kargus a highly scalable software based intrusion
play

Kargus: A Highly scalable Software based Intrusion Detection System - PowerPoint PPT Presentation

Sep 17, 2022 •353 likes •776 views

Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * , Jihyung Lee , Sangwoo Moon , InsuYun * , Deokjin Kim , Sungryoul Lee , Yung Yi , KyoungSoo Park * * Networked & Distributed

  1. Kargus: A Highly ‐ scalable Software ‐ based Intrusion Detection System M. Asim Jamshed * , Jihyung Lee † , Sangwoo Moon † , InsuYun * , Deokjin Kim ‡ , Sungryoul Lee ‡ , Yung Yi † , KyoungSoo Park * * Networked & Distributed Computing Systems Lab, KAIST † Laboratory of Network Architecture Design & Analysis, KAIST ‡ Cyber R&D Division, NSRI

  2. Network Intrusion Detection Systems (NIDS) Detect known malicious activities • – Port scans, SQL injections, buffer overflows, etc. Deep packet inspection • – Detect malicious signatures (rules) in each packet Desirable features • – High performance (> 10Gbps) with precision – Easy maintenance • Frequent ruleset updates NIDS NIDS Attack Internet Internet 2

  3. Hardware vs. Software H/W ‐ based NIDS IDS/IPS Sensors • (10s of Gbps) – Specialized hardware ~ US$ 20,000 ‐ 60,000 • ASIC, TCAM, etc. – High performance IDS/IPS M8000 – Expensive (10s of Gbps) • Annual servicing costs ~ US$ 10,000 ‐ 24,000 – Low flexibility S/W ‐ based NIDS • – Commodity machines – High flexibility – Low performance Open ‐ source S/W ≤ ~2 Gbps • DDoS/packet drops 3

  4. Goals – High performance S/W ‐ based NIDS • – Commodity machines – High flexibility 4

  5. Typical Signature ‐ based NIDS Architecture alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 ( msg:“possible attack attempt BACKDOOR optix runtime detection"; content:"/whitepages/page_me/100.html"; pcre:"/body=\x2521\x2521\x2521Optix\s+Pro\s+v\d+\x252E\d+\S+sErver\s+Online\x2521\x2521\x2521/" ) Multi ‐ string Match Rule Options Evaluation Packet Output Preprocessing Success Success Pattern Matching Evaluation Acquisition Decode Match Failure Evaluation Failure Malicious Flow management (Innocent Flow) (Innocent Flow) Flow Reassembly Bottlenecks * PCRE: Perl Compatible Regular Expression 5

  6. Contributions Goal Goal A highly ‐ scalable software ‐ based NIDS for high ‐ speed network A highly ‐ scalable software ‐ based NIDS for high ‐ speed network Slow software NIDS Fast software NIDS Bottlenecks Solutions Inefficient packet acquisition Multi ‐ core packet acquisition Expensive string & Parallel processing & PCRE pattern matching GPU offloading Fastest S/W signature ‐ based IDS: 33Gbps Fastest S/W signature ‐ based IDS: 33Gbps Outcome Outcome 100% malicious traffic: 10 Gbps 100% malicious traffic: 10 Gbps Real network traffic: ~24 Gbps Real network traffic: ~24 Gbps 6

  7. Challenge 1: Packet Acquisition Default packet module: Packet CAPture (PCAP) library • – Unsuitable for multi ‐ core environment Packet RX bandwidth * – Low performing 0.4 ‐ 6.7 Gbps – More power consumption Multi ‐ core packet capture library is required • CPU utilization 100 % [Core 1] [Core 1] [Core 2] [Core 2] [Core 3] [Core 3] [Core 4] [Core 4] [Core 5] [Core 5] [Core 7] [Core 7] [Core 8] [Core 8] [Core 9] [Core 9] [Core 10] [Core 10] [Core 11] [Core 11] 10 Gbps NIC A 10 Gbps NIC A 10 Gbps NIC B 10 Gbps NIC B 10 Gbps NIC C 10 Gbps NIC C 10 Gbps NIC D 10 Gbps NIC D * Intel Xeon X5680, 3.33 GHz, 12 MB L3 Cache 7

