SF-TAP: Scalable and Flexible Traffic Analysis Platform Running on - - PowerPoint PPT Presentation

SF-TAP: Scalable and Flexible Traffic Analysis Platform Running on Commodity Hardware

Yuuki Takano, Ryosuke Miura, Shingo Yasuda Kunio Akashi, Tomoya Inoue

1

in USENIX LISA 2015 NICT, JAIST (Japan)

Table of Contents

• 1. Motivation
• 2. Related Work
• 3. Design of SF-TAP
• 4. Implementation of SF-TAP
• 5. Performance Evaluation
• 6. Conclusion

2

Motivation (1)

• Programmable application level traffic analyzer
• We want …
• to write traffic analyzers in any languages such

as Python, Ruby, C++, for many purposes (IDS/ IPS, forensic, machine learning).

• **not** to write codes handling TCP stream

reconstruction (quite complex).

• modularity for many application protocols.

3

Motivation (2)

• High speed application level traffic analyzer
• We want …
• to handle high bandwidth traffic.
• to handle high connections per second.
• horizontal and CPU core scalable analyzer.

4

Motivation (3)

• Running on Commodity Hardware
• We want …
• open source software.
• not to use expensive appliances.

5

Related Work

6

BPF [USENIX ATC 1993] netmap [USENIX ATC 2012] DPDK pcap GASPP [USENIX ATC 2014] SCAP [IMC 2012] libnids libprotoident nDPI l7-filter

(low level traffic capture) (flow oriented analyzer) (application traffic detector)

SF-TAP

+ modularity and scalability

High-level Architecture

• f SF-TAP

7

CPU CPU CPU CPU Flow Abstractor CPU CPU CPU CPU Flow Abstractor CPU CPU CPU CPU Flow Abstractor CPU CPU CPU CPU Flow Abstractor

Cell Incubator

The Internet

SF-TAP Cell SF-TAP Cell SF-TAP Cell SF-TAP Cell Intra Network Core Scaling Core Scaling Core Scaling Core Scaling

Horizontal Scaling

Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer Analyzer

10GbE 10GbE

Design Principle (1)

• Flow Abstraction
• abstract flows by application level protocols
• provide flow abstraction interfaces like /dev, /proc or BPF
• for multiple programming languages
• Modular Architecture
• separate analyzing and capturing logic
• easily replace analyzing logic

8

Design Principle (2)

• Horizontal Scalable
• analyzing logic tends to require many

computer resources

• volume effect should solve the problem
• CPU Core Scalable
• both analyzing and capturing logic should

be core scalable for efficiency

9

Design of SF-TAP (1)

10

NW I/F

HTTP I/F TLS I/F

Flow Abstractor Flow Classifier

TLS Analyzer HTTP Analyzer

HTTP Proxy TCP and UDP Handler

filter and classifier rule

L7 Loopback I/F

DB Forensic IDS/IPS etc... Application Protocol Analyzer etc...

TCP Default I/F UDP Default I/F

Analyzer Plane Abstractor Plane Capturer Plane

SF-TAP Cell Incubator

Flow Identifier Flow Separator

Separator Plane

separated traffic

SF-TAP Cell

L3/L7 Sniffer SSL Proxy etc...

• ther SF-TAP cells

IP Packet Defragmenter

L2 Bridge mirroring traffic

Packet Forwarder

IP Fragment Handler

defined 4 planes

Analyzer Plane

application level analyzers Forensic, IDS/IPS, etc…

Abstractor Plane

flow abstraction

Separator Plane

flow separation

Capturer Plane

traffic capturing

(ordinary tech.) (users of SF-TAP implements here) (we implemented) (we implemented)

Design of SF-TAP (2) SF-TAP Cell Incubator

11

SF-TAP Cell Incubator

Flow Separator separated traffic

• ther SF-TAP cells

L2 Bridge

Packet Forwarder

IP Fragment Handler

Packet Forwarder

layer 2 bridge layer 2 frame capture

IP Fragment Handler

handle fragmented packets

Flow Separator

separate flows to multiple Ifs

Design of SF-TAP (3) SF-TAP Flow Abstractor

12

NW I/F

HTTP I/F TLS I/F

Flow Abstractor Flow Classifier

TCP and UDP Handler

filter and classifier rule

L7 Loopback I/F TCP Default I/F UDP Default I/F Flow Identifier IP Packet Defragmenter

TCP and UDP Handler Flow Identifier IP Packet Defragmenter

reconstruct TCP flows identify flows by IP and port nothing to do for UDP defragment IP packets if needed

Design of SF-TAP (4) SF-TAP Flow Abstractor

13

NW I/F

HTTP I/F TLS I/F

Flow Abstractor Flow Classifier

TCP and UDP Handler

filter and classifier rule

L7 Loopback I/F TCP Default I/F UDP Default I/F Flow Identifier IP Packet Defragmenter

Flow Classifier

classify flows by regular expressions

• utput to abstraction IFs

Implementation

• SF-TAP cell incubator
• C++11
• it uses netmap, available on FreeBSD
• SF-TAP flow abstractor
• C++11
• it uses pcap or netmap
• available on Linux, *BSD, and MacOS
• Source Code
• https://github.com/SF-TAP
• License
• 3-clauses BSD

14

(updated from the paper)

Performance Evaluation (1)

15

packet drop against connections per second (pcap) 4K 10K 50K

Performance Evaluation (1)

16

forwarding performance of SF-TAP cell incubator

Mpps

4 8 12 16

fragment size (bytes)

64 128 256 512 1024 ideal (1) α->γ (2) α->β (3) α->β (3) α->γ

1 GbE x 12 10 GbE x 2

α β γ

cell incubator

to γ to β to β and γ

α β γ

Other Features

• L7 Loopback interface for encapsulated flows
• Load balancing mechanism for application

protocol analysers

• Separating and mirroring modes of SF-TAP cell

incubator

• See more detains in our paper

17

Conclusion

• We proposed SF-TAP for application level traffic

analysis.

• SF-TAP has following features.
• flow abstraction
• running on commodity hardware
• modularity
• scalability
• We showed SF-TAP has achieved high performance

in our experiments.

18