Beyond Pattern Matching: A Concurrency Model for Stateful Deep Packet Inspection

Title: Beyond Pattern Matching: A Concurrency Model for Stateful Deep Packet Inspection
Publication Type: Conference Paper
Year of Publication: 2014
Authors: De Carli, L., Sommer R., & Jha S.
Other Numbers: 3724

The ever-increasing sophistication in network attacks, combined with larger and larger volumes of traffic, presents a dual challenge to network intrusion detection systems (IDSs). On one hand, to take advantage of modern multi-core processing platforms IDSs need to support scalability, by distributing traffic analysis across a large number of processing units. On the other hand, such scalability must not come at the cost of decreased effectiveness in attack detection. In this paper, we present a novel domain-specific concurrency model that addresses this challenge by introducing the notion of detection scope: a unit for partitioning network traffic such that the traffic contained in each resulting "slice" is independent for detection purposes. The notion of scope enables IDSs to automatically distribute traffic processing, while ensuring that information necessary to detect intrusions remains available to detector instances. We show that for a large class of detection algorithms, scope can be automatically inferred via program analysis; and we present scheduling algorithms that ensure safe, scope-aware processing of network events. We evaluate our technique on a set of IDS analyses, showing that our approach can indeed exploit the concurrency inherent in network traffic to provide significant throughput improvements.


This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS: 0915667 ("A High-Performance Abstract Machine for Network Intrusion Detection") and CNS: 1228792 ("Understanding and Exploiting Parallelism in Deep Packet Inspection on Concurrent Architectures"). Additional funding was provided through NSF grant CNS: 1228782 ("Understanding and Exploiting Parallelism in Deep Packet Inspection on Concurrent Architectures") and by a grant from the CISCO Research Center. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation or Cisco.

Bibliographic Notes

Proceedings of the 21st ACM Conference on Computer and Communications Security (ACM CCS), Scottsdale, Arizona

Abbreviated Authors

L. de Carli, R. Sommer, and S. Jha

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings