Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deep Packet Inspection as a Service Yaron Koral† Joint work with Anat Bremler-Barr‡, Yotam Harchol† and David Hay† †The Hebrew University, Israel ‡IDC.

Published byChloe Carr Modified over 9 years ago

Similar presentations

Presentation on theme: "Deep Packet Inspection as a Service Yaron Koral† Joint work with Anat Bremler-Barr‡, Yotam Harchol† and David Hay† †The Hebrew University, Israel ‡IDC."— Presentation transcript:

1 Deep Packet Inspection as a Service Yaron Koral† Joint work with Anat Bremler-Barr‡, Yotam Harchol† and David Hay† †The Hebrew University, Israel ‡IDC Herzliya, Israel This work was supported by European Research Council (ERC) Starting Grant no. 259085

2 NFV and Innovation NFV enables virtualizing network building blocks such as: FW, NAT, IDS, Monitoring, LB, Network AV, WAN Optimizer, etc. … Increases network deployment flexibility, and also product introduction times. Opens market for new vendors for network functions (Middleboxes) About 400 SDN-NFV listed companies 2

3 Middleboxes Policy Chains SDN allows building policy chain via traffic steering 3

4 DPI Based Middleboxes Intrusion Detection System Network Anti-Virus L7 Firewall L7 Load Balancer Leakage Prevention System Network Analytic Traffic Shaper Lawful Interception Copyright Enforcement A MB processes packet header or payload The latter uses DPI engine 4

5 DPI Pattern Examples Snort (NIDS/NIPS) – Intrusion Detection Microsoft XML Core Services cross-site information disclosure attempt ]*SYSTEM[^>]*>.*\x2EparseError ClamAV (Anti Virus) – Virus Detection Cabir.A computer worm signature 886f1f10123a001019040010e5f79547e6ad0100bd006f006400750063007 4004900440054003200200052005300330041005300789c (binary) Bro (NIDS) - Application Classification MS Office 2007 XML documents \x50\x4B\x03\x04\x14\x00\x06\x00 5

6 DPI Engine – Complicated Challenge Hundreds of academic papers over recent years Pattern set size varies between 10 2 -10 5 patterns per MB DPI Engine is considered a system bottleneck in many of todays MBs (30%-80%) [*Laboratory simulations over real deployments of Snort and ClamAV] scalability throughput latency low power resiliency fast updates compression 6

7 Middleboxes Policy Chains Each MB implements its own DPI engine (higher MB costs, reduced features) Each packet is scanned multiple times causing waste of computation resources 7

8 Our Solution: DPI as a Service Contribution: The idea of having a centralized DPI service instead of multiple instances of it at each Middlebox Innovation – Lower entry barriers Rich Functionality – Invest once for all MB Reduced Costs – Cheaper MB HW/SW Improved performance - Scan each packet once 8

9 ARCHITECTURE 9

10 DPI2 Architecture Overview (SDN) L7 FW1 IDS1 DPI1 IDS2 AV2 AV1 TS S1 S2 S3 S4 SDN Controller Traffic Steering DPI Controller hello Register Rules Add Patterns Update Policy Chain 10

11 Architecture: Data Plane DPI Service Instance Scans incoming packets against an aggregated pattern set Each pattern has a unique ID Result: + Each packet may contain several pattern matches All pattern-match results are attached to the packet ID: 139; Offset: 90 ID: 14; Offset: 109 ID: 723; Offset: 201 ID: 221; Offset: 507 … 11 DPI Service Instance

12 Match results header: usually 0B; up to 200B (99%) Using existing tag-fields (i.e. VLAN / MPLS) does not suffice Passing Results hello 12

13 Network Service Header (NSH) – Supports a header per network service – Not limited in size – Resize MTU Passing Results Alternative 1 hello 13

14 Separate result-packet – Mark original packet upon match (set ECN) – Delay packet until result-packet arrives Passing Results Alternative 2 hello 14

15 MiddleBox Support Packet Decode (≈100 lines) Payload Result structure MB with internal DPI engine MB with external DPI service 15

16 QUESTION: ARE THE DPI ALGORITHMS SCALABLE? 16

17 Are DPI Algorithms Scalable? YES! Short Answer: YES! What are the DPI Algorithms? 17 StringMatching 886f1f10123a001019040010e5f79547e6ad0100bd006 f00640075006300740049004400540032002000520053 00330041005300789c RegexMatching ]*SYSTEM[^>]*>.*\x2EparseError

18 String Matching: Aho-Corasick Algorithm Build a Deterministic Finite Automaton (basic full-table variant) Each input byte requires single lookup regardless the number of patterns!! $ Cost Function: 1 Mem. access per input byte More patterns may results in a marginal performance reduction (cache) Example: {E, BE, BD, BCD, CDBCAB, BCAA} s0s0 s7s7 s 12 s1s1 s2s2 s3s3 s5s5 s4s4 s 14 s 13 s6s6 s8s8 s9s9 s 10 s 11 C C E D B E D D B C A B A A B E CB E C B E C D E B C D E C E B C E B C E B C E C B B B BCDBCAB s0s0 s 12 s2s2 s5s5 s6s6 s9s9 s 10 s 11 18

19 Pattern Set Aggregation Pattern Set 1Pattern Set 2 Pattern set 1 Pattern set 2 Both sets 19

20 Repetition operators (e.g. Kleen star) may cause memory blowout Common approach: string matching w/global DFA >> single regex DFA Regular Expressions Matching ]*SYSTEM[^>]*>.*\x2EparseError <\x21DOCTYPE SYSTEM\x2EparseError Multi Regex Matching Multi String Matching + Single Regex Matching 20

