Issue No.03 - March (2011 vol.60)
pp: 346-359
Kai Zheng, IBM China Research Lab, Beijing, China
Hongbin Lu, Tsinghua University, Beijing, China
Erich Nahum, IBM T.J. Watson Research Center, Hawthorne, NY, USA
ABSTRACT
Pattern Matching (PM) is a key building block for many emerging network applications. Modern multicore platforms are becoming performance competitive with traditional hardware solutions, which are expensive and hard to adapt to the rapid diversification of Internet applications. However, due to uneven network flow sizes and the need to retain packet order within each flow, traditional parallel processing models using packet flows as the basic unit to partition the workload cannot fully take advantage of multicore platforms' power, exhibiting low CPU utilization and poor scalability with increasing numbers of CPUs or cores. In this paper, we propose a novel parallel inspection model called Dynamic Differentiated Distributed Detection (D⁴). D⁴ deploys balanced parallel detection by adding one more dimension to the PM workload partition. The pattern set is prepartitioned into several subsets so as to distribute the workload of the hot flows across multiple cores while still maintaining packet order within each flow. We also show theoretically that a higher number of subsets leads to higher algorithmic overhead. To achieve optimal throughput for all flow size distributions, D⁴ prepartitions the pattern set in several ways beforehand for use in different detection modes, and then dynamically switches among these modes on the fly according to the flow and runtime information it senses. D⁴ also allows multiple PM algorithms to work simultaneously on different pattern subsets. According to several heuristics and the algorithms' characteristics, the detection mode selection and subset partitioning algorithms are designed to maximize the CPU/core utilization while avoiding unnecessary overheads. Experiments show that D⁴ features high core utilization and low overhead, thus achieving distinct performance gains against traditional load balancing schemes, as shown by experimental results using real-world pattern sets and traffic traces.
INDEX TERMS
Load balancing, network-level security and protection, scheduling and task partitioning.
CITATION
Kai Zheng, Hongbin Lu, Erich Nahum, "Scalable Pattern Matching on Multicore Platform via Dynamic Differentiated Distributed Detection (D⁴)", IEEE Transactions on Computers, vol. 60, no. 3, pp. 346-359, March 2011, doi:10.1109/TC.2010.89