Para-Snort: A Multi-thread Snort on Multi-Core IA Platform
Tsinghua University
PDCS 2021, November 3, 2021
Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue and Jun Li

Outline
- Introduction of NIDS on IA
- Some previous work
- Structure of our system
- What's different?
- Detailed module design
- Breaking the bottlenecks
- Para-Snort Performance
- Conclusions

NIDS on IA platform
- NIDS (Network Intrusion Detection System) looks into both the header and the payload of packets to identify intrusions
- Why on IA platform?
  - Low price
  - Easy to develop
  - Flexibility in structure and ruleset
- But not as fast as ASICs or FPGAs!

The structure of NIDS
- Snort by Sourcefire Inc.
- The most popular open source NIDS on IA platform
- Preprocessing and detection cost the most computation power

Way to speed up?
- Multicore IA platform
  - Leads the trend toward higher processor computation power
  - Needs a parallel software structure
  - Rarely leveraged in existing NIDS
- Two previous works: Supra-linear and MultiSnort

Supra-linear Packet Processing
- Intel Co. in 2006
- One data acquisition component
- Duplicated other components
- No memory sharing

MultiSnort
- Derek L. Schuff, Purdue University
- With memory sharing
- Not a clean-cut modular structure

Our design: Para-Snort
- Based on SnortSP 3.0, a new, different branch
- Modular design
- Multifunction processing modules
- Memory sharing
- Optimization of core algorithms
- Sufficient speedup

Detailed module design
- Data Source: data acquisition and decoder
- Load Balance: dispatches traffic and makes multi-staged processing
- Processing Module
  - Each is a single thread
  - Preprocessors and detection engine
  - Easy to develop functions other than intrusion detection, such as antivirus or URL filtering
- Output module: generates alerts

Optimize Load Balancing
- SnortSP 3.0 provides an IP hash algorithm
- Not well balanced when there are few flows
- Three improved methods:
  - 5-tuple hash
  - Join the Shortest Queue (JSQ)
  - Modified-JSQ (M-JSQ): reassign a flow when it has been silent for a long time

Optimize Multi-pattern Matching
- SnortSP 3.0 provides the AC algorithm
- AC works fast, and when there are few matches, the cache locality is high.
- But when there are many matches in the traffic, the cache locality turns bad.
- We introduced AC-WM to reduce the size of the state machines of the compiled ruleset.
- While it costs much less memory, AC-WM is a bit slower than AC for ordinary traffic, so users can decide which to use according to their network environment.

Para-Snort Performance

The Setup
- For tcpdump traces
- For real traffic
- Two quad-core Xeon E5335 at 2.00 GHz
- 4 GB DRAM
- Ubuntu 8.04

Performance of 400-800 Mbps

Speedup of 4-7, almost linear for LL

Performance of different load balancers

Performance of Different Pattern Matching

Performance Summary
- Good speedup, up to 7
- Performance up to 800 Mbps
- M-JSQ is fastest
- AC-WM costs less memory, but is slower

Conclusions
- Multi-thread design fully utilizes the multi-core CPU
- Modular design, multifunction processing modules, easy to add modules
- Solves the issues in load balancing and multi-pattern matching
- Can be an NIPS if an inline data source module is added

Questions
Thank You
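
The load-balancing options from the "Optimize Load Balancing" slide, as an added Python example that is not code from the slides or from SnortSP: the IP-hash baseline, a 5-tuple hash, and one reading of Modified-JSQ. The Flow fields, the idle_timeout parameter, the queue-depth counter and the sample traffic are assumptions made for illustration.

```python
import zlib
from collections import namedtuple

# Constructed flow key; the field names are assumptions for this example.
Flow = namedtuple("Flow", "src dst sport dport proto")

def ip_hash(flow, n):
    """Baseline: hash the address pair only, so one host pair maps to one queue."""
    return zlib.crc32(f"{flow.src}|{flow.dst}".encode()) % n

def five_tuple_hash(flow, n):
    """Hash all five fields, so connections between the same hosts can spread."""
    return zlib.crc32("|".join(map(str, flow)).encode()) % n

class ModifiedJSQ:
    """Join the Shortest Queue per flow, with reassignment after a silent period."""

    def __init__(self, n, idle_timeout):
        self.depth = [0] * n              # packets waiting per processing thread
        self.idle_timeout = idle_timeout  # assumed unit: seconds
        self.table = {}                   # flow -> (queue index, last-seen time)

    def dispatch(self, flow, now):
        entry = self.table.get(flow)
        if entry is None or now - entry[1] > self.idle_timeout:
            # New flow, or one silent long enough that (by assumption) none of
            # its packets are still queued elsewhere: take the shortest queue.
            q = min(range(len(self.depth)), key=self.depth.__getitem__)
        else:
            q = entry[0]  # active flow stays on its thread, keeping packet order
        self.table[flow] = (q, now)
        self.depth[q] += 1
        return q

    def complete(self, q):
        """A processing thread calls this after finishing one packet."""
        self.depth[q] -= 1

def packets_per_queue(flows, n, pick):
    """One packet per flow, nothing completed yet: how many land on each queue?"""
    counts = [0] * n
    for f in flows:
        counts[pick(f)] += 1
    return counts

# Constructed traffic: four connections between the same two hosts.
FLOWS = [Flow("10.0.0.1", "10.0.0.2", 40000 + i, 80, "tcp") for i in range(4)]
```

With the four constructed flows, ip_hash puts every packet on a single queue, while ModifiedJSQ gives each of four queues one packet and moves a flow only after it has been silent longer than idle_timeout.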