DOI: 10.1145/2382196.2382232

Kargus: a highly-scalable software-based intrusion detection system

Published: 16 October 2012

Abstract

As high-speed networks become commonplace, it is increasingly challenging to prevent attack attempts at the edge of the Internet. While many high-performance intrusion detection systems (IDSes) employ dedicated network processors or special memory to meet the demanding performance requirements, this often increases cost and limits functional flexibility. In contrast, existing software-based IDS stacks fail to achieve high throughput despite modern hardware innovations such as multicore CPUs, manycore GPUs, and 10 Gbps network cards that support multiple hardware queues.
We present Kargus, a highly scalable software-based IDS that exploits the full potential of commodity computing hardware. First, Kargus batch-processes incoming packets at the network cards and achieves an input rate of up to 40 Gbps even for minimum-sized packets. Second, it exploits high processing parallelism by balancing the pattern-matching workload between multicore CPUs and heterogeneous GPUs, and benefits from extensive batch processing of multiple packets per IDS function call. Third, Kargus adapts its resource usage to the input rate, saving significant power under normal load. Our evaluation shows that Kargus on a 12-core machine with two GPUs handles up to 33 Gbps of normal traffic and achieves 9 to 10 Gbps even when all packets contain attack signatures, a 1.9x to 4.3x performance improvement over the existing state-of-the-art software IDS. We design Kargus to be compatible with the most popular software IDS, Snort.



    Published In

    CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
    October 2012
    1088 pages
    ISBN:9781450316514
    DOI:10.1145/2382196
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. batch processing
    2. gpu
    3. intrusion detection
    4. pattern matching

    Qualifiers

    • Research-article

    Conference

    CCS'12
    Sponsor:
    CCS'12: the ACM Conference on Computer and Communications Security
    October 16 - 18, 2012
    Raleigh, North Carolina, USA

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)58
    • Downloads (Last 6 weeks)3
    Reflects downloads up to 27 Nov 2024

    Cited By

    • (2024) HybridSA: GPU Acceleration of Multi-pattern Regex Matching using Bit Parallelism. Proceedings of the ACM on Programming Languages 8(OOPSLA2):1699-1728, 8 Oct 2024. DOI: 10.1145/3689771
    • (2024) AdaptChain: Adaptive Data Sharing and Synchronization for NFV Systems on Heterogeneous Architectures. IEEE Transactions on Parallel and Distributed Systems 35(7):1281-1292, Jul 2024. DOI: 10.1109/TPDS.2024.3400594
    • (2024) Enhancing Detection of Malicious Traffic Through FPGA-Based Frequency Transformation and Machine Learning. IEEE Access 12:2648-2659, 2024. DOI: 10.1109/ACCESS.2023.3348234
    • (2024) Identifying malicious traffic under concept drift based on intraclass consistency enhanced variational autoencoder. Science China Information Sciences 67(8), 23 Jul 2024. DOI: 10.1007/s11432-023-4010-4
    • (2023) Exploiting Structure in Regular Expression Queries. Proceedings of the ACM on Management of Data 1(2):1-28, 20 Jun 2023. DOI: 10.1145/3589297
    • (2023) Apt Detection of Ransomware - An Approach to Detect Advanced Persistent Threats Using System Call Information. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 1621-1630, 1 Nov 2023. DOI: 10.1109/TrustCom60117.2023.00221
    • (2023) RuleDRL: Reliability-Aware SFC Provisioning With Bounded Approximations in Dynamic Environments. IEEE Transactions on Services Computing 16(5):3651-3664, Sep 2023. DOI: 10.1109/TSC.2023.3281759
    • (2023) Bolt: Scalable and Cost-Efficient Multistring Pattern Matching With Programmable Switches. IEEE/ACM Transactions on Networking 31(2):846-861, Apr 2023. DOI: 10.1109/TNET.2022.3202523
    • (2023) Frequency Domain Feature Based Robust Malicious Traffic Detection. IEEE/ACM Transactions on Networking 31(1):452-467, Feb 2023. DOI: 10.1109/TNET.2022.3195871
    • (2023) Paradise: Real-Time, Generalized, and Distributed Provenance-Based Intrusion Detection. IEEE Transactions on Dependable and Secure Computing 20(2):1624-1640, 1 Mar 2023. DOI: 10.1109/TDSC.2022.3160879
