Space-Time Tradeoffs in Software-Based Deep Packet Inspection

Transcription

1 Space-Time Tradeoffs in Software-ased eep Packet Inspection nat remler-arr I Herzliya, Israel Yotam Harchol avid Hay Hebrew University, Israel. OWSP Israel 2011 (Was also presented in I HPSR 2011) Parts of this work were supported by uropean Research ouncil (R) Starting Grant no Supported by the heck Point Institute for Information Security

2 Outline Motivation ackground New ompression Techniques xperimental Results onclusions 2

3 Network Intrusion etection Systems lassify packets according to: Header fields: Source IP & port, destination IP & port, protocol, etc. Packet payload (data) IP Internet packet eep Packet Inspection Motivation ackground New ompression Techniques xperimental Results onclusions 3

4 The environment: eep Packet Inspection High apacity Slow Memory Locality-based Low apacity Fast Memory ()RM ache Memory Motivation ackground New ompression Techniques xperimental Results onclusions 4

5 Our ontributions Literature assumption: try to fit data structure in cache fforts to compress the data structures Our paper: Is it beneficial? In reality, even in non-compressed implementation, most memory accesses are done to the cache UT One can attack the non-compressed implementation by reducing its locality, getting it out of cache - and making it much slower! How to mitigate this attack? ompress even further - our new techniques: 60% less memory Motivation ackground New ompression Techniques xperimental Results onclusions 5

6 omplexity os ttack Find a gap between average case and worst case ngineer input that exploits this gap Launch a enial of Service attack on the system Internet Throughput Motivation ackground New ompression Techniques xperimental Results onclusions 6

7 Outline Motivation ackground New ompression Techniques xperimental Results onclusions 7

8 ho-orasick lgorithm [ho, orasick; 1975] uild a eterministic Finite utomaton Traverse the F, byte by byte ccepting state pattern found xample: {,,,,, } Input: s 0 s 1 s 2 s 7 s 3 s 4 s 5 s 8 s 13 s s 6 9 s 14 s 10 s 11 s 12 Motivation ackground New ompression Techniques xperimental Results onclusions 8

9 ho-orasick lgorithm [ho, orasick; 1975] Naïve implementation: Represent the transition function in a table of Σ S entries Σ: alphabet S: set of states Lookup time: one memory access per input symbol Space: In reality: 70M to gigabytes S S S S S S S S S : Motivation ackground New ompression Techniques xperimental Results onclusions 9

10 Potential omplexity os ttack 1. xhaustive Traversal dversarial Traffic Traverses as much states of the automaton s 0 ad locality - ad for naïve implementation (will not utilize cache) s 1 s 2 s 7 s 3 s 4 s 5 s 8 s 13 s 6 s 14 s 9 s 10 s 11 s 12 Motivation ackground New ompression Techniques xperimental Results onclusions 10

11 lternative Implementation [ho, orasick; 1975] Forward Transition Failure Transition Failure transition goes to the state that matches the longest suffix of the input so far Lookup time: at most two memory accesses per input symbol (via amortized analysis) Space: at most, # of symbols in pattern set, depends on implementation s 0 s 1 s 2 s 7 s 3 s 4 s 5 s 13 s 6 s 14 s 8 s 9 s 10 s 11 s 12 Motivation ackground New ompression Techniques xperimental Results onclusions 11

12 Potential omplexity os ttack 1. xhaustive Traversal dversarial Traffic - Traverses as much states of the automaton s 0 - ad locality - ad for naïve implementation (will not utilize cache) s 1 s 2 s 7 2. Failure-path Traversal dversarial Traffic - Traverses as much failure transitions - ad for failure-path based automaton (as much memory accesses per input symbol) s 3 s 4 s 5 s 14 s 13 s 6 s 8 s 9 s 10 s 11 s 12 Motivation ackground New ompression Techniques xperimental Results onclusions 12

13 Prior Work: ompress the State Representation symbol forward: 13 6 symbol forward: 13 6 failure: 7 match: False failure: 7 match: False size: 2 itmap: Length= Σ Lookup Table an count bits using popcnt instruction Linear ncoded s 0 s 1 s 2 s 7 forward: 13 6 s 3 s 4 s 5 s 8 failure: 7 match: False itmap ncoded s 13 s 6 Motivation ackground New ompression Techniques xperimental Results onclusions s s s 9 13

14 Outline Motivation ackground New ompression Techniques xperimental Results onclusions 14

15 Tuck et al. Our Path ompression 2004 Path ompression One-way branches can be represented using a single state s 0 Similarly to PTRII tries s 1 s 2 () s 7 Problem: Incoming failure transitions s 3 s 4 s 5 () s 8 Solution: ompress only states with no incoming failure transitions s 13 s 6 s 14 () s 9 ' s % () 75% s 11 s 12 Motivation ackground New ompression Techniques xperimental Results onclusions 15

