Title: Exploiting Multi-Core Processor Platforms to Parallelize Network Intrusion Detection Systems
An Architecture for Exploiting Multi-Core Processors to Parallelize Intrusion Detection Systems
Author: 陳柏廷
Chen, Bo-Ting
黃育綸
Huang, Yu-Lun
Institute of Electrical and Control Engineering
Keywords: Network Intrusion Detection System; Parallel Processing; Network Intrusion Detection System; multi-thread; parallelism
Issue Date: 2008
Abstract: Network intrusion detection systems (NIDS) are commonly used to monitor an enterprise's internal network and to detect attacks originating from outside. Packet analysis in a NIDS is very computation-intensive, and in the face of ever-increasing network traffic, a conventional single-threaded NIDS cannot fully exploit the performance of a multi-core processor. In this thesis, we propose a multi-threaded NIDS architecture (hereafter bmtNIDS) that lets all of the computing resources of a multi-core processor be used effectively for attack detection, thereby raising packet throughput. bmtNIDS allows all threads to receive packets simultaneously and uses a packet filter to prevent two threads from capturing the same packet. In this architecture, we remove the constraint of a conventional single-threaded NIDS that analysis must follow the order in which packets are received, and we reduce the number of data structures that must be protected by synchronization during data access, which improves overall system performance. In addition, we design a passive load-balancing mechanism that dynamically decides which thread handles a new packet according to the utilization of each core. This prevents the NIDS from concentrating packet analysis on a few particular threads, which would otherwise cause the operating system to drop packets that cannot be processed in time. Our experimental results on a quad-core machine show that: (1) at a transmission rate of 300Mbps, bmtNIDS improves Snort's performance by a factor of about 1.5; (2) compared with other multi-threaded NIDS, we also raise the packet analysis ratio by 10%; (3) bmtNIDS uses resources in a better way, so that NIDS performance is not affected by other computation-intensive applications.
In this thesis, we propose a balanced multi-thread NIDS, bmtNIDS, to achieve better efficiency when running on a multi-core system. bmtNIDS supports multiple threads for simultaneous packet capture; such a design benefits from reducing data migration between threads. To prevent threads from receiving duplicate packets, bmtNIDS uses a kernel traffic splitter to distribute packets among threads. Since packets are distributed based on flows, bmtNIDS performs access synchronization only on tables that record information shared between flows, and thereby access synchronization can be dramatically reduced. In addition, a passive load balancing (PLB) algorithm is proposed to distribute workloads by CPU utilization, rather than by merely counting the number of buffered packets. Compared to the conventional load balancing algorithm, bmtNIDS/PLB improves the packet inspection ratio by 10%. In this research, we realize bmtNIDS on Snort and conduct a series of experiments to compare its performance with existing multi-thread NIDS systems. From the experimental results, bmtNIDS shows an improvement by a factor of 1.5 if the packet transmission rate is higher than 300Mbps. bmtNIDS also has a better resource utilization strategy, and hence the performance of bmtNIDS is not affected if the system also runs a computing-intensive application.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079612541
http://hdl.handle.net/11536/41856
Appears in Collections:Thesis


Files in This Item:

  1. 254101.pdf