Volume 18, Issue 1 (5-2021) | JSDP 2021, 18(1): 150-135


Abbasi M, Afshari Haghdoost M. Improvement and parallelization of Snort network intrusion detection mechanism using graphics processing unit. JSDP 2021; 18 (1) :150-135
URL: http://jsdp.rcisp.ac.ir/article-1-964-en.html
Bu-Ali Sina University
Abstract:
Network Intrusion Detection Systems (NIDS) are now widely used to provide full security on computer networks. IDSs fall into two primary types: signature-based systems and anomaly-based systems. The former are more commonly used than the latter because of their lower error rate. The core of a signature-based IDS is pattern matching. This process is inherently computationally intensive, and in the worst case about 80% of the total processing time of an IDS is spent on it. At the same time, the rapid growth of network bandwidth and link speeds causes a network intrusion detection system to lose a large number of inbound packets, which has become a crucial factor limiting the performance of this type of system.

Snort is a signature-based NIDS that attracts wide interest because it is open-source, free, and easy to use. To resolve the challenges mentioned above, we propose an enhanced version of Snort built on two key ideas. The first idea is to filter unnecessary packets based on a blacklist of source IP addresses. This filter is used as a preprocessing mechanism to improve the efficiency of Snort. However, packet filtering slows down as network traffic volume increases. Therefore, to accelerate this mechanism, we propose a second key idea. The data-parallel nature of Snort's functions lets us parallelize its two main computationally intensive functions on the graphics processing unit (GPU). These functions are the lookup on the blacklist filter in the preprocessing stage and Snort's signature matching, which completes the intrusion detection process.

To parallelize the preprocessing step of Snort, a blacklist is first derived from the DARPA dataset. Next, this blacklist is transferred together with the Snort ruleset to the global memory of the GPU. Finally, each thread concurrently matches each packet against the blacklist filters. To parallelize the signature matching step of Snort, the well-known Boyer-Moore pattern matching algorithm is parallelized similarly.

Evaluation results show that the proposed method significantly improves blacklist-based filtering performance, running up to 30 times faster than the sequential version. Also, the efficiency of the proposed method in using GPU resources for parallel intrusion detection is 81 percent higher than the best state-of-the-art method.
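Added example (not the authors' code): the per-packet work the abstract assigns to each GPU thread, written as plain C so that one call to `inspect_one` corresponds to one thread working on one packet. It assumes a sorted blacklist searched by binary search, uses the bad-character (Horspool) simplification of Boyer-Moore, treats payloads as NUL-terminated strings, and assumes blacklisted packets skip signature matching; all names and sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { PASS = 0, BLACKLISTED = 1, SIG_MATCH = 2 };
struct packet { uint32_t src_ip; const char *payload; };

/* Binary search of a source IP in a sorted blacklist (assumed layout). */
static int in_blacklist(const uint32_t *bl, size_t n, uint32_t ip) {
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (bl[mid] == ip) return 1;
        if (bl[mid] < ip) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Boyer-Moore with the bad-character shift only (Horspool simplification). */
static int bm_search(const unsigned char *t, size_t n, const unsigned char *p, size_t m) {
    size_t shift[256];
    if (m == 0 || m > n) return 0;
    for (size_t c = 0; c < 256; c++) shift[c] = m;
    for (size_t i = 0; i + 1 < m; i++) shift[p[i]] = m - 1 - i;
    for (size_t pos = 0; pos + m <= n; pos += shift[t[pos + m - 1]])
        if (memcmp(t + pos, p, m) == 0) return 1;
    return 0;
}

/* Work of one GPU thread: classify one packet independently of all others. */
static int inspect_one(const struct packet *pk, const uint32_t *bl, size_t nbl,
                       const char *const *sigs, size_t nsig) {
    if (in_blacklist(bl, nbl, pk->src_ip)) return BLACKLISTED; /* skip matching */
    for (size_t s = 0; s < nsig; s++)
        if (bm_search((const unsigned char *)pk->payload, strlen(pk->payload),
                      (const unsigned char *)sigs[s], strlen(sigs[s])))
            return SIG_MATCH;
    return PASS;
}

/* Constructed sample data; each call is what one thread computes for packet idx. */
int demo_verdict(size_t idx) {
    static const uint32_t bl[] = { 0x0A000005u, 0xC0A80164u };        /* sorted */
    static const char *const sigs[] = { "/etc/passwd", "cmd.exe" };
    static const struct packet pk[] = { { 0xC0A80164u, "GET /index.html" },
        { 0x0A000007u, "GET /../../etc/passwd" }, { 0x0A000008u, "GET /index.html" } };
    return idx < 3 ? inspect_one(&pk[idx], bl, 2, sigs, 2) : -1;
}
```

Because `inspect_one` reads only shared, read-only tables (blacklist and signatures) and returns a verdict for its own packet, the calls can run in any order or concurrently, which is the property a GPU port relies on.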
Type of Study: Research | Subject: Paper
Received: 2019/02/1 | Accepted: 2021/01/30 | Published: 2021/05/22 | ePublished: 2021/05/22



Rights and permissions
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

© 2015 All Rights Reserved | Signal and Data Processing