  8. Solution: PacketShader I/O PacketShader I/O • – Uniformly distributes packets based on flow info by RSS hashing • Source/destination IP addresses, port numbers, protocol ‐ id – 1 core can read packets from RSS queues of multiple NICs – Reads packets in batches (32 ~ 4096) Symmetric Receive ‐ Side Scaling (RSS) Packet RX bandwidth • 0.4 ‐ 6.7 Gbps – Passes packets of 1 connection to the same queue 40 Gbps [Core 1] [Core 1] [Core 2] [Core 2] [Core 3] [Core 3] [Core 4] [Core 4] [Core 5] [Core 5] CPU utilization Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q 100 % A1 A1 A1 B1 B1 B1 A2 A2 A2 B2 B2 B2 A3 A3 A3 B3 B3 B3 A4 A4 A4 B4 B4 B4 A5 A5 A5 B5 B5 B5 16 ‐ 29% 10 Gbps NIC A 10 Gbps NIC A 10 Gbps NIC A 10 Gbps NIC B 10 Gbps NIC B 10 Gbps NIC B * S. Han et al., “PacketShader: a GPU ‐ accelerated software router”, ACM SIGCOMM 2010 8

  9. Challenge 2: Pattern Matching CPU intensive tasks for serial packet scanning • Major bottlenecks • – Multi ‐ string matching (Aho ‐ Corasick phase) – PCRE evaluation (if ‘pcre’ rule option exists in rule) On an Intel Xeon X5680, 3.33 GHz, 12 MB L3 Cache • – Aho ‐ Corasick analyzing bandwidth per core: 2.15 Gbps – PCRE analyzing bandwidth per core: 0.52 Gbps 9

  10. Solution: GPU for Pattern Matching GPUs Aho ‐ Corasick bandwidth • 2.15 Gbps – Containing 100s of SIMD processors 39 Gbps • 512 cores for NVIDIA GTX 580 – Ideal for parallel data processing without branches DFA ‐ based pattern matching on GPUs • PCRE bandwidth – Multi ‐ string matching using Aho ‐ Corasick algorithm 0.52 Gbps – PCRE matching 8.9 Gbps Pipelined execution in CPU/GPU • – Concurrent copy and execution Engine Thread Engine Thread GPU GPU Packet Packet Packet Multi ‐ string Multi ‐ string Multi ‐ string Rule Option Rule Option Rule Option Multi ‐ string Multi ‐ string Multi ‐ string Preprocess Preprocess Preprocess Acquisition Acquisition Acquisition Matching Matching Matching Evaluation Evaluation Evaluation Matching Matching Matching Offloading Offloading Offloading Offloading Offloading Offloading PCRE PCRE PCRE Matching Matching Matching GPU Dispatcher Thread GPU Dispatcher Thread Multi ‐ string Matching Queue PCRE Matching Queue Multi ‐ string Matching Queue PCRE Matching Queue 10

  11. Optimization 1: IDS Architecture How to best utilize the multi ‐ core architecture? • Pattern matching is the eventual bottleneck • Function Time % Module acsmSearchSparseDFA_Full 51.56 multi ‐ string matching List_GetNextState 13.91 multi ‐ string matching mSearch 9.18 multi ‐ string matching in_chksum_tcp 2.63 preprocessing * GNU gprof profiling results Run entire engine on each core • 11

  12. Solution: Single ‐ process Multi ‐ thread Runs multiple IDS engine threads & GPU dispatcher threads concurrently • – Shared address space GPU memory usage – Less GPU memory consumption 1/6 – Higher GPU utilization & shorter service latency Core 6 Core 6 Single thread pinned at core 1 Single thread pinned at core 1 GPU Dispatcher Thread GPU Dispatcher Thread GPU Dispatcher Thread Rule Rule Rule Rule Rule Rule Rule Rule Rule Rule Rule Rule Rule Rule Rule Option Option Option Option Option Option Option Option Option Option Option Option Option Option Option Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Evaluation Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Multi ‐ string Matching Matching Matching Matching Matching Matching Matching Matching Matching Matching Matching Matching Matching Matching Matching Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Preprocess Packet Packet Packet Packet Packet Packet Packet Packet Packet Packet Packet Packet Packet Packet Packet Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Core 1 Core 1 Core 1 Core 2 Core 2 Core 2 Core 3 Core 3 Core 3 Core 4 Core 4 Core 4 Core 5 Core 5 Core 5 12

