Scheme Implementation (JSQ Must Keep the Same Flow Together)

Uploaded by: e****s | Document ID: 25636987 | Uploaded: 2017-12-16 | Format: PPT | Pages: 22 | Size: 857KB

Slide 1: Para-Snort: A Multi-thread Snort on Multi-Core IA Platform
- Tsinghua University
- PDCS 2009, November 3, 2009
- Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue and Jun Li

Slide 2: Outline
- Introduction of NIDS on IA
- Some previous work
- Structure of our system, what's different?
- Detailed module design
- Breaking the bottlenecks
- Para-Snort Performance
- Conclusions

Slide 3: NIDS on IA platform
- NIDS (Network Intrusion Detection System) looks into both header and payload of packets to identify intrusion
- Why on IA platform?
  - low price
  - easy to develop
  - flexibility on structure and ruleset
- But not so fast as ASICs or FPGA!

Slide 4: The structure of NIDS
- Snort by Sourcefire Inc.
- The most popular open source NIDS on IA platform
- Preprocess and Detect cost most computation power

Slide 5: Way to speed up?
- Multicore IA platform
  - Leads the trends of higher processor computation power
  - Need parallel structure of the software
  - Rarely leveraged in existing NIDS
- Two previous works: Supra-linear and MultiSnort

Slide 6: Supra-linear Packet Processing
- Intel Co. in 2006
- One data acquisition component
- Duplicated other components
- No memory sharing

Slide 7: MultiSnort
- Derek L. Schuff, Purdue University
- With memory sharing
- Not a clean-cut modular structure

Slide 8: Our design: ParaSnort
- Based on SnortSP 3.0, a new different branch
- Modular design
- Multifunction processing modules
- Memory sharing
- Optimization on core algorithms
- Sufficient speedup

Slide 9: Detailed module design
- Data Source: data acquisition and decoder
- Load Balance: dispatches traffic and makes multi-staged processing
- Processing Module
  - each is a single thread
  - preprocessors and detection engine
  - easy to develop functions other than intrusion detection, such as antivirus or URL filtering
- Output module: generate alert

Slide 10: Optimize Load Balancing
- SnortSP 3.0 provides IP hash algorithm
- Not so balanced when there are few flows
- Three improvement methods:
  - 5-tuple hash
  - Join the Shortest Queue
  - Modified-JSQ: reassign a flow when it has been silent for a long time

Slide 11: Optimize Multi-pattern Matching
- SnortSP 3.0 provides AC algorithm
- AC works fast, and when there are few matches, the cache locality is high.
- But when there are many matches in the traffic, the cache locality turns bad.
- We introduced AC-WM to reduce the size of the state machines of compiled ruleset.
- While it costs much less memory, AC-WM is a bit slower than AC for ordinary traffic, so users can decide which to use according to their network environment.

Slide 12: Para-Snort Performance

Slide 13: The Setup
- For tcpdump traces
- For real traffic
- two quad-core Xeon E5335 at 2.00GHz
- 4 GB DRAM
- Ubuntu 8.04
- Linux kernel version 2.6.27

Slide 15: Performance of 400-800 Mbps

Slide 16: Speedup of 4-7, almost linear for LL

Slide 17: Performance of different load balancers

Slide 18: Performance of Different Pattern Matching

Slide 19: Performance Summary
- Good speedup, up to 7. Performance up to 800 Mbps
- M-JSQ is fastest
- AC-WM costs less memory, but slower

Slide 20: Conclusions
- Multi-thread design fully utilizes multi-core CPU
- Modular design, multifunction process modules, easy to add modules.
- Solve the issues in load balancing and multi-pattern matching
- Can be NIPS if inline data source module added.

Slide 21: Questions
- Thank You
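An added example, not taken from the slides and not Para-Snort's own code, of the Modified-JSQ idea from the "Optimize Load Balancing" slide: a flow stays on the queue it was first given, and only a new flow or one that has been silent longer than a timeout goes to the currently shortest queue. The timeout value, the per-queue depth counter, the direction-independent flow key and all names are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed packet record: 5-tuple plus arrival time in seconds.
Packet = namedtuple("Packet", "src dst sport dport proto ts")

class MJSQDispatcher:
    """Flow-pinned Join-the-Shortest-Queue with idle-flow reassignment."""

    def __init__(self, n_queues, idle_timeout=5.0):
        self.depth = [0] * n_queues       # packets waiting per worker queue
        self.idle_timeout = idle_timeout  # assumed value; the slides give none
        self.flows = {}                   # flow key -> (queue index, last seen)

    @staticmethod
    def flow_key(p):
        # Assumption: both directions of a session share one key, so a
        # stream-reassembling worker sees the whole conversation.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (min(a, b), max(a, b), p.proto)

    def dispatch(self, p):
        key = self.flow_key(p)
        entry = self.flows.get(key)
        if entry is not None and p.ts - entry[1] <= self.idle_timeout:
            q = entry[0]                  # active flow: keep its queue
        else:
            # New flow, or silent long enough to move: shortest queue wins.
            q = min(range(len(self.depth)), key=self.depth.__getitem__)
        self.flows[key] = (q, p.ts)
        self.depth[q] += 1
        return q

    def complete(self, q):
        """A worker finished one packet taken from queue q."""
        self.depth[q] -= 1

def demo():
    d = MJSQDispatcher(n_queues=2, idle_timeout=5.0)
    # Constructed traffic: one busy flow, its reply, a second flow, a late packet.
    pkts = [Packet("10.0.0.1", "10.0.0.9", 40000, 80, "tcp", t * 0.1) for t in range(4)]
    pkts.append(Packet("10.0.0.9", "10.0.0.1", 80, 40000, "tcp", 0.5))  # reply, same flow
    pkts.append(Packet("10.0.0.2", "10.0.0.9", 40001, 80, "tcp", 0.6))  # new flow
    pkts.append(Packet("10.0.0.1", "10.0.0.9", 40000, 80, "tcp", 9.0))  # idle 8.5 s
    return [d.dispatch(p) for p in pkts]

if __name__ == "__main__":
    print(demo())
```

The busy flow and its reply stay on queue 0 even as that queue grows, the second flow goes to the empty queue 1, and the first flow is moved to queue 1 only after its idle gap exceeds the timeout.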
