Multi-Core Supported Deep Packet Inspection

1. Introduction

Current Internet is facing many serious attacks such as financial frauds, viruses and worms, distributed denial of service attacks, spyware, and spam. Although many network security applications such as intrusion detection systems (IDS), anti-virus/spam systems, and firewalls have been proposed to control the attacks, securing distributed systems and networks is still extremely challenging. There are unknown threats and zero day attacks (exploits released before the vendor patch is released to the public) appearing everyday, which place an impractical burden on network security systems. The key question here is can we have real time solutions to identify and eliminate attacks without excessive security and management overhead overburdening the networks and computer systems? To deal with the rapidly evolving threats today and more intelligent and automatic threats in the future, we urgently need new methods that support network security applications, at all times and in real time, without causing performance penalty to normal network and system operations.

A multi-core processor combines two or more independent cores into a single package composed of a single integrated circuit (called a die), or more dies packaged together (Intel, 2007). Multi-core processors represent a major evolution in computing hardware technology. While two years ago most network processors and personal computer microprocessors had single core configuration, the majority of the current microprocessors contain dual or quad cores and the number of cores on die is expected to grow exponentially over time (Johnson & Welser, 2005). As the price of multi-core processors keeps falling, multi-core will eventually provide affordable processing power to support the real-time requirement of network security applications.

Multi-core provides a network security application with more processing power from the hardware perspective. However, there are still significant software design challenges that must be overcome. Today the difficulty is not in building multi-core hardware, but programming it in a way that lets applications benefit from the continued growth in CPU performance (Sutter & Larus, 2005). From the server or router side, if the network security software is not fast enough, it can be very difficult to process every incoming packet then it would slow down the traffic. From the client side, it can also be very difficult to run network security applications without any interruption to normal applications because those computing-intensive applications significantly slow down other simultaneously running applications.

Taking advantage of the full power of multi-core processor requires an in-depth approach to realize the speedups by parallelizing the traditional deep packet inspection applications. In this chapter we discuss the research direction of using multi-core processors to support real-time deep packet inspection applications. Section 2 introduces the related work in the parallel approaches to enhance the performance of deep packet inspection applications. Section 3 presents our new system architecture of using multi-core to support deep packet inspection applications. Section 4 presents the basic packet-level parallelization and flow-level parallelization. Section 5 presents a new parallel string matching algorithm. Benefits of using multi-core are discussed in Section 6. Section 7 concludes this chapter.