Gnort

High performance network intrusion detection using graphics processors

Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos P. Markatos, Sotiris Ioannidis

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

155 Citations (Scopus)

Abstract

The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.

Original language: English
Title of host publication: Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings
Pages: 116-134
Number of pages: 19
Volume: 5230 LNCS
DOIs: https://doi.org/10.1007/978-3-540-87403-4_7
Publication status: Published - 2008
Externally published: Yes
Event: Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings - Cambridge, MA
Duration: 15 Sep 2008 - 17 Sep 2008

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5230 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings
City: Cambridge, MA
Period: 15/9/08 - 17/9/08

Keywords

  • GPU
  • Intrusion detection systems
  • Network security
  • Parallel programming
  • Pattern matching
  • SIMD

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E. P., & Ioannidis, S. (2008). Gnort: High performance network intrusion detection using graphics processors. In Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings (Vol. 5230 LNCS, pp. 116-134). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5230 LNCS). https://doi.org/10.1007/978-3-540-87403-4_7

@inproceedings{5634dfcc32034e2e855694628ba94ace,
title = "Gnort: High performance network intrusion detection using graphics processors",
abstract = "The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.",
keywords = "GPU, Intrusion detection systems, Network security, Parallel programming, Pattern matching, SIMD",
author = "Giorgos Vasiliadis and Spiros Antonatos and Michalis Polychronakis and Markatos, {Evangelos P.} and Sotiris Ioannidis",
year = "2008",
doi = "10.1007/978-3-540-87403-4_7",
language = "English",
isbn = "354087402X",
volume = "5230 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "116--134",
booktitle = "Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings",

}

TY - GEN
T1 - Gnort
T2 - High performance network intrusion detection using graphics processors
AU - Vasiliadis, Giorgos
AU - Antonatos, Spiros
AU - Polychronakis, Michalis
AU - Markatos, Evangelos P.
AU - Ioannidis, Sotiris
PY - 2008
Y1 - 2008
N2 - The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.
KW - GPU
KW - Intrusion detection systems
KW - Network security
KW - Parallel programming
KW - Pattern matching
KW - SIMD
UR - http://www.scopus.com/inward/record.url?scp=56549099368&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=56549099368&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-87403-4_7
DO - 10.1007/978-3-540-87403-4_7
M3 - Conference contribution
SN - 354087402X
SN - 9783540874027
VL - 5230 LNCS
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 116
EP - 134
BT - Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings
ER -