Abstract
The constant increase in link speeds and in the number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput while performing ever more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increases the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s on synthetic network traces, and when monitoring real traffic through a commodity Ethernet interface it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that rely on pattern matching operations.
© 2008 Springer-Verlag Berlin Heidelberg
Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E.P., Ioannidis, S. (2008). Gnort: High Performance Network Intrusion Detection Using Graphics Processors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_7
DOI: https://doi.org/10.1007/978-3-540-87403-4_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87402-7
Online ISBN: 978-3-540-87403-4