Resource allocation in network processors for network intrusion prevention systems

Networking applications with high memory-access overhead increasingly make use of network processors, which offer multiple hardware-multithreaded processor cores together with a versatile memory hierarchy. Given such rich hardware resources, however, performance depends on whether those resources are allocated properly. In this work we develop an NIPS (Network Intrusion Prevention System) edge gateway on the Intel IXP2400 by characterizing the processing stages and mapping them onto hardware components. The impact of resource allocation, and the strategy for choosing it, are also investigated through internal and external benchmarks. The main conclusions are: (1) the system throughput is governed mostly by the total number of threads, I×J, where I is the number of processors and J the number of threads per processor, as long as the processors are not fully utilized; (2) given an application, an algorithm and a hardware specification, an appropriate (I, J) for packet inspection can be derived; and (3) the effectiveness of multiple memory banks in tackling the SRAM bottleneck depends considerably on the algorithms adopted.
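The following is a small latency-hiding throughput model, added here as an illustration of conclusions (1) and (2) above; it is not the model or code from the paper. It assumes each packet costs a processor a fixed number of compute cycles plus a fixed number of memory-stall cycles, that threads on one processor overlap their stalls perfectly, and uses constructed sample costs (`SAMPLE_COST`) and a 600 MHz clock. Under those assumptions throughput rises with the total thread count I×J until each processor's execution unit is saturated, after which only adding processors helps, which is the caveat in conclusion (1).

```python
"""Simplified latency-hiding model for a multithreaded network processor.

Added illustration only (not the paper's model). All costs are assumed:
  compute_cycles - cycles a thread executes instructions per packet
  stall_cycles   - cycles a thread waits on SRAM/DRAM per packet
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketCost:
    compute_cycles: int  # assumed per-packet instruction cycles
    stall_cycles: int    # assumed per-packet memory-wait cycles


# Constructed sample: memory waits dominate, as the abstract describes.
SAMPLE_COST = PacketCost(compute_cycles=100, stall_cycles=300)
CLOCK_HZ = 600_000_000  # assumed microengine clock


def per_processor_rate(j_threads: int, cost: PacketCost) -> float:
    """Packets per cycle one processor sustains with j_threads.

    While one thread waits on memory another executes, so the rate grows
    with J until the execution unit is never idle; from then on the rate
    is bounded by compute_cycles alone (the 'fully utilized' case).
    """
    if j_threads < 1:
        return 0.0
    latency_bound = j_threads / (cost.compute_cycles + cost.stall_cycles)
    compute_bound = 1.0 / cost.compute_cycles
    return min(latency_bound, compute_bound)


def processor_utilization(j_threads: int, cost: PacketCost) -> float:
    """Fraction of cycles the execution unit is busy (0.0 .. 1.0)."""
    return per_processor_rate(j_threads, cost) * cost.compute_cycles


def system_throughput_pps(i_procs: int, j_threads: int,
                          cost: PacketCost, clock_hz: int) -> float:
    """Aggregate packets per second for an (I, J) allocation."""
    return i_procs * per_processor_rate(j_threads, cost) * clock_hz


def threads_to_saturate(cost: PacketCost) -> int:
    """Smallest J at which a processor is fully utilized: J >= (c + m) / c."""
    return math.ceil((cost.compute_cycles + cost.stall_cycles)
                     / cost.compute_cycles)


def derive_allocation(target_pps: float, cost: PacketCost, clock_hz: int,
                      max_threads_per_proc: int = 8) -> tuple[int, int]:
    """Pick (I, J) for a target rate: saturate each processor with threads
    (capped by the hardware context limit, 8 per IXP2400 microengine), then
    add processors until the target is met."""
    j = min(threads_to_saturate(cost), max_threads_per_proc)
    per_proc_pps = per_processor_rate(j, cost) * clock_hz
    i = math.ceil(target_pps / per_proc_pps)
    return i, j


if __name__ == "__main__":
    # Same total thread count, different split: equal while unsaturated.
    for i, j in [(4, 2), (2, 4), (1, 8)]:
        pps = system_throughput_pps(i, j, SAMPLE_COST, CLOCK_HZ)
        util = processor_utilization(j, SAMPLE_COST)
        print(f"I={i} J={j} (I*J={i*j}): {pps/1e6:.1f} Mpps, util={util:.2f}")
    print("allocation for 10 Mpps:", derive_allocation(10e6, SAMPLE_COST, CLOCK_HZ))
```

With the sample costs, (4, 2) and (2, 4) give the same 12 Mpps because both have eight threads and no processor is saturated, whereas (1, 8) gives only 6 Mpps: the single processor hits its compute bound at J = 4 and the extra threads buy nothing. Conclusion (3) is outside this model, since the stall cost is held fixed rather than depending on how an algorithm's accesses spread across memory banks.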