  13. Architecture Non Uniform Memory Access (NUMA) ‐ aware • Core framework as deployed in dual hexa ‐ core system • Can be configured to various NUMA set ‐ ups accordingly • ▲ Kargus configuration on a dual NUMA hexanode machine having 4 NICs, and 2 GPUs 13

  14. Optimization 2: GPU Usage Caveats • – Long per ‐ packet processing latency: • Buffering in GPU dispatcher – More power consumption • NVIDIA GTX 580: 512 cores Use: • – CPU when ingress rate is low (idle GPU) – GPU when ingress rate is high 14

  15. Solution: Dynamic Load Balancing Load balancing between CPU & GPU • – Reads packets from NIC queues per cycle – Analyzes smaller # of packets at each cycle ( a < b < c ) – Increases analyzing rate if queue length increases – Activates GPU if queue length increases Packet latency with GPU : 640 μ secs CPU: 13 μ secs a b c Internal packet queue (per engine) CPU GPU CPU GPU Queue Length α β γ a b c 15

  16. Optimization 3: Batched Processing Huge per ‐ packet processing overhead • – > 10 million packets per second for small ‐ sized packets at 10 Gbps – reduces overall processing throughput Function call batching • – Reads group of packets from RX queues at once – Pass the batch of packets to each function Decode(p)  Preprocess(p)  Multistring_match(p) 2x faster processing rate Decode(list ‐ p)  Preprocess(list ‐ p)  Multistring_match(list ‐ p) 16

  17. Kargus Specifications Intel X5680 3.33 GHz (hexacore) 12 GB DRAM (3GB x 4) 12 MB L3 NUMA ‐ Shared Cache $100 $1,210 NUMA node 2 NUMA node 1 NVIDIA GTX 580 GPU $370 $512 Total Cost Intel 82599 Gigabit Ethernet Adapter (dual port) (incl. serverboard) = ~$7,000 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Highly Scalable Highly Scalable Ethernets Ethernets Paul Bottorff, Chief Architect, Carrier

Highly Scalable Highly Scalable Ethernets Ethernets Paul Bottorff, Chief Architect, Carrier

I nternational Telecom m unication Union ITU-T Highly Scalable Highly Scalable Ethernets Ethernets Paul Bottorff, Chief Architect, Carrier Ethernet, Nortel MEF VP, S ecretary, and Board Member IEEE P802.1ah Editor pbottorf@ nortel.com

237 views • 21 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
A Highly Scalable Graph Clustering Library based on Parallel Union-Find Karthik Senthil Parallel

A Highly Scalable Graph Clustering Library based on Parallel Union-Find Karthik Senthil Parallel

A Highly Scalable Graph Clustering Library based on Parallel Union-Find Karthik Senthil Parallel Programming Laboratory University of Illinois at Urbana-Champaign 12 April 2018 16 th Annual Workshop on Charm ++ and its Applications 2018

386 views • 28 slides
The Scalable Commutativity Rule: Designing Scalable Software for Multicore Processors Austin T.

The Scalable Commutativity Rule: Designing Scalable Software for Multicore Processors Austin T.

The Scalable Commutativity Rule: Designing Scalable Software for Multicore Processors Austin T. Clements M. Frans Kaashoek Nickolai Zeldovich Robert Morris Eddie Kohler MIT CSAIL and Harvard Current approach to scalable software

1.48k views • 55 slides
Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

220 views • 21 slides
National Energy Research Scientific Computing Center (NERSC) Highly Scalable Networking

National Energy Research Scientific Computing Center (NERSC) Highly Scalable Networking

National Energy Research Scientific Computing Center (NERSC) Highly Scalable Networking Configuration Management For Highly Scalable Systems Nicholas P. Cardo NERSC Center Division, LBNL CUG 2008, Helsinki N ATIONAL E NERGY R ESEARCH S

877 views • 14 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Designing a Web of Highly-Configurable Designing a Web of Highly-Configurable Intrusion Detection

Designing a Web of Highly-Configurable Designing a Web of Highly-Configurable Intrusion Detection

Designing a Web of Highly-Configurable Designing a Web of Highly-Configurable Intrusion Detection Sensors Intrusion Detection Sensors Giovanni Vigna Vigna, Richard A. Kemmerer, and Per , Richard A. Kemmerer, and Per Blix Blix Giovanni RAID

660 views • 29 slides
Scalable and Cost-Effective Model-Based Software Verification and Testing University of

Scalable and Cost-Effective Model-Based Software Verification and Testing University of

