommend