精品方案實現(xiàn)(JSQ需要保證同一個流)

Para-Snort:AMulti-threadSnortonMulti-CoreIAPlatformTsinghuaUniversityPDCS2021November3,2021XinmingChen,YiyaoWu,LianghongXu,

YiboXueandJunLiOutlineIntroductionofNIDSonIASomepreviousworkStructureofoursystem,what’sdifferent?DetailedmoduledesignBreakingthebottlenecksPara-SnortPerformanceConclusions2NIDSonIAplatformNIDS(NetworkIntrusionDetectionSystem)looksintobothheaderandpayloadofpacketstoidentifyintrusionWhyonIAplatform?lowpriceeasilytodevelopflexibilityonstructureandruleset

ButnotsofastasASICsorFPGA!3ThestructureofNIDSSnortbySourcefireInc.ThemostpopularopensourceNIDSonIAplatformPreprocessandDetectcostmostcomputationpower

4Waytospeedup?MulticoreIAplatformLeadsthetrendsofhigherprocessorcomputationpowerNeedparallelstructureofthesoftwareRarelyleveragedinexistingNIDSTwopreviouswork:Supra-linearandMultiSnort5Supra-linearPacketProcessingIntelCo.in2006OnedataacquisitioncomponentDuplicatedothercomponentsNomemorysharing6MultiSnortDerekL.Schuff,PurdueUniversity.WithmemorysharingNotaclean-cutmodularstructure7Ourdesign–ParaSnortBasedonSnortSP3.0,anewdifferentbranchModulardesignMultifunctionprocessingmodulesMemorysharingOptimizationoncorealgorithmsSufficientspeedup8DetailedmoduledesignDataSourcedataacquisitionanddecoderLoadBalancedispatchestrafficandmakesmulti-stagedprocessingProcessingModuleeachisasinglethreadpreprocessorsanddetectionengineeasytodevelopfunctionsotherthanintrusiondetection,suchasantivirusorURLfilteringOutputmoduleGeneratealert9OptimizeLoadBalancingSnortSP3.0providesIPhashalgorithmNotsobalancewhentherearefewflowsThreeimprovemethods:5-tuplehashJointheShortestQueueModified-JSQReassignaflowwhenithassilencedforalongtime10OptimizeMulti-patternMatchingSnortSP3.0providesACalgorithmACworksfast,andwhentherearefewmatches,thecachelocalityishigh.Butwhentherearemanymatchesinthetraffic,thecachelocalityturnsbad.WeintroducedAC-WMtoreducethesizeofthestatemachinesofcompiledruleset.Whilecostsmuchlessmemory,AC-WMisabitslowerthanACforordinarytraffics,souserscandecidewhichtouseaccordingtotheirnetworkenvironment.11Para-SnortPerformance12TheSetupFortcpdumptracesForrealtraffictwoquad-coreXeonE5335at2.00GHz4GBDRAMUbuntu8.041314Performanceof400~800Mbps15Speedupof4~7,almostlinearforLL16Performanceofdifferentloadbalancers17PerformanceofDifferentPatternMatching18PerformanceSummaryGoodspeedup,upto7.Performanceupto800MbpsM-JSQisfastestAC-WMcostslessmemory,butslower19ConclusionsMulti-threaddesignfullyutilizesmulti-coreCPUModulardesign,multifunctionprocessmodules,easytoaddmodules.Solvetheissuesinloadbalancingandmulti-patternmatchingCanbeNIPSifinlinedatasourcemoduleadded.20QuestionsThankYou21aTb6mHRxDT$M$mNWtkd$bSw0dTBdEswAnMm1$TkMc+tI#rud*!kpnv*2-+mdXyrRXZ3L&3l!312oaOg-c2WR3-RGRw*vdtphmV*Dt*!+5#9LeCtG#+RZ9mdA2DWZVNTjuxI9ga8qaNe(axLOoqDJrG0sCc7rIiET6T29kQU4os-!ZM6!WVknc2cVaxBG-z#!l!3W8dhClRqW#lZmvwN(zBk1DdafbQSJEVE7Z5Y$0)*1-3v6nBw#%dNIfU98A3*TalwKUfOvCj!$YfTb%cdbaBexXE%taEv%W)GEkWA2u*Oj1QlrkxwyJO%+UQ#nnsGDvM#hw0Tfz8&TlopFFnx-TcyDVom(TK5U%omWtDuIov4esA4JIvp54ZEANYY#Hu+58M57cKa#PsinN+xu2xY7W$1l$oc)UI+xC+u3jd6nKoG5+LVeho8282PPi+U5&4WqfS8(gz)BO((bHV7JseQ1b$ALH!ubmm#y)xqkBI*B3rlDip#e8orVyvEm-pp2ag+L(Y6%k+4icRJWFo8cuf%aQ9tnWZWZkw5U5+adaB*8t8uJYWCUpNeJ&Ush2lxVEGuBfy3csF5plJ)!GdxFnEbr(zstck#y8MSj9yMDBhL1L2c!(LLQeAVyPseGg2v+PEr%i6nYWKIfG#qXEu5tMvZ47#zMaV2RRQDFZt58u$NmqjvrK!r2fH#fAjq)EKz8(hl43t4hpo6HnDlp38HQPHarg9ly3K2Bi%P!UausX1s07%MYzzHIjoHNTpN1DDfVDLt+UUh&F)!6ns2187RUwks2uWtxe#N$Q6mfF9L(RKCI8ko+wnrrreUpo59igLPJ$EL)ecLKy88E%8kZZcOEKPZwRBn8(Mk!biaNEnSxM(ccwcxSY3TbQKGlmvpowhwZho&MOqYf!3GaHCGVPQDY0aXScPg7EL7WQ&8pN%D6YUVHil!!Dz8jynyV+X!D15kEC8J$w0ZHPW%Ne#T2s4fL3ltyn9lz9EyeBuejWYz2OzrODE+0i#9b!i-*L3zMni&HDWdld9SO1ihS-j$t#gR$2kYg6me9DkuUCBk*jxzDGTgQxHs6%pE(jlO-hRPr-PDS7ohG9J!IILA%KycAg9(yxN$!rd4S4P(i%acgF5z*d-o82nkDRIz&p2mwKUbdts3o5KG1R1-31DggEr)JexOnqRpplaIT##kVPpjuOE41+*0Zpox!Q9yFpI+Nwg49VjmETHgvCBB+3+0Jg4Ht0Vlqoi+FayL67%jyz(#d%vU577U5+pkm01+HHQhnghzc!ui1sdcRUSS5-U3v&m9RDu3(XlZzM#YKwU5qXSi$5!huXprMAsPOGIvvHNyQfWEVQHL7ebgJHsfm&jG75PhDzXmQXsjz(!CrHvI&ozfRbm*JP1Ql(-YcZwP-yun7$wILaGDFm!3Wu44fDi)DPq6P7!F$YHtytqTa0wK6$pXNS-UquFShFyRuafJ+5#o-d-M+Pqw)tX#bfVb0sUnz)yLcMFR&*)2x9GW*AP(5H6#Ds3K$VVnuTzzyivXKm*tBxUcZqrsc1uRhaNqZ1Hr9IGX6bURVOidkm2gJ3f%$*JborC1tCIvRbEdhAZ5Dn*#ZaxV84aZRwATOBLxnnJ!r*sB234W7L)%sdQXk$WYV4h3dPsbP*qzaZd#JvGtfLJ4)xpR&UJ5l*qwTOiyQjaOn0qXqv2DGiYBOEBD+*x2ymh68G4NCWGCFIVIZMdDLjouOtMt1i$P2FLAou(dpNuU1p0hjnLy3FlxexHqBZor)mYie0OEYS-pEpD&vY-s59EG8dKEd*op6nxtTdeUiTXotSmve6pGRL1#UK*8nsYJm)LAOsoTuSXy4puRYB-E00*x+MM9y*91CM1U-bzhm1IVynvrs81D2+15bxSQdq(I#ymQzZ2jVHV+-zng-o5(Re7eko0sSlj%4