Gnort: High Performance Network Intrusion Detection Using Graphics Processors

Authors:
Giorgos Vasiliadis;Spiros Antonatos;Michalis Polychronakis;Evangelos P. Markatos;Sotiris Ioannidis
Affiliations:
Institute of Computer Science, Foundation for Research and Technology --- Hellas, Heraklion, Crete, Greece GR-700 13;Institute of Computer Science, Foundation for Research and Technology --- Hellas, Heraklion, Crete, Greece GR-700 13;Institute of Computer Science, Foundation for Research and Technology --- Hellas, Heraklion, Crete, Greece GR-700 13;Institute of Computer Science, Foundation for Research and Technology --- Hellas, Heraklion, Crete, Greece GR-700 13;Institute of Computer Science, Foundation for Research and Technology --- Hellas, Heraklion, Crete, Greece GR-700 13
Venue:
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Year:
2008

Citing 21
Cited 31

A fast string searching algorithm

Communications of the ACM
Efficient string matching: an aid to bibliographic search

Communications of the ACM
A String Matching Algorithm Fast on the Average

Proceedings of the 6th Colloquium, on Automata, Languages and Programming
Stateful Intrusion Detection for High-Speed Networks

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Time and area efficient pattern matching on FPGAs

FPGA '04 Proceedings of the 2004 ACM/SIGDA 12th international symposium on Field programmable gate arrays
Generating realistic workloads for network intrusion detection systems

WOSP '04 Proceedings of the 4th international workshop on Software and performance
Gigabit Rate Packet Pattern-Matching Using TCAM

ICNP '04 Proceedings of the 12th IEEE International Conference on Network Protocols
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Fast Regular Expression Matching Using FPGAs

FCCM '01 Proceedings of the the 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
SPANIDS: a scalable network intrusion detection loadbalancer

Proceedings of the 2nd conference on Computing frontiers
A Framework for Rule Processing in Reconfigurable Network Systems

FCCM '05 Proceedings of the 13th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Fast and scalable pattern matching for content filtering

Proceedings of the 2005 ACM symposium on Architecture for networking and communications systems
Bit-split string-matching engines for intrusion detection and prevention

ACM Transactions on Architecture and Code Optimization (TACO)
Offloading IDS Computation to the GPU

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Deep Packet Inspection using Parallel Bloom Filters

IEEE Micro
The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Cryptographics: secret key cryptography using graphics cards

CT-RSA'05 Proceedings of the 2005 international conference on Topics in Cryptology
Towards software-based signature detection for intrusion prevention on the network card

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
SafeCard: a gigabit IPS on the network card

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Massive threading: Using GPUs to increase the performance of digital forensics tools

Digital Investigation: The International Journal of Digital Forensics & Incident Response

A Hybrid Parallel Signature Matching Model for Network Security Applications Using SIMD GPU

APPT '09 Proceedings of the 8th International Symposium on Advanced Parallel Processing Technologies
Regular Expression Matching on Graphics Hardware for Intrusion Detection

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
PacketShader: a GPU-accelerated software router

Proceedings of the ACM SIGCOMM 2010 conference
IP routing processing with graphic processors

Proceedings of the Conference on Design, Automation and Test in Europe
iNFAnt: NFA pattern matching on GPGPU devices

ACM SIGCOMM Computer Communication Review
Improving NFA-based signature matching using ordered binary decision diagrams

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
GrAVity: a massively parallel antivirus engine

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Parallel packet classification using GPU co-processors

SAICSIT '10 Proceedings of the 2010 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists
Enhancing Intrusion Detection System with proximity information

International Journal of Security and Networks
On distributed intrusion detection systems design for high speed networks

ISPACT'10 Proceedings of the 9th WSEAS international conference on Advances in e-activities, information security and privacy
Experiences with string matching on the fermi architecture

ARCS'11 Proceedings of the 24th international conference on Architecture of computing systems
Efficient distributed signature analysis

AIMS'11 Proceedings of the 5th international conference on Autonomous infrastructure, management, and security: managing the dynamics of networks and services
Fast, memory-efficient regular expression matching with NFA-OBDDs

Computer Networks: The International Journal of Computer and Telecommunications Networking
MIDeA: a multi-parallel intrusion detection architecture

Proceedings of the 18th ACM conference on Computer and communications security
GPU-based NFA implementation for memory efficient high speed regular expression matching

Proceedings of the 17th ACM SIGPLAN symposium on Principles and Practice of Parallel Programming
Indices of power in optimal IDS default configuration: theory and examples

GameSec'11 Proceedings of the Second international conference on Decision and Game Theory for Security
Classifying execution times in parallel computing systems: a classical hypothesis testing approach

CIARP'11 Proceedings of the 16th Iberoamerican Congress conference on Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications
GPUstore: harnessing GPU computing for storage systems in the OS kernel

Proceedings of the 5th Annual International Systems and Storage Conference
Kargus: a highly-scalable software-based intrusion detection system

Proceedings of the 2012 ACM conference on Computer and communications security
A highly-efficient memory-compression approach for GPU-Accelerated virus signature matching

ISC'12 Proceedings of the 15th international conference on Information Security
Editorial: Recent developments in high performance computing and security: An editorial

Future Generation Computer Systems
Review: Intrusion detection system: A comprehensive review

Journal of Network and Computer Applications
Re-examining the performance bottleneck in a NIDS with detailed profiling

Journal of Network and Computer Applications
Scalanytics: a declarative multi-core platform for scalable composable traffic analytics

Proceedings of the 22nd international symposium on High-performance parallel and distributed computing
Wire speed name lookup: a GPU-based approach

nsdi'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
GPU acceleration of regular expression matching for large datasets: exploring the implementation space

Proceedings of the ACM International Conference on Computing Frontiers
Indexing million of packets per second using GPUs

Proceedings of the 2013 conference on Internet measurement conference
Parallel data mining techniques on Graphics Processing Unit with Compute Unified Device Architecture (CUDA)

The Journal of Supercomputing
Towards a GPU accelerated virtual machine for massively parallel packet classification and filtering

Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference
Fast and flexible: parallel packet processing with GPUs and click

ANCS '13 Proceedings of the ninth ACM/IEEE symposium on Architectures for networking and communications systems
A regular expression matching engine with hybrid memories

Computer Standards & Interfaces

Quantified Score

Hi-index	0.00

Visualization

Abstract

The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.