Intrusion detection system
Denial-of-service attack
Throughput
Computer science
Cloud computing
Embedded system
Deep packet inspection
Field-programmable gate array
Network packet
Bloom filter
Server
Computer network
Real-time computing
Distributed computing
Operating system
Internet
Wireless
Artificial intelligence
Authors
Jian Chen,Xiaoyu Zhang,Tao Wang,Ying Zhang,Tao Chen,Jiajun Chen,Mingxu Xie,Qiang Liu
Identifier
DOI:10.1145/3470496.3533043
Abstract
Network intrusion detection systems (IDS) are crucial for secure cloud computing, but they are also severely constrained by CPU computation capacity as the network bandwidth increases. Therefore, hardware offloading is essential for the IDS servers to support the ever-growing throughput demand for packet processing. Based on the experience of large-scale IDS deployment, we find the existing hardware offloading solutions have fundamental limitations that prevent them from being massively deployed in the production environment. In this paper, we present Fidas, an FPGA-based intrusion detection offload system that avoids the limitations of the existing hardware solutions by comprehensively offloading the primary NIC, rule pattern matching, and traffic flow rate classification. The pattern matching module in Fidas uses a multi-level filter-based approach for efficient regex processing, and the flow rate classification module employs a novel dual-stack memory scheme to identify the hot flows under volumetric attacks. Our evaluation shows that Fidas achieves state-of-the-art throughput in pattern matching and flow rate classification while freeing up processors for other security-related functionalities. Fidas is deployed in the production data center and has been battle-tested for its performance, cost-effectiveness, and DevOps agility.