Overcoming performance collapse for 100Gbps cyber security

In this paper, we present a series of performance tests carried out on R-Scope Dominate-T (RDT), a 1U network security appliance configured with four Tilera Gx-36 processors and an aggregated network I/O capacity of 160Gbps. RDT is optimized with several high-performance computing techniques. On the software side, RDT runs Linux and a modified version of Bro (the open source network security monitor developed by the International Computer Science Institute) optimized with (1) intelligent IDS-aware packet queuing, (2) Bro-programmable packet shunting, (3) zero-locking IPC data structures, and (4) layer-4 packet prioritization. On the hardware side, the system leverages a many-core architecture with (1) 144 cores servicing 16 x 10Gbps network interfaces, (2) an on-chip ASIC-assisted engine delivering packets directly to Bro at wire rate, and (3) core-programmable zero-overhead/zero-interrupt Linux. The objective of this work is to contribute towards maximizing the amount of cyber security intelligence that a system can detect per unit of cost, where cost includes the processing time, space, energy, and capital equipment expenses incurred to perform such detection.
