Para-Snort: A Multi-thread Snort on Multi-Core IA Platform
Tsinghua University
PDCS 2021, November 3, 2021
Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue and Jun Li

Outline
- Introduction of NIDS on IA
- Some previous work
- Structure of our system, what's different?
- Detailed module design
- Breaking the bottlenecks
- Para-Snort Performance
- Conclusions

NIDS on IA platform
- NIDS (Network Intrusion Detection System) looks into both header and payload of packets to identify intrusion
- Why on IA platform?
  - low price
  - easy to develop
  - flexibility on structure and ruleset
- But not so fast as ASICs or FPGA!

The structure of NIDS
- Snort by Sourcefire Inc.
- The most popular open source NIDS on IA platform
- Preprocess and Detect cost most computation power

Way to speed up?
- Multicore IA platform
  - Leads the trend of higher processor computation power
  - Needs a parallel structure of the software
  - Rarely leveraged in existing NIDS
- Two previous works: Supra-linear and MultiSnort

Supra-linear Packet Processing
- Intel Co. in 2006
- One data acquisition component
- Duplicated other components
- No memory sharing

MultiSnort
- Derek L. Schuff, Purdue University
- With memory sharing
- Not a clean-cut modular structure

Our design: ParaSnort
- Based on SnortSP 3.0, a new different branch
- Modular design
- Multifunction processing modules
- Memory sharing
- Optimization on core algorithms
- Sufficient speedup

Detailed module design
- Data Source
  - data acquisition and decoder
- Load Balance
  - dispatches traffic and makes multi-staged processing
- Processing Module
  - each is a single thread
  - preprocessors and detection engine
  - easy to develop functions other than intrusion detection, such as antivirus or URL filtering
- Output module
  - generates alerts

Optimize Load Balancing
- SnortSP 3.0 provides an IP hash algorithm
- Not so balanced when there are few flows
- Three improved methods:
  - 5-tuple hash
  - Join the Shortest Queue (JSQ)
  - Modified-JSQ
    - Reassign a flow when it has been silent for a long time

Optimize Multi-pattern Matching
- SnortSP 3.0 provides the AC algorithm
- AC works fast, and when there are few matches, the cache locality is high.
- But when there are many matches in the traffic, the cache locality turns bad.
- We introduced AC-WM to reduce the size of the state machines of the compiled ruleset.
- While it costs much less memory, AC-WM is a bit slower than AC for ordinary traffic, so users can decide which to use according to their network environment.

Para-Snort Performance

The Setup
- For tcpdump traces
- For real traffic
- two quad-core Xeon E5335 at 2.00GHz
- 4 GB DRAM
- Ubuntu 8.04

Performance of 400~800 Mbps

Speedup of 4~7, almost linear for LL

Performance of different load balancers

Performance of Different Pattern Matching

Performance Summary
- Good speedup, up to 7. Performance up to 800 Mbps
- M-JSQ is fastest
- AC-WM costs less memory, but slower

Conclusions
- Multi-thread design fully utilizes multi-core CPU
- Modular design, multifunction processing modules, easy to add modules.
- Solves the issues in load balancing and multi-pattern matching
- Can be a NIPS if an inline data source module is added.

Questions
Thank You
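
Added example (not from the slides or from the Para-Snort code): a minimal sketch of the Modified-JSQ dispatcher described on the "Optimize Load Balancing" slide, where a flow keeps its worker thread while active and is reassigned by JSQ only after a long silence. The class name, the 30-second idle timeout, the direction-independent flow key and the sample packets are assumptions constructed for illustration.

```python
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src dst sport dport proto")

class MJSQBalancer:
    """Modified-JSQ: a flow stays on one worker until it has been idle too long."""

    def __init__(self, n_workers, idle_timeout=30.0):
        self.queue_len = [0] * n_workers  # packets waiting per worker thread
        self.idle_timeout = idle_timeout  # seconds (assumed value)
        self.flows = {}                   # flow key -> [worker, last_seen]

    @staticmethod
    def flow_key(t):
        # Assumption: order the endpoints so both directions of a connection
        # share one key and reach the same per-thread reassembly state.
        a, b = (t.src, t.sport), (t.dst, t.dport)
        return (min(a, b), max(a, b), t.proto)

    def dispatch(self, t, now):
        key = self.flow_key(t)
        entry = self.flows.get(key)
        if entry and now - entry[1] <= self.idle_timeout:
            entry[1] = now                # active flow: keep thread affinity
            worker = entry[0]
        else:
            # New flow, or silent long enough to rebalance: plain JSQ choice.
            worker = min(range(len(self.queue_len)),
                         key=self.queue_len.__getitem__)
            self.flows[key] = [worker, now]
        self.queue_len[worker] += 1
        return worker

    def done(self, worker):
        """Called by a worker thread after it finishes one packet."""
        self.queue_len[worker] -= 1

def demo():
    # Constructed packets: flow A (both directions) and a second flow B.
    lb = MJSQBalancer(n_workers=2, idle_timeout=30.0)
    a = FiveTuple("10.0.0.1", "10.0.0.9", 40000, 80, "tcp")
    a_rev = FiveTuple("10.0.0.9", "10.0.0.1", 80, 40000, "tcp")
    b = FiveTuple("10.0.0.2", "10.0.0.9", 40001, 80, "tcp")
    out = [lb.dispatch(a, 0.0), lb.dispatch(a, 0.1), lb.dispatch(a_rev, 0.2)]
    out.append(lb.dispatch(b, 0.3))   # new flow joins the shorter queue
    out.append(lb.dispatch(a, 60.0))  # A was silent > 30 s, so it is reassigned
    return out, lb.queue_len
```

Plain JSQ would send each packet of flow A to whichever queue is shortest at that instant, splitting one connection across threads; the flow table is what prevents that.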