16 Leaves ompression y definition, leaves have no forward transitions Their single purpose is to indicate a match We can push this indication up by adding a bit to each pointer Then, leaves can be eliminated from the automaton - by copying their failure transition up * s 0 * * s 1 s 2 * * * * s 3 s 4 s 5 * s 14 s 5 () () * * s 13 s 6 () () s 7 s 8 8 ' ' * * s 9 ' 3% more space reduction Reduces number of transitions taken Motivation ackground New ompression Techniques xperimental Results onclusions 16

17 Pointer ompression In Snort IS pattern-set, 79% of the fail pointers point to states in depths 0, 1, 2 dd two bits to encode depth of pointer: 00: epth 0 01: epth 1 10: epth 2 11: epth 3 and deeper 16 bits pointer epth 2 2 bits epth Pointers 0 (s 0 ) 13% 1 31% 2 35% 3 21% 16 bits pointer epth > 2 2 bits 16 bits pointer 11 Motivation ackground New ompression Techniques xperimental Results onclusions 17

18 Tuck et al. Our Path ompression Pointer omp Pointer ompression epth Pointers 0 (s 0 ) 13% 1 31% 2 35% 3 21% etermine next state from pointer depth: - 0: Go to root - 1: Use a lookup table using last symbol - 2: Use a hash table using last two symbols - 3: Use the stored pointer epth 1 Lookup Table: epth 2 Hash Table: Symbol State - s 2 s 7 - Last 2 symbols hash table Next state 100% 75% 41% s 1 Motivation ackground New ompression Techniques xperimental Results onclusions 18

19 Function Inlining ompressed implementation makes more memory accesses Initial implementation was based on a few functions calling each other voiding function calls (by inlining their code) reduced total number of memory reads by 36% Motivation ackground New ompression Techniques xperimental Results onclusions 19

20 Outline Motivation ackground New ompression Techniques xperimental Results onclusions 20

21 Test Systems xperimental Setup System 1 System 2 Type Macook Pro imac PU ore 2 uo 2.53GHz dual core ore i7 2.93GHz quad core L1 ache: 16K (data, per core) 16K (data, per core) L2 ache: 3M (shared) 256K (per core) L3 ache: - 8M (shared) Pattern-Sets Snort lamv* Patterns 31,094 16,710 States in Naïve Implementation 77, ,303 Real-life traffic logs taken from MIT RP * We used only half of lamv signatures for our tests Motivation ackground New ompression Techniques xperimental Results onclusions 21

22 Memory Footprint [M] Space Requirement Snort (Partial) lamv Naïve Implementation est Prior-rt Implementation Our Implementation Motivation ackground New ompression Techniques xperimental Results onclusions 22

23 Memory accesses per input symbol Memory ccesses per Input Symbol Real Life Traffic xhaustive Traversal dversarial Traffic Failure-Path Traversal dversarial Traffic 0 Naïve Implementation Our Implementation Motivation ackground New ompression Techniques xperimental Results onclusions xperimental Results 23

24 L1 ata ache Miss Rate L1 ata ache Miss Rate 35% 30% 25% 20% Intel ore 2 uo (2 cores) 16K L1 ata ache 3M L2 ache Real Life Traffic xhaustive Traversal dversarial Traffic Failure-Path Traversal dversarial Traffic 15% 10% 5% 0% Naïve Implementation Our Implementation Motivation ackground New ompression Techniques xperimental Results onclusions 24

25 L2 ache Miss Rate L2 ache Miss Rate 25% Real-Life Traffic: 0.7% 20% L2 ache Miss Rate 15% dversarial Traffic: L2 ache 23% Miss Rate Intel ore 2 uo (2 cores) 16K L1 ata ache 3M L2 ache Real Life Traffic xhaustive Traversal dversarial Traffic Failure-Path Traversal dversarial Traffic 10% Maximal L2 Miss Rate: 0.06% 5% 0% Naïve Implementation Our Implementation Motivation ackground New ompression Techniques xperimental Results onclusions 25

26 Throughput [Mps] xperimental Results Space vs. Time: Real-Life Traffic Throughput dversarial Traffic Throughput Naïve Implementation Our Implementation -86% Memory Footprint [M] (Logarithmic Scale) Motivation ackground New ompression Techniques xperimental Results onclusions 26

27 Outline Motivation ackground New ompression Techniques xperimental Results onclusions 27

28 onclusions It is crucial to model the cache in software-based eep Packet Inspection: Naïve ho-orasick implementation has a huge memory footprint, but works well on real-life traffic due to locality of reference Naïve implementation can be easily attacked, making it 7 times slower, even though it has constant number of memory accesses We also show new compression techniques: 60% less memory than best prior-art compression Stable throughput, better performance under attacks Motivation ackground New ompression Techniques xperimental Results onclusions 28

29 Questions? Thank you!