21 DPI is Scalable, not Trivial… Encode DFA in TCAM Resilient Multi-Core DPI DPI over Compressed Traffic 21 CompactDFA, ToN 2014 ACCH, ToN 2012 MCA 2, ANCS 2012

22 DPI AS A SERVICE & DIFFERENT MIDDLEBOXES LAYOUTS 22

23 SDN + NFV MB Consolidation Outsource MB (out-of-network) Related Network-Functions Layouts TS VM Hypervisor TS L7 FW1 IDS1 AV1 ETSI. Network functions virtualization Gember et al., HotNets 2012 Rajagopalan et al., NSDI 2013 Comb, NSDI 2012 xOMB, ANCS 2012 Crossbeam, 2012 Kekely et al., Infocom 2014 Gibb et al., HotSDN 2012 Sherry et al., SIGCOMM 2012 23

24 EXPERIMENTAL RESULTS 24

25 Experimental Environment POX SDN Controller (OpenFlow 1.0) Static steering mechanism DPI Service and Middlebox using separate machines Toy middlebox applications: Snort, ClamAV Functionality: Tested in virtual environments (Mininet, VMWare) Performance: no Mininet (overhead) Toy Snort2 Toy ClamAV Toy Snort1 Virtual Environment DPI Controller Static Steering Runs over POX SDN Controller DPI Service Instance 25

26 DPI as a Service Two separate DPIs IDS1 Performance Results Policy Chain with Two DPIs : Combined DPI instances (DPI as a Service): IDS1AV1 IDS1 AV1 DPI1 DPI2 Overall Latency Overall ThroughputLatencyThroughputSpacePatterns 21.5us/p668.4Mbps 9.69us/p807.7Mbps71.18MB4356Snort 11.91us/p668.4Mbps1.87GB31827 ClamAV 13.8us/p1126Mbps 13.82us/p563.3Mbps1.94GB36183DPI1 13.82us/p563.3Mbps1.94GB36183DPI2 Each using separate machines AV1 26

27 Resistance to Peak-Load Traffic Separate IDSs: Static Load Balancing DPI as a Service: Dynamic Load Balancing Two separate policy chains: Combined DPI instances (DPI as a Service): IDS1 AV1 IDS1DPI1 AV1DPI2 Better resistance to load peaks in one PC 27

28 Future Work Potential tasks to be “outsourced” as a service: – Payload Processing ( Decryption/Decompression) Retrieve raw data – Session reconstruction (Connection Tracking) For session processing rather than packet processing – Header/protocol analysis For protocol aware network functions Use the DPI to extend OpenFlow based switches – Use the tags created by the DPI service to drive policies in conventional switches. 28

29 Conclusions DPI is a common service used by today’s MB Thanks to its scalability it may be easily exported as a stand-alone network service DPI as a Service provides: – Innovation (Lower entry barriers) – Network scalability – Lower costs (Cheaper MB Hardware) 29

30 Thank You!!

Download ppt "Deep Packet Inspection as a Service Yaron Koral† Joint work with Anat Bremler-Barr‡, Yotam Harchol† and David Hay† †The Hebrew University, Israel ‡IDC."

Similar presentations

Deep Packet Inspection(DPI) Engineering for Enhanced Performance of Network Elements and Security Systems PIs: Dr. Anat Bremler-Barr (IDC) Dr. David.

Deep Packet Inspection(DPI) Engineering for Enhanced Performance of Network Elements and Security Systems PIs: Dr. Anat Bremler-Barr (IDC) Dr. David.
Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.

Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes

Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,

Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,
Multi-Core Packet Scattering to Disentangle Performance Bottlenecks Yehuda Afek Tel-Aviv University.

Multi-Core Packet Scattering to Disentangle Performance Bottlenecks Yehuda Afek Tel-Aviv University.
Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Author: Anat Bremler-Barr, Yaron Koral, Shimrit Tzur David, David Hay Publisher:

Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Author: Anat Bremler-Barr, Yaron Koral, Shimrit Tzur David, David Hay Publisher:
Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Anat Bremler-Barr Interdisciplinary Center Herzliya Shimrit Tzur David Interdisciplinary.

Decompression-Free Inspection: DPI for Shared Dictionary Compression over HTTP Anat Bremler-Barr Interdisciplinary Center Herzliya Shimrit Tzur David Interdisciplinary.
Authors: Raphael Polig, Kubilay Atasu, and Christoph Hagleitner Publisher: FPL, 2013 Presenter: Chia-Yi, Chu Date: 2013/10/30 1.

Authors: Raphael Polig, Kubilay Atasu, and Christoph Hagleitner Publisher: FPL, 2013 Presenter: Chia-Yi, Chu Date: 2013/10/30 1.
MCA 2: Multi Core Architecture for Mitigating Complexity Attacks Yaron Koral (TAU) Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay.

MCA 2: Multi Core Architecture for Mitigating Complexity Attacks Yaron Koral (TAU) Joint work with: Yehuda Afek (TAU), Anat Bremler-Barr (IDC), David Hay.
Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.

Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.
Keith Wiles Keith.Wiles@Intel.com DPACC vNF Overview and Proposed methods Keith Wiles Keith.Wiles@Intel.com 2015.04.03 – v0.5.

Keith Wiles DPACC vNF Overview and Proposed methods Keith Wiles – v0.5.
Efficient Multi-Match Packet Classification with TCAM Fang Yu

Efficient Multi-Match Packet Classification with TCAM Fang Yu
A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.

A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Similar presentations

Ads by Google