MIDeA: A multi-parallel intrusion detection architecture

Giorgos Vasiliadis, Michalis Polychronakis, Sotiris Ioannidis

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

77 Citations (Scopus)

Abstract

Network intrusion detection systems are faced with the challenge of identifying diverse attacks, in extremely high speed networks. For this reason, they must operate at multi-Gigabit speeds, while performing highly-complex per-packet and per-flow data processing. In this paper, we present a multi-parallel intrusion detection architecture tailored for high speed networks. To cope with the increased processing throughput requirements, our system parallelizes network traffic processing and analysis at three levels, using multi-queue NICs, multiple CPUs, and multiple GPUs. The proposed design avoids locking, optimizes data transfers between the different processing units, and speeds up data processing by mapping different operations to the processing units where they are best suited. Our experimental evaluation shows that our prototype implementation based on commodity off-the-shelf equipment can reach processing speeds of up to 5.2 Gbit/s with zero packet loss when analyzing traffic in a real network, whereas the pattern matching engine alone reaches speeds of up to 70 Gbit/s, which is an almost four times improvement over prior solutions that use specialized hardware.
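The three-level split the abstract describes (NIC queues to cores, per-core flow state, batched pattern matching on an accelerator) is easiest to see in code. The sketch below is an added example, not the paper's code or any part of MIDeA: the class and function names, the constructed packets and the rule strings are this example's own; CRC32 over the sorted endpoints stands in for the NIC's receive-side-scaling hash, and a CPU-side Aho-Corasick automaton stands in for the GPU matching stage. What it shows beyond the abstract is why the design needs no locks (each worker owns the flows it sees, and the only shared object is read-only after it is built) and the cross-segment edge case a batched scanner has to handle.

```python
"""Added illustration, not code from the MIDeA paper: the abstract's partitioning
idea on constructed packets. Packets are hashed on their 5-tuple to one of N
worker queues (what a multi-queue NIC's receive-side scaling does), each worker
owns a private flow table so no lock is taken, and payloads are batched before
pattern matching (MIDeA's GPU stage; a CPU Aho-Corasick automaton stands in)."""
from collections import defaultdict, deque, namedtuple
import zlib

Packet = namedtuple("Packet", "src sport dst dport proto payload")

def symmetric_flow_hash(p, nqueues):
    """Queue index; endpoints are sorted first so both directions of a
    connection hit the same worker (symmetric RSS). CRC32 stands in for Toeplitz."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return zlib.crc32(f"{p.proto}|{lo}|{hi}".encode()) % nqueues

class AhoCorasick:
    """Multi-pattern matcher: one pass over the input finds every pattern."""
    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.maxlen = max(len(p) for p in self.patterns)
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for idx, pat in enumerate(self.patterns):  # build the trie
            s = 0
            for ch in pat:
                if ch not in self.goto[s]:
                    self.goto[s][ch] = len(self.goto)
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                s = self.goto[s][ch]
            self.out[s].add(idx)
        queue = deque(self.goto[0].values())  # depth-1 states fail to the root
        while queue:  # breadth-first pass fills in the remaining failure links
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, data):
        """Return (pattern index, start offset) for every match in data."""
        s, hits = 0, []
        for i, ch in enumerate(data):
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
            hits += [(idx, i + 1 - len(self.patterns[idx])) for idx in self.out[s]]
        return hits

class Worker:
    """One per CPU core: owns its queue, flow table and batch, shares nothing."""
    def __init__(self, matcher, batch_size=4):
        self.matcher, self.batch_size = matcher, batch_size
        self.flows = defaultdict(bytearray)  # flow key -> reassembled stream
        self.batch, self.alerts = [], []

    def ingest(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        buf = self.flows[key]
        off = len(buf)
        buf += p.payload
        # Keep maxlen-1 bytes of context so a pattern split across two segments
        # is still found; flush() then reports only matches ending in new data.
        start = max(0, off - (self.matcher.maxlen - 1))
        self.batch.append((key, start, off, bytes(buf[start:])))
        if len(self.batch) >= self.batch_size:
            self.flush()

    def flush(self):
        # Batching is what makes an accelerator stage pay off (one transfer,
        # many payloads); here the CPU automaton scans the batch instead.
        for key, start, off, data in self.batch:
            for idx, pos in self.matcher.search(data):
                pat = self.matcher.patterns[idx]
                if start + pos + len(pat) > off:  # ends in new bytes: unreported
                    self.alerts.append((key, pat, start + pos))
        self.batch.clear()

def run_nids(packets, patterns, nqueues=4, batch_size=4):
    """Dispatch packets to workers by flow hash; return every alert raised."""
    matcher = AhoCorasick(patterns)  # read-only once built: shared without a lock
    workers = [Worker(matcher, batch_size) for _ in range(nqueues)]
    for p in packets:
        workers[symmetric_flow_hash(p, nqueues)].ingest(p)
    for w in workers:
        w.flush()
    return [alert for w in workers for alert in w.alerts]

# Constructed sample traffic (not a real capture): a traversal string split
# across two TCP segments, the server's reply, and a second client flow.
RULES = [b"/etc/passwd", b"cmd.exe", b"UNION SELECT"]
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, 6, b"GET /../../etc/pas"),
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, 6, b"swd HTTP/1.1\r\n"),
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, 6, b"HTTP/1.1 404 Not Found\r\n"),
    Packet("10.0.0.7", 40002, "192.0.2.10", 80, 6, b"POST /x cmd.exe"),
    Packet("10.0.0.7", 40002, "192.0.2.10", 80, 6, b" more"),
]
```

Running `run_nids(SAMPLE_PACKETS, RULES)` raises exactly two alerts: `/etc/passwd` at stream offset 10 of the first flow, even though the string never appears whole in any single segment, and `cmd.exe` at offset 8 of the second flow, reported once although its bytes are re-scanned when the following segment arrives. The reply packet hashes to the same worker as the request because the hash is symmetric, which is the property that lets per-flow state stay private to one core.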

Original language: English
Title of host publication: CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security
Pages: 297-308
Number of pages: 12
DOIs: 10.1145/2046707.2046741
Publication status: Published - 2011
Externally published: Yes
Event: 18th ACM Conference on Computer and Communications Security, CCS'11 - Chicago, IL, United States
Duration: 17 Oct 2011 - 21 Oct 2011

Other

Other: 18th ACM Conference on Computer and Communications Security, CCS'11
Country: United States
City: Chicago, IL
Period: 17/10/11 - 21/10/11

Fingerprint

Intrusion detection
Processing
High speed networks
Pattern matching
Data transfer
Packet loss
Program processors
Throughput
Engines
Hardware

Keywords

  • Acceleration
  • GPU
  • Intrusion detection
  • NIDS
  • Pattern matching

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Vasiliadis, G., Polychronakis, M., & Ioannidis, S. (2011). MIDeA: A multi-parallel intrusion detection architecture. In CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security (pp. 297-308) https://doi.org/10.1145/2046707.2046741

MIDeA: A multi-parallel intrusion detection architecture. / Vasiliadis, Giorgos; Polychronakis, Michalis; Ioannidis, Sotiris. CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security. 2011. p. 297-308.

Vasiliadis, G, Polychronakis, M & Ioannidis, S 2011, MIDeA: A multi-parallel intrusion detection architecture. in CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security. pp. 297-308, 18th ACM Conference on Computer and Communications Security, CCS'11, Chicago, IL, United States, 17/10/11. https://doi.org/10.1145/2046707.2046741
Vasiliadis G, Polychronakis M, Ioannidis S. MIDeA: A multi-parallel intrusion detection architecture. In CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security. 2011. p. 297-308 https://doi.org/10.1145/2046707.2046741
Vasiliadis, Giorgos ; Polychronakis, Michalis ; Ioannidis, Sotiris. / MIDeA : A multi-parallel intrusion detection architecture. CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security. 2011. pp. 297-308
@inproceedings{5f01db572deb4a8791045c69f0b914ac,
title = "MIDeA: A multi-parallel intrusion detection architecture",
abstract = "Network intrusion detection systems are faced with the challenge of identifying diverse attacks, in extremely high speed networks. For this reason, they must operate at multi-Gigabit speeds, while performing highly-complex per-packet and per-flow data processing. In this paper, we present a multi-parallel intrusion detection architecture tailored for high speed networks. To cope with the increased processing throughput requirements, our system parallelizes network traffic processing and analysis at three levels, using multi-queue NICs, multiple CPUs, and multiple GPUs. The proposed design avoids locking, optimizes data transfers between the different processing units, and speeds up data processing by mapping different operations to the processing units where they are best suited. Our experimental evaluation shows that our prototype implementation based on commodity off-the-shelf equipment can reach processing speeds of up to 5.2 Gbit/s with zero packet loss when analyzing traffic in a real network, whereas the pattern matching engine alone reaches speeds of up to 70 Gbit/s, which is an almost four times improvement over prior solutions that use specialized hardware.",
keywords = "Acceleration, GPU, Intrusion detection, NIDS, Pattern matching",
author = "Giorgos Vasiliadis and Michalis Polychronakis and Sotiris Ioannidis",
year = "2011",
doi = "10.1145/2046707.2046741",
language = "English",
isbn = "9781450310758",
pages = "297--308",
booktitle = "CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security",
}

TY - GEN

T1 - MIDeA

T2 - A multi-parallel intrusion detection architecture

AU - Vasiliadis, Giorgos

AU - Polychronakis, Michalis

AU - Ioannidis, Sotiris

PY - 2011

Y1 - 2011

N2 - Network intrusion detection systems are faced with the challenge of identifying diverse attacks, in extremely high speed networks. For this reason, they must operate at multi-Gigabit speeds, while performing highly-complex per-packet and per-flow data processing. In this paper, we present a multi-parallel intrusion detection architecture tailored for high speed networks. To cope with the increased processing throughput requirements, our system parallelizes network traffic processing and analysis at three levels, using multi-queue NICs, multiple CPUs, and multiple GPUs. The proposed design avoids locking, optimizes data transfers between the different processing units, and speeds up data processing by mapping different operations to the processing units where they are best suited. Our experimental evaluation shows that our prototype implementation based on commodity off-the-shelf equipment can reach processing speeds of up to 5.2 Gbit/s with zero packet loss when analyzing traffic in a real network, whereas the pattern matching engine alone reaches speeds of up to 70 Gbit/s, which is an almost four times improvement over prior solutions that use specialized hardware.

AB - Network intrusion detection systems are faced with the challenge of identifying diverse attacks, in extremely high speed networks. For this reason, they must operate at multi-Gigabit speeds, while performing highly-complex per-packet and per-flow data processing. In this paper, we present a multi-parallel intrusion detection architecture tailored for high speed networks. To cope with the increased processing throughput requirements, our system parallelizes network traffic processing and analysis at three levels, using multi-queue NICs, multiple CPUs, and multiple GPUs. The proposed design avoids locking, optimizes data transfers between the different processing units, and speeds up data processing by mapping different operations to the processing units where they are best suited. Our experimental evaluation shows that our prototype implementation based on commodity off-the-shelf equipment can reach processing speeds of up to 5.2 Gbit/s with zero packet loss when analyzing traffic in a real network, whereas the pattern matching engine alone reaches speeds of up to 70 Gbit/s, which is an almost four times improvement over prior solutions that use specialized hardware.

KW - Acceleration

KW - GPU

KW - Intrusion detection

KW - NIDS

KW - Pattern matching

UR - http://www.scopus.com/inward/record.url?scp=80755187805&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80755187805&partnerID=8YFLogxK

U2 - 10.1145/2046707.2046741

DO - 10.1145/2046707.2046741

M3 - Conference contribution

AN - SCOPUS:80755187805

SN - 9781450310758

SP - 297

EP - 308

BT - CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security

ER -