Para-Snort: A Multi-thread Snort on Multi-Core IA Platform
Tsinghua University
PDCS 2021
November 3, 2021
Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue and Jun Li

Outline
- Introduction of NIDS on IA
- Some previous work
- Structure of our system: what's different?
- Detailed module design
- Breaking the bottlenecks
- Para-Snort performance
- Conclusions

NIDS on IA platform
- A NIDS (Network Intrusion Detection System) looks into both the header and the payload of packets to identify intrusions
- Why on the IA platform?
  - Low price
  - Easy to develop
  - Flexibility in structure and ruleset
  - But not as fast as ASICs or FPGAs!

The structure of NIDS
- Snort by Sourcefire Inc.
- The most popular open source NIDS on the IA platform
- Preprocessing and detection cost the most computation power

Way to speed up?
- Multicore IA platform
- Leads the trend of higher processor computation power
- Needs a parallel structure in the software
- Rarely leveraged in existing NIDS
- Two previous works: Supra-linear and MultiSnort

Supra-linear Packet Processing
- Intel Co. in 2006
- One data acquisition component
- Other components duplicated
- No memory sharing

MultiSnort
- Derek L. Schuff, Purdue University
- With memory sharing
- Not a clean-cut modular structure

Our design: ParaSnort
- Based on SnortSP 3.0, a new, different branch
  - Modular design
  - Multifunction processing modules
  - Memory sharing
  - Optimization of core algorithms
  - Sufficient speedup

Detailed module design
- Data Source
  - Data acquisition and decoder
- Load Balance
  - Dispatches traffic and enables multi-staged processing
- Processing Module
  - Each is a single thread
  - Preprocessors and detection engine
  - Easy to develop functions other than intrusion detection, such as antivirus or URL filtering
- Output module
  - Generates alerts

Optimize Load Balancing
- SnortSP 3.0 provides an IP hash algorithm
- Not well balanced when there are few flows
- Three improvements:
  - 5-tuple hash
  - Join the Shortest Queue (JSQ)
  - Modified-JSQ
- Reassign a flow when it has been silent for a long time

Optimize Multi-pattern Matching
- SnortSP 3.0 provides the AC algorithm
- AC works fast, and when there are few matches, the cache locality is high.
- But when there are many matches in the traffic, the cache locality turns bad.
- We introduced AC-WM to reduce the size of the state machines of the compiled ruleset.
- While it costs much less memory, AC-WM is a bit slower than AC for ordinary traffic, so users can decide which to use according to their network environment.

Para-Snort Performance

The Setup
- For tcpdump traces
- For real traffic
- Two quad-core Xeon E5335 at 2.00 GHz
- 4 GB DRAM
- Ubuntu 8.04

Performance of 400~800 Mbps

Speedup of 4~7, almost linear for LL

Performance of different load balancers

Performance of Different Pattern Matching

Performance Summary
- Good speedup, up to 7. Performance up to 800 Mbps
- M-JSQ is fastest
- AC-WM costs less memory, but is slower

Conclusions
- Multi-thread design fully utilizes the multi-core CPU
- Modular design, multifunction processing modules, easy to add modules.
- Solves the issues in load balancing and multi-pattern matching
- Can be a NIPS if an inline data source module is added.

Questions
Thank You
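The dispatch policies named on the "Optimize Load Balancing" slide, compared on a trace with few flows. This is an added Python sketch, not Para-Snort or SnortSP code. The flow table, the direction-independent flow key, the queue-length counter, the 5-second idle timeout and the sample trace are all assumptions made for illustration.

```python
import zlib
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "ts src dst sport dport proto")

def flow_key(p):
    # Direction-independent 5-tuple so both halves of a connection share a thread
    # (an assumption of this sketch; stream reassembly needs both directions together).
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (a, b, p.proto)

def ip_hash(p, n):
    # Address-pair hash: all flows between the same two hosts land on one thread.
    return zlib.crc32("|".join(sorted([p.src, p.dst])).encode()) % n

def five_tuple_hash(p, n):
    return zlib.crc32(repr(flow_key(p)).encode()) % n

class ModifiedJSQ:
    """Join the Shortest Queue per flow; re-place a flow after it has been silent."""
    def __init__(self, n, idle_timeout=5.0):      # timeout value is hypothetical
        self.qlen = [0] * n                       # packets queued per processing thread
        self.flows = {}                           # flow_key -> (thread, last_seen)
        self.idle_timeout = idle_timeout

    def dispatch(self, p):
        key = flow_key(p)
        entry = self.flows.get(key)
        if entry is None or p.ts - entry[1] > self.idle_timeout:
            thread = self.qlen.index(min(self.qlen))   # new or long-silent flow
        else:
            thread = entry[0]                          # active flow keeps its thread
        self.flows[key] = (thread, p.ts)
        self.qlen[thread] += 1
        return thread

    def complete(self, thread):
        self.qlen[thread] -= 1                    # called when a thread finishes a packet

def constructed_trace(flows=4, per_flow=100):
    # Constructed sample: few flows, all between the same two hosts.
    return [Pkt(i * 0.001, "10.0.0.1", "10.0.0.2", 40000 + i % flows, 80, 6)
            for i in range(flows * per_flow)]

def distribution(trace, n=4):
    jsq = ModifiedJSQ(n)
    return {"ip_hash": Counter(ip_hash(p, n) for p in trace),
            "five_tuple": Counter(five_tuple_hash(p, n) for p in trace),
            "m_jsq": Counter(jsq.dispatch(p) for p in trace)}

if __name__ == "__main__":
    for name, counts in distribution(constructed_trace()).items():
        print(name, [counts[t] for t in range(4)])
```

On this trace the address-pair hash sends every packet to one thread, while the queue-aware dispatcher spreads the four flows evenly and still keeps each flow on a single thread.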