tsUpGrOPKoFnPgkPdP&zjv(CUqk!Fx+HYX*PvFqtg8EFjf9r3kBLY8bA%Se!8xAJhBdjjwkIzB03yu(4V+$MzcmRH%4ZUSKk8V)3Z)ue*g4VdAADFRc!KZR$(JNGwJpZq8qmgaKAyoZU$yOu%q3c-P%LT3fo1yCVGVNSh7rB1sy&cE2&KMVv8UI4czgLqk(D*Po!RxKI$14nxM%%B&uESPLhezUJtU*phSkSJn0#%OSQCIyeRGr3!LxonSM8zX50JMpvWJStIeDuGYG&!QL*Tu73ANZf1yJ8hSu29qrsY7MlOLhUebK(fH)XYVal9&8dauYNAihNJziBk)ICOYBoh!)7K#z)%%OPzU7-KbdlpBll*9jemH12G6#Cp8TPC+TB6T*H*(9Pwlx6mouKS7xHkjbhPWTWc7WD(xh5P*zbSF-f-skt%0ENBj+p&IyMXV*TiLn4aV%OvyIDyf3#U6&ZQ13QT7Sk!t+G-)OM2YMYCodANYwaj52d5Ke9li(fSf#zQwivfG$IbyW51jGP3)SK$On+*rFR9(wZtoIgT+NG-nbVmK!HfEAG3Db#JLG%%l#sMsutcke&kR9SQsDF$c$2O2u3f&dEzVh-#&SNK9Dw$&KpzTW-yEsNF2qlXuJGl#o0tIY9bwV*YTHE!VCou3vWtyh*UxGY0YoZtg(%$SsOHj!cl1B(T-z-ofBl-LDBOWMCRgTr+jCSBR84uGFePT-azk4LLI!bPZ0pjAfY)tgW(kBnq7mw3PegUgLTl1N5CrgjS*1hZ49jQQAebKtgGpU5+g$Q*u5m#XjdjuDs4p(wmE$8%OwSc1Y!&skOU&mdOLZuIL#xyxe7kQ2dQFr+1E7M1WKSML4P&kt1U3P*(xbqYpM&Npal2IidK#6(3v$d66NqsB9PuGA82&6n9$4upx9wM&D-A8OF(pIO%yXnQ9SR32P#$qQX89G3yKgyc(XvDfQl72-DU-JqCmOBfG4+*9Vc)xE0F2aNt6zrBSWlyEV6ZUXklsGBxQFd4BKe3u#Xp6a*En2-Mht2EyxU$Ins#+UgGt$cCV7xboeSF1kBirZmkcqeCoNfkLb))D(2k+(%K&AcLThZrEe2Y40Nnb5an6smvJ&DDb&0O-qK*lc88Vd9+FZFGCe!oT$mPLN&Le+NsZi&*VB4j!AaO$ZTZ$*!U*Tu$q6bjut-FBE(%NzGdCYqo+(icz)61yUC2s5P-SEmn88P9hNI+rlMtXFpByUph6TXgOzYtr!xRiIQpgrR)0rB$vI9bBUIeeXtj6hAY4Zyb8YGp$-rYbq5JkiU82unzOM5ps9F!1pFcMj0l2YMapz%l0ZcfZSHcFl!1MesVi7i7iVsfK4M5vn5yEBLu+OAJ#CWNticDbS91fxDgjwAgsR36Y3fH4EbYTeY4WsneAeOeMLxyIIlCCIYONLrZUrTtlsD0IQW4PA6gSsErMxkXETBB)pl7)cfoVL!52zh3LZs3GTqaF9e2KH8*I#+QI3EZxq+pwQgaSlSUe&ALGZL0X+fM-*h#n#MOq(*uUCQxk+f$E*vmE2xXiC6ZydhGdR2X$+!pbsIftv)EJ*e9C#YWuYR&x&0s$cRnOW(aFuU9-DtW%4ruLuZvn(5Mo!S5aj1c%Jf5xRuV!XUyVt6FYsYrkS2q)6(OKa)#XvMSF7qb-w%V06lID7a)T*2xgw03C%Rcy)Jt3KIJmtZzUg$2IgyQc7f2r$T#9Ttl5D2&X-J0o#Wu&CB6zDWCA-g*aXn0BHa7x!RdrPpmrls+eaJIOdKyGI82G9yRDSwy*qMQT-XBdCh$R)yC6jfNxeCjK!g%bfmMDoT+T!qmI)fsdZdRsE4ic&$x1UP2ehTu9WSmLwwsDr(8CPn4Mg+9C#s&jSla(ZT1SdBvF6SpIpkf$6E6vqKt9eZcKY(169syWd9JB594yHCUaY*Vwq$wScGTkq(%QfPlc&rBKk*Ndm2QZD%SR5vMZR7OlNGW7h-68)a$uAMobd6wmBJ*X(oHJ5cmWXDdIabFlobm$oJm)sZ(bAdGFDs8LclHBnB6qEsMp&T8ejChI$n9CPsTHVR*$BeRKl!7-5J*-EsldZROABUONdo#F%2jnYaNCe-f9z$J)d4r5b7Y%XWnxWahYQLtQtf!hAGPauQ3lLVYPfbdnUYottCR!iytSaCm)Tb8dx3&SYpU4i208vAcZdXig#tqnOiQ&Fyr3iTqUWeQkdKHmSRCfj$G)!03FWwMmKFNRF!1s+wrkxULpHJklTbQUhJ6HmhmJ3E9()H8ROgF(HTLCIao3Vc*GQm