A Capability-Based Hybrid CPU/GPU Pattern Matching Algorithm for Deep Packet Inspection

Network applications have developed rapidly in recent years, and communication between them involves transferring large quantities of data over high-speed networks. Deep packet inspection (DPI) has become indispensable for application-aware network security. One DPI service is the signature-based network intrusion detection system (NIDS), whose implementation on software platforms has become a trend because of the advantages of high programmability and low cost. Recently, graphics processing units (GPUs) have been commonly used to accelerate packet processing because of their superior parallel processing power. Since delivering all packets to the GPU causes high data transfer latency and consequently restricts overall performance, our previous study proposed a mechanism, HPMA, to reduce the effect of the transfer bottleneck and achieve higher processing speed. In this paper, we introduce an enhancement of HPMA, a capability-based hybrid CPU/GPU pattern matching algorithm (CHPMA). A preliminary experiment shows that CHPMA not only performs as efficiently as HPMA in most cases, but also obtains a higher performance gain than HPMA under unfavorable conditions.
