A Hybrid CPU/GPU Pattern-Matching Algorithm for Deep Packet Inspection

The large quantities of data now being transferred via high-speed networks have made deep packet inspection indispensable for security purposes. Scalable and low-cost signature-based network intrusion detection systems have been developed for deep packet inspection for various software platforms. Traditional approaches that only involve central processing units (CPUs) are now considered inadequate in terms of inspection speed. Graphic processing units (GPUs) have superior parallel processing power, but transmission bottlenecks can reduce optimal GPU efficiency. In this paper we describe our proposal for a hybrid CPU/GPU pattern-matching algorithm (HPMA) that divides and distributes the packet-inspecting workload between a CPU and GPU. All packets are initially inspected by the CPU and filtered using a simple pre-filtering algorithm, and packets that might contain malicious content are sent to the GPU for further inspection. Test results indicate that in terms of random payload traffic, the matching speed of our proposed algorithm was 3.4 times and 2.7 times faster than those of the AC-CPU and AC-GPU algorithms, respectively. Further, HPMA achieved higher energy efficiency than the other tested algorithms.

[1]  Udi Manber,et al.  A FAST ALGORITHM FOR MULTI-PATTERN SEARCHING , 1999 .

[2]  Nen-Fu Huang,et al.  A GPU-Based Multiple-Pattern Matching Algorithm for Network Intrusion Detection Systems , 2008, 22nd International Conference on Advanced Information Networking and Applications - Workshops (aina workshops 2008).

[3]  Evangelos P. Markatos,et al.  Generating realistic workloads for network intrusion detection systems , 2004, WOSP '04.

[4]  Wenke Lee,et al.  A hardware platform for network intrusion detection and prevention , 2005 .

[5]  Christopher R. Clark,et al.  Efficient Reconfigurable Logic Circuits for Matching Complex Network Intrusion Detection Patterns , 2003, FPL.

[6]  Viktor K. Prasanna,et al.  Time and area efficient pattern matching on FPGAs , 2004, FPGA '04.

[7]  Sotiris Ioannidis,et al.  MIDeA: a multi-parallel intrusion detection architecture , 2011, CCS '11.

[8]  Jianfa Wu,et al.  Network Intrusion Detection Based on a General Regression Neural Network Optimized by an Improved Artificial Immune Algorithm , 2015, PloS one.

[9]  Mark Handley,et al.  Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics , 2001, USENIX Security Symposium.

[10]  Dionisios N. Pnevmatikatos,et al.  Pre-decoded CAMs for efficient and high-speed NIDS pattern matching , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[11]  Rachid Beghdad,et al.  Critical study of neural networks in detecting intrusions , 2008, Comput. Secur..

[12]  Eric Torng,et al.  Fast Regular Expression Matching Using Small TCAMs for Network Intrusion Detection and Prevention Systems , 2010, USENIX Security Symposium.

[13]  Robert S. Boyer,et al.  A fast string searching algorithm , 1977, CACM.

[14]  Nick Knupffer Intel Corporation , 2018, The Grants Register 2019.

[15]  HuangNen-Fu,et al.  A fast string-matching algorithm for network processor-based intrusion detection system , 2004 .

[16]  David F. Bacon,et al.  FPGA programming for the masses , 2013, CACM.

[17]  Carla E. Brodley,et al.  Offloading IDS Computation to the GPU , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[18]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[19]  En Zhu,et al.  An Efficient Pre-filtering Mechanism for Parallel Intrusion Detection Based on Many-Core GPU , 2009, FGIT-SecTech.

[20]  Seong-Won Lee,et al.  A high performance NIDS using FPGA-based regular expression matching , 2007, SAC '07.

[21]  Donald E. Knuth,et al.  Fast Pattern Matching in Strings , 1977, SIAM J. Comput..

[22]  Kevin Skadron,et al.  Scalable parallel programming , 2008, 2008 IEEE Hot Chips 20 Symposium (HCS).

[23]  Sun UltraSPARC,et al.  A closer look at GPUs , 2008, Commun. ACM.

[24]  J.B.D. Cabrera,et al.  On the statistical distribution of processing times in network intrusion detection , 2004, 2004 43rd IEEE Conference on Decision and Control (CDC) (IEEE Cat. No.04CH37601).

[25]  Jason Lee,et al.  The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware , 2007, RAID.

[26]  Fabrizio Petrini,et al.  Exact multi-pattern string matching on the cell/b.e. processor , 2008, CF '08.

[27]  Laxmi N. Bhuyan,et al.  Compiling PCRE to FPGA for accelerating SNORT IDS , 2007, ANCS '07.

[28]  Daxin Tian,et al.  Large-scale network intrusion detection based on distributed learning algorithm , 2008, International Journal of Information Security.

[29]  Yung Ryn Choe,et al.  Conservative vs. Optimistic Parallelization of Stateful Network Intrusion Detection , 2007, ISPASS 2008 - IEEE International Symposium on Performance Analysis of Systems and software.

[30]  Evangelos P. Markatos,et al.  : A DOMAIN-SPECIFIC STRING MATCHING ALGORITHM FOR INTRUSION DETECTION , 2003 .

[31]  Sotiris Ioannidis,et al.  Gnort: High Performance Network Intrusion Detection Using Graphics Processors , 2008, RAID.

[32]  Christopher Krügel,et al.  Stateful intrusion detection for high-speed network's , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[33]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.