Gnort: High performance network intrusion detection using graphics processors

Giorgos Vasiliadis; Spiros Antonatos; Michalis Polychronakis; Evangelos P. Markatos; Sotiris Ioannidis

doi:10.1007/978-3-540-87403-4_7

Gnort: High performance network intrusion detection using graphics processors

Giorgos Vasiliadis
, Spiros Antonatos
, Michalis Polychronakis
, Evangelos P. Markatos
, Sotiris Ioannidis

Computer Science

Foundation for Research and Technology-Hellas

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

194 Scopus citations

Abstract

The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.

Original language	English
Title of host publication	Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings
Publisher	Springer Verlag
Pages	116-134
Number of pages	19
ISBN (Print)	354087402X, 9783540874027
DOIs	https://doi.org/10.1007/978-3-540-87403-4_7
State	Published - 2008
Event	Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings - Cambridge, MA, United States Duration: Sep 15 2008 → Sep 17 2008

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5230 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings
Country/Territory	United States
City	Cambridge, MA
Period	09/15/08 → 09/17/08

Keywords

GPU
Intrusion detection systems
Network security
Parallel programming
Pattern matching
SIMD

Access to Document

10.1007/978-3-540-87403-4_7

Cite this

Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E. P., & Ioannidis, S. (2008). Gnort: High performance network intrusion detection using graphics processors. In Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings (pp. 116-134). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5230 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-540-87403-4_7

Vasiliadis, Giorgos ; Antonatos, Spiros ; Polychronakis, Michalis et al. / Gnort : High performance network intrusion detection using graphics processors. Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings. Springer Verlag, 2008. pp. 116-134 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{145a4819dc1548f996dfa7ecbd909a33,

title = "Gnort: High performance network intrusion detection using graphics processors",

abstract = "The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.",

keywords = "GPU, Intrusion detection systems, Network security, Parallel programming, Pattern matching, SIMD",

author = "Giorgos Vasiliadis and Spiros Antonatos and Michalis Polychronakis and Markatos, \{Evangelos P.\} and Sotiris Ioannidis",

year = "2008",

doi = "10.1007/978-3-540-87403-4\_7",

language = "English",

isbn = "354087402X",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "116--134",

booktitle = "Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings",

note = "Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings ; Conference date: 15-09-2008 Through 17-09-2008",

}

Vasiliadis, G, Antonatos, S, Polychronakis, M, Markatos, EP & Ioannidis, S 2008, Gnort: High performance network intrusion detection using graphics processors. in Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5230 LNCS, Springer Verlag, pp. 116-134, Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings, Cambridge, MA, United States, 09/15/08. https://doi.org/10.1007/978-3-540-87403-4_7

Gnort: High performance network intrusion detection using graphics processors. / Vasiliadis, Giorgos; Antonatos, Spiros; Polychronakis, Michalis et al.
Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings. Springer Verlag, 2008. p. 116-134 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5230 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Gnort

T2 - Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings

AU - Vasiliadis, Giorgos

AU - Antonatos, Spiros

AU - Polychronakis, Michalis

AU - Markatos, Evangelos P.

AU - Ioannidis, Sotiris

PY - 2008

Y1 - 2008

N2 - The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.

AB - The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations.

KW - GPU

KW - Intrusion detection systems

KW - Network security

KW - Parallel programming

KW - Pattern matching

KW - SIMD

UR - https://www.scopus.com/pages/publications/56549099368

U2 - 10.1007/978-3-540-87403-4_7

DO - 10.1007/978-3-540-87403-4_7

M3 - Conference contribution

AN - SCOPUS:56549099368

SN - 354087402X

SN - 9783540874027

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 116

EP - 134

BT - Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings

PB - Springer Verlag

Y2 - 15 September 2008 through 17 September 2008

ER -

Vasiliadis G, Antonatos S, Polychronakis M, Markatos EP, Ioannidis S. Gnort: High performance network intrusion detection using graphics processors. In Recent Advances in Intrusion Detection - 11th International Symposium, RAID 2008, Proceedings. Springer Verlag. 2008. p. 116-134. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-540-87403-4_7

Gnort: High performance network intrusion detection using graphics processors

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this