Scalable and Cost-Effective Model-Based Software Verification and Testing University of Luxembourg Interdisciplinary Centre for Security, Reliability and Trust Software Verification and Validation Lab (www.svv.lu) May 17th, 2013 University of

1.03k views • 72 slides
The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias Vallentin 1 , Robin Sommer 2,3, Jason Lee 2 , Craig Leres 2 Vern Paxson 3,2 , and Brian Tierney 2 1 TU Mnchen 2 Lawrence Berkeley National

409 views • 25 slides
Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org 12/11/2020 1 Talk loosely based on following publications Han et al. SIGL: Securing Software Installations Through Deep Graph Learning ,

635 views • 41 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Highly-Scalable Algorithms for Ensemble Data Assimila8on Jeffrey

Highly-Scalable Algorithms for Ensemble Data Assimila8on Jeffrey

Highly-Scalable Algorithms for Ensemble Data Assimila8on Jeffrey Anderson, Nancy Collins, and Helen Kershaw Ins$tute for Mathema$cs Applied to Geophysics,

775 views • 63 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
A A SITUATION SITUATION A A SITUATION SITUATION 1 A A SITUATION SITUATION A A Remove

A A SITUATION SITUATION A A SITUATION SITUATION 1 A A SITUATION SITUATION A A Remove

Communication Rx: Why Your Chapter Communications Need a Check-up A A SITUATION SITUATION A A SITUATION SITUATION 1 A A SITUATION SITUATION A A Remove the clutter. Focus on SITUATION what really matters and you can SITUATION stand

255 views • 10 slides
Experience with MARQUIS II Luigi Brunetti, PharmD, MPH RWJUH Somerset 355 bed community

Experience with MARQUIS II Luigi Brunetti, PharmD, MPH RWJUH Somerset 355 bed community

RWJUH Somerset: Experience with MARQUIS II Luigi Brunetti, PharmD, MPH RWJUH Somerset 355 bed community teaching hospital 50,000 Emergency Department visits annually Member of RWJ Barnabas Health: the largest health system in

450 views • 8 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
CISC 323 Intro to Software Engineering Week 6: Design Patterns CISC 323 Intro to Software

CISC 323 Intro to Software Engineering Week 6: Design Patterns CISC 323 Intro to Software

CISC 323 Intro to Software Engineering Week 6: Design Patterns CISC 323 Intro to Software Engineering Lecture 6-1 Introduction to Design Patterns

1.13k views • 101 slides
Opportunistic Routing in Multi-hop Wireless Networks Sanjit Biswas and Robert Morris MIT CSAIL

Opportunistic Routing in Multi-hop Wireless Networks Sanjit Biswas and Robert Morris MIT CSAIL

Opportunistic Routing in Multi-hop Wireless Networks Sanjit Biswas and Robert Morris MIT CSAIL http://pdos.csail.mit.edu/roofnet/ ExOR: a new approach to routing in multi-hop wireless networks 1 kilometer Dense 802.11-based mesh

740 views • 26 slides
Rx: Curing your Asynchronous Programming Blues Bart J.F. De

Rx: Curing your Asynchronous Programming Blues Bart J.F. De

Rx: Curing your Asynchronous Programming Blues Bart J.F. De Smet Microso' Corpora,on bartde@microso'.com Why Should I Care? GPS RSS

705 views • 58 slides
Charm: Exploiting Geographical Diversity Through Coherent Combining in LPWANs OR When They Go

Charm: Exploiting Geographical Diversity Through Coherent Combining in LPWANs OR When They Go

Charm: Exploiting Geographical Diversity Through Coherent Combining in LPWANs OR When They Go Low, We Go Lower (Power) IPSN 2018, Porto Adwait Dongare , Revathy Narayanan, Akshay Gadre, Anh Luong, Artur Balanuta, Swarun Kumar, Bob Iannucci,

419 views • 24 slides
Q4 2017 Supplementary Slides February 22, 2018 1 Forward-looking Statements This presentation

Q4 2017 Supplementary Slides February 22, 2018 1 Forward-looking Statements This presentation

Q4 2017 Supplementary Slides February 22, 2018 1 Forward-looking Statements This presentation for Loblaw Companies Limited (Loblaw or the Company) contains forward-looking statements about the Companys objectives, plans, goals,

491 views • 6 slides

More recommend