Gnort: High Performance Network Intrusion Detection Using Graphics Processors

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2008)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5230)

Abstract

The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.

Editor information

Richard Lippmann, Engin Kirda, Ari Trachtenberg

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E.P., Ioannidis, S. (2008). Gnort: High Performance Network Intrusion Detection Using Graphics Processors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_7

  • DOI: https://doi.org/10.1007/978-3-540-87403-4_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87402-7

  • Online ISBN: 978-3-540-87403-4

  • eBook Packages: Computer Science, Computer Science